Bug 1299697 - SELinux prevents firefox from showing installed gnome shell extensions when viewing extensions.gnome.org
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 23
Priority: low, Severity: low
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2016-01-18 21:48 EST by Garrett Mitchener
Modified: 2016-01-29 08:33 EST
Doc Type: Bug Fix
Last Closed: 2016-01-29 08:33:38 EST
Type: Bug

Description Garrett Mitchener 2016-01-18 21:48:50 EST
Description of problem:

You can install GNOME shell extensions through firefox. However, SELinux seems to be preventing the firefox plugin that does this from communicating with GNOME shell.


Version-Release number of selected component (if applicable):

firefox-43.0.3-1.fc23.i686
gnome-shell-3.18.3-1.fc23.i686
selinux-policy-3.13.1-158.fc23.noarch
selinux-policy-targeted-3.13.1-158.fc23.noarch


How reproducible:

Very consistent


Steps to Reproduce:

Log into GNOME

Open firefox and go to https://extensions.gnome.org/local/

It should show a list of installed gnome shell extensions

Instead, the page is mostly empty.

However, if I go to a terminal and run `setenforce permissive` as root, then reload the web page, my installed extensions show up.


Additional info:

I got these messages when running firefox in a terminal, with SELinux still in enforcing mode:


(plugin-container:14564): GnomeShellBrowserPlugin-WARNING **: Failed to grab shell version.

(plugin-container:14564): GnomeShellBrowserPlugin-WARNING **: Failed to retrieve extension list: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender=":1.149" (uid=1000 pid=14564 comm="/usr/lib/firefox/plugin-container /usr/lib/mozilla") interface="org.gnome.Shell.Extensions" member="ListExtensions" error name="(unset)" requested_reply="0" destination=":1.33" (uid=1000 pid=5618 comm="/usr/bin/gnome-shell ")

That's what led me to try permissive mode.
Comment 1 Lukas Vrabec 2016-01-20 04:39:19 EST
Hi,
Could you reproduce this issue and after that attach:
# ausearch -m AVC -ts recent

Thank you.
Comment 2 Phil 2016-01-20 08:55:34 EST
Hi,

this might be a duplicate of 1299219.

Regards,
Phil
Comment 3 Miroslav Grepl 2016-01-21 03:31:18 EST
Yes, what does

ausearch -m user_avc -ts recent

?
Comment 4 Phil 2016-01-21 03:46:40 EST
it says "<no matches>".
Comment 5 Garrett Mitchener 2016-01-21 09:02:59 EST
I also get <no matches> from both

ausearch -m AVC -ts recent
ausearch -m user_avc -ts recent
Comment 6 Garrett Mitchener 2016-01-21 09:06:10 EST
Looking through the output of journalctl, there's this line:

Jan 21 08:53:27 grograman evolution.desktop[12039]: (plugin-container:2284): GnomeShellBrowserPlugin-WARNING **: Failed to retrieve extension list: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender=":1.186" (uid=1000 pid=2284 comm="/usr/lib64/firefox/plugin-container /usr/lib64/moz") interface="org.gnome.Shell.Extensions" member="ListExtensions" error name="(unset)" requested_reply="0" destination=":1.34" (uid=1000 pid=3777 comm="/usr/bin/gnome-shell ")
Comment 7 Couret Charles-Antoine 2016-01-27 07:51:15 EST
Resolved for me after updates.
Comment 8 marcvw 2016-01-28 03:06:21 EST
Also fixed for me on 3 hosts, although without updates :)
Comment 9 Miroslav Grepl 2016-01-29 08:33:38 EST
Thank you.
