Description of problem: SELinux is preventing /usr/lib64/firefox/plugin-container from 'read' accesses on the lnk_file . ***** Plugin mozplugger (99.1 confidence) suggests ************************ If you want to use the plugin package Then you must turn off SELinux controls on the Firefox plugins. Do # setsebool -P unconfined_mozilla_plugin_transition 0 ***** Plugin catchall (1.81 confidence) suggests ************************** If you believe that plugin-container should be allowed read access on the lnk_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep Browser /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c 0.c1023 Target Context system_u:object_r:ecryptfs_t:s0 Target Objects [ lnk_file ] Source Browser Source Path /usr/lib64/firefox/plugin-container Port <Unknown> Host (removed) Source RPM Packages firefox-29.0.1-1.fc20.x86_64 Target RPM Packages Policy RPM selinux-policy-3.12.1-158.fc20.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 3.14.4-200.fc20.x86_64 #1 SMP Tue May 13 13:51:08 UTC 2014 x86_64 x86_64 Alert Count 6 First Seen 2014-05-20 23:40:12 CEST Last Seen 2014-05-20 23:40:25 CEST Local ID a4e790e7-a4e5-4b35-ac1a-2ebf96b4d301 Raw Audit Messages type=AVC msg=audit(1400622025.309:415): avc: denied { read } for pid=3572 comm="Browser" name="langpack-cs.org.xpi" dev="ecryptfs" ino=1184357 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ecryptfs_t:s0 tclass=lnk_file type=SYSCALL msg=audit(1400622025.309:415): arch=x86_64 syscall=open success=no exit=EACCES a0=7f5d43344308 a1=0 a2=0 a3=7f5d30798060 items=0 ppid=3396 pid=3572 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm=Browser exe=/usr/lib64/firefox/plugin-container subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null) Hash: Browser,mozilla_plugin_t,ecryptfs_t,lnk_file,read Additional info: reporter: libreport-2.2.2 hashmarkername: setroubleshoot kernel: 3.14.4-200.fc20.x86_64 type: libreport
I am not absolutely sure what concern this error message and I think that 1.) mozplugger (99.1 confidence) is Streaming Multimedia Plugin for Unix Mozilla Plugger 5.1.3 http://fredrik.hubbe.net/plugger.html I want my firefox browser to play multimedia files so I ran suggested # setsebool -P unconfined_mozilla_plugin_transition 0 2.) Plugin catchall (1.81 confidence) is general plugin-container process I dont know if restriced access on lnk_file by default should be bug. What access to a linked file was restricted? If "langpack-cs.org.xpi" I have no problem running suggested # grep Browser /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp rather than turning off SELinux watching any /usr/lib64/firefox/plugin-container activity.
Or maybe this error message was caused because of using encrypted home directory?
(In reply to jakub.kopriva from comment #2) > Or maybe this error message was caused because of using encrypted home > directory? Yes. Could you please try to run $ restorecon -R -v ~/ to see if it fixes labeling. Thank you.
(In reply to Miroslav Grepl from comment #3) > (In reply to jakub.kopriva from comment #2) > > Or maybe this error message was caused because of using encrypted home > > directory? > > Yes. Could you please try to run > > > $ restorecon -R -v ~/ > > > to see if it fixes labeling. Thank you. Thanks, I tried. Actually that message bug appeared only once as I launched firefox. Before it I restarted after updating via 'yum update kernel* selinux-policy*'
Did the relabel fix the problem?
(In reply to Daniel Walsh from comment #5) > Did the relabel fix the problem? I think running restorecon -R -v ~/ was not necessary but whatever caused that problem it never appeared again.
I am fixing *_ecryptfs_home_dirs booleans.
selinux-policy-3.12.1-167.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-167.fc20
Package selinux-policy-3.12.1-167.fc20: * should fix your issue, * was pushed to the Fedora 20 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-167.fc20' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2014-7240/selinux-policy-3.12.1-167.fc20 then log in and leave karma (feedback).
I reinstalled fedora 20 completely and replaced gnome desktop with xfce and system is now much faster. Yes I ran # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-167.fc20' also. Now I don't receive error messages about kernel. I have SELinux-policy is set to Enforcing by default. Would I receive SELinux error messages if I set SELinux policy to Permissive? Is that caused because of using xfce instead of gnome version?
selinux-policy-3.12.1-171.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-171.fc20
Package selinux-policy-3.12.1-171.fc20: * should fix your issue, * was pushed to the Fedora 20 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-171.fc20' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2014-7499/selinux-policy-3.12.1-171.fc20 then log in and leave karma (feedback).
selinux-policy-3.12.1-171.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.