Bug 1299697 - SELinux prevents firefox from showing installed gnome shell extensions when viewing extensions.gnome.org
Summary: SELinux prevents firefox from showing installed gnome shell extensions when v...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 23
Hardware: Unspecified
OS: Unspecified
low
low
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-01-19 02:48 UTC by Garrett Mitchener
Modified: 2016-01-29 13:33 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-01-29 13:33:38 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Garrett Mitchener 2016-01-19 02:48:50 UTC 
Description of problem:

You can install GNOME shell extensions through firefox. However, SELinux seems to be preventing the firefox plugin that does this from communicating with GNOME shell.


Version-Release number of selected component (if applicable):

firefox-43.0.3-1.fc23.i686
gnome-shell-3.18.3-1.fc23.i686
selinux-policy-3.13.1-158.fc23.noarch
selinux-policy-targeted-3.13.1-158.fc23.noarch


How reproducible:

Very consistent


Steps to Reproduce:

Log into GNOME

Open firefox and go to https://extensions.gnome.org/local/

It should show a list of installed gnome shell extensions

Instead, the page is mostly empty.

However, if I go to a terminal and run `setenforce permissive` as root, then reload the web page, my installed extensions show up.


Additional info:

I got these messages when running firefox in a terminal, with SELinux still in enforcing mode:


(plugin-container:14564): GnomeShellBrowserPlugin-WARNING **: Failed to grab shell version.

(plugin-container:14564): GnomeShellBrowserPlugin-WARNING **: Failed to retrieve extension list: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender=":1.149" (uid=1000 pid=14564 comm="/usr/lib/firefox/plugin-container /usr/lib/mozilla") interface="org.gnome.Shell.Extensions" member="ListExtensions" error name="(unset)" requested_reply="0" destination=":1.33" (uid=1000 pid=5618 comm="/usr/bin/gnome-shell ")

That's what led me to try permissive mode.
Comment 1 Lukas Vrabec 2016-01-20 09:39:19 UTC 
HI, 
Could you reproduce this issue and after that attach:
#ausearch -m AVC -ts recent 

Thank you.
Comment 2 Phil 2016-01-20 13:55:34 UTC 
Hi,

this might be a duplicate of 1299219.

Regards,
Phil
Comment 3 Miroslav Grepl 2016-01-21 08:31:18 UTC 
Yes, what does

ausearch -m user_avc -ts recent

?
Comment 4 Phil 2016-01-21 08:46:40 UTC 
it says "<no matches>".
Comment 5 Garrett Mitchener 2016-01-21 14:02:59 UTC 
I also get <no matches> from both

ausearch -m AVC -ts recent
ausearch -m user_avc -ts recent
Comment 6 Garrett Mitchener 2016-01-21 14:06:10 UTC 
Looking through the output of journalctl, there's this line:

Jan 21 08:53:27 grograman evolution.desktop[12039]: (plugin-container:2284): GnomeShellBrowserPlugin-WARNING **: Failed to retrieve extension list: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender=":1.186" (uid=1000 pid=2284 comm="/usr/lib64/firefox/plugin-container /usr/lib64/moz") interface="org.gnome.Shell.Extensions" member="ListExtensions" error name="(unset)" requested_reply="0" destination=":1.34" (uid=1000 pid=3777 comm="/usr/bin/gnome-shell ")
Comment 7 Couret Charles-Antoine 2016-01-27 12:51:15 UTC 
Resolved for me after updates.
Comment 8 marcvw 2016-01-28 08:06:21 UTC 
Also fixed for me on 3 hosts, although without updates :)
Comment 9 Miroslav Grepl 2016-01-29 13:33:38 UTC 
Than you.
Note You need to log in before you can comment on or make changes to this bug.