Bug 807641
Summary: | SELinux is preventing /usr/bin/nspluginviewer from using the 'signal' accesses on a process. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Karel Volný <kvolny> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED INSUFFICIENT_DATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 17 | CC: | dominick.grift, dwalsh, mgrepl, rdieter |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Unspecified | ||
Whiteboard: | abrt_hash:fd8249d4edec1088e8080696d1a0f120ea070bbc7563e003f24eaa15aead6c8e | ||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2012-11-05 18:42:26 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Karel Volný
2012-03-28 11:52:57 UTC
Karel, how did you get this one? Not something we want to allow, a confined plugin killing user processes. (In reply to comment #1) > Karel, > how did you get this one? fresh install of Fedora 17 Alpha I've tried to watch a video on youtube in Konqueror I don't remember exactly, but I think this was with KHTML and gnash-klash (I've tried various combinations until I've found that WebKit + gnash-plugin is the one that works) (In reply to comment #2) > Not something we want to allow, a confined plugin killing user processes. I don't understand the messages exactly, but what I believe that happened is that nspluginviewer tried to kill the plugin it was running which I'd say is perfectly legal for it - it acts as a wrapper and it should be able to shot down any misbehaving process under its control so I see it as a problem how to determine whether it tries to kill the right process to allow that and disallow touching others Well the AVC's indicate the reverse. The plugin mozilla_plugin_t is sending a kill signal to an unconfined_t. Did everything seem to work, other then the AVC was generated? I have a fealing we are running a part of the process under unconfined_t that should probably be running under npviewer/mozilla_plugin_t and then the signal would have been allowed. (In reply to comment #5) > Did everything seem to work, other then the AVC was generated? no, the video did not play I was playing with various combinations of Konqueror KHTML/WebKit - gnash-klahs/gnash-plugin today too, and I haven't seen such messages any more - however, now it seems that YT uses HTML5 instead of Flash for playback in Konqueror ... so I guess I'll need to find another reproducer site (it hasn't happened on Adobe's about Flash web page) Are you still getting this? (In reply to comment #7) > Are you still getting this? no, because I'm using Adobe's Flash instead of Gnash/Klash :) as I'm a bit tired by the Gnash development (or better say, lack of), I don't have any interest in investigating this further feel free to close this or just try to reproduce yourself sorry for the bugzilla noise, half a year ago I was a bit more optimistic about getting this to work (and sorry guys for using this piece of sh...software with such a long list of security issues, but it just works, and as long as we have to use sites like instructor.cz, I can hardly live without Flash support ...) *** Bug 985544 has been marked as a duplicate of this bug. *** |