Bug 1110355 - SELinux is preventing /usr/lib64/firefox/plugin-container from 'name_bind' accesses on the tcp_socket .
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 20
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:309eb743a4f7d82af8226204bd2...
Duplicates: 1084462
Depends On:
Blocks:
Reported: 2014-06-17 13:34 UTC by Ronen Hod
Modified: 2015-01-16 15:41 UTC

Fixed In Version: selinux-policy-3.12.1-171.fc20
Clone Of:
Environment:
Last Closed: 2014-09-03 15:06:38 UTC
Type: ---
Embargoed:


Attachments:
name_connect access denial (3.01 KB, text/plain)
2014-06-30 13:37 UTC, Aleksandar Kostadinov

Description Ronen Hod 2014-06-17 13:34:20 UTC
Description of problem:
Used BlueJeans on Firefox
SELinux is preventing /usr/lib64/firefox/plugin-container from 'name_bind' accesses on the tcp_socket .

*****  Plugin mozplugger (99.1 confidence) suggests   ************************

If you want to use the plugin package
Then you must turn off SELinux controls on the Firefox plugins.
Do
# setsebool -P unconfined_mozilla_plugin_transition 0

*****  Plugin catchall (1.81 confidence) suggests   **************************

If you believe that plugin-container should be allowed name_bind access on the  tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep plugin-containe /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
                              0.c1023
Target Context                system_u:object_r:jabber_router_port_t:s0
Target Objects                 [ tcp_socket ]
Source                        plugin-containe
Source Path                   /usr/lib64/firefox/plugin-container
Port                          5347
Host                          (removed)
Source RPM Packages           firefox-30.0-4.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-166.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.14.7-200.fc20.x86_64 #1 SMP Wed
                              Jun 11 22:38:05 UTC 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-06-17 16:31:51 IDT
Last Seen                     2014-06-17 16:31:51 IDT
Local ID                      2a04e30b-9109-478a-9f1d-e98eb285a802

Raw Audit Messages
type=AVC msg=audit(1403011911.285:472): avc:  denied  { name_bind } for  pid=4992 comm="plugin-containe" src=5347 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:jabber_router_port_t:s0 tclass=tcp_socket


type=SYSCALL msg=audit(1403011911.285:472): arch=x86_64 syscall=bind success=no exit=EACCES a0=29 a1=7f41b2ffb400 a2=10 a3=7f41b2ffb43c items=0 ppid=2516 pid=4992 auid=16365 uid=16365 gid=16365 euid=16365 suid=16365 fsuid=16365 egid=16365 sgid=16365 fsgid=16365 tty=(none) ses=1 comm=plugin-containe exe=/usr/lib64/firefox/plugin-container subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)

Hash: plugin-containe,mozilla_plugin_t,jabber_router_port_t,tcp_socket,name_bind

Additional info:
reporter:       libreport-2.2.2
hashmarkername: setroubleshoot
kernel:         3.14.7-200.fc20.x86_64
type:           libreport
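
Added example (not part of the original report and not setroubleshoot's own code): a small parser that turns AVC denial records like the one above into the five-field tuple shown on the `Hash:` line, so repeated denials can be grouped by source type, target type, class and permission before deciding how to handle them. Building the key by joining those five fields is an assumption based on the `Hash:` line; the third log line is constructed, with placeholder port and target type.

```python
import re
import shlex
from collections import Counter

# Lines 1-2 come from the bug description (SYSCALL line abridged); line 3 is a
# constructed name_connect record whose port and target type are placeholders.
SAMPLE_LOG = """\
type=AVC msg=audit(1403011911.285:472): avc:  denied  { name_bind } for  pid=4992 comm="plugin-containe" src=5347 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:jabber_router_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1403011911.285:472): arch=x86_64 syscall=bind success=no exit=EACCES comm=plugin-containe
type=AVC msg=audit(1404135450.100:901): avc:  denied  { name_connect } for  pid=5120 comm="plugin-containe" dest=9999 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:example_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\([\d.]+:\d+\): avc:\s+denied\s+"
    r"\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$"
)

def context_type(ctx):
    """Return the type field of a user:role:type:level[:categories] context."""
    return ctx.split(":")[2]

def parse_avc(line):
    """Parse one AVC denial into a dict, or return None for any other record."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    # shlex keeps quoted values such as comm="..." together and drops the quotes.
    kv = dict(t.split("=", 1) for t in shlex.split(m["fields"]) if "=" in t)
    # name_bind records carry src= (as in the report); name_connect carries dest=.
    port = kv.get("src") or kv.get("dest")
    return {
        "perms": m["perms"].split(),
        "comm": kv["comm"],
        "port": int(port) if port else None,
        "stype": context_type(kv["scontext"]),
        "ttype": context_type(kv["tcontext"]),
        "tclass": kv["tclass"],
    }

def dedup_key(rec):
    """comm,source type,target type,class,permission(s), as on the Hash: line."""
    return ",".join([rec["comm"], rec["stype"], rec["ttype"], rec["tclass"], *rec["perms"]])

def summarize(log_text):
    """Count denials per dedup key, ignoring non-AVC records."""
    recs = (parse_avc(line) for line in log_text.splitlines())
    return Counter(dedup_key(r) for r in recs if r)

if __name__ == "__main__":
    for key, count in summarize(SAMPLE_LOG).items():
        print(count, key)
```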

Comment 1 Daniel Walsh 2014-06-17 20:05:40 UTC
Yes we are working on a bluejeans boolean.

Looks like it is in Rawhide.


getsebool -a | grep bluejeans
mozilla_plugin_use_bluejeans --> off

Miroslav we need
ffdbf24da17cd8ef5daba860ef79a40080d80596

back ported to Fedora 20

Comment 2 Lukas Vrabec 2014-06-18 08:57:48 UTC
back ported.

Comment 3 Fedora Update System 2014-06-19 13:19:17 UTC
selinux-policy-3.12.1-171.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-171.fc20

Comment 4 Fedora Update System 2014-06-19 22:53:27 UTC
Package selinux-policy-3.12.1-171.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-171.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-7499/selinux-policy-3.12.1-171.fc20
then log in and leave karma (feedback).

Comment 5 Fedora Update System 2014-06-26 01:54:07 UTC
selinux-policy-3.12.1-171.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Aleksandar Kostadinov 2014-06-30 13:21:10 UTC
With the new policy I still see denials. I just did yum update. Should I do anything to reload the policy?

Comment 7 Aleksandar Kostadinov 2014-06-30 13:22:13 UTC
*** Bug 1084462 has been marked as a duplicate of this bug. ***

Comment 8 Miroslav Grepl 2014-06-30 13:30:47 UTC
Are you getting the same AVC?

Comment 9 Miroslav Grepl 2014-06-30 13:31:14 UTC
Did you turn the mozilla_plugin_use_bluejeans boolean on?

Comment 10 Aleksandar Kostadinov 2014-06-30 13:37:30 UTC
Created attachment 913404
name_connect access denial

Thanks, I didn't understand I have to enable the boolean. But still there is an issue. This time it says: name_connect access on the tcp_socket.

Btw what does the boolean do? All plug-ins to perform these operations?

Comment 11 Lukas Vrabec 2014-09-02 13:07:39 UTC
Hi Aleksandar, 

What does this output:
$ getsebool -a | grep mozilla_plugin_use_bluejeans

If the boolean is off, you should set it on like:
# setsebool mozilla_plugin_use_bluejeans=1

This should also fix your second issue.

Please let me know if the problem still persists.

Comment 12 Nick Coghlan 2014-09-03 01:15:29 UTC
As an additional datapoint: with the new boolean turned on, the Bluejeans plugin now works for me on Fedora 20 with SELinux in enforcing mode.

Comment 13 Lukas Vrabec 2014-09-03 15:06:38 UTC
Thank you for the info.
I am closing this issue.

Comment 14 Aleksandar Kostadinov 2014-09-08 06:04:19 UTC
Thanks, in this case should it be unconfined_mozilla_plugin_transition=0 or unconfined_mozilla_plugin_transition=1?

Comment 15 Aleksandar Kostadinov 2015-01-16 15:41:07 UTC
For anybody that wonders, on Fedora 21 / FF 34 it's working without any SELinux denials with:

> $ getsebool -a | grep bluejeans
> mozilla_plugin_use_bluejeans --> on
> $ getsebool -a | grep unconfined_mozilla_plugin_transition
> unconfined_mozilla_plugin_transition --> off

