Bug 1403553 - SELinux is preventing 57656220436F6E74656E74 from sendto access on the unix_dgram_socket
Status: CLOSED WORKSFORME
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 25
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Gecko Maintainer
QA Contact: Fedora Extras Quality Assurance
Reported: 2016-12-11 10:55 UTC by JayJayJazz
Modified: 2017-01-28 09:50 UTC (History)

Last Closed: 2017-01-28 09:50:39 UTC
Type: Bug


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1271401 0 high CLOSED SELinux policy prevents the NVIDIA 358.xx driver from updating the screen 2021-02-22 00:41:40 UTC
Red Hat Bugzilla 1316313 0 low CLOSED SELinux is preventing plugin-containe from 'sendto' accesses on the unix_dgram_socket @nvidiaf2aaa16b. 2021-02-22 00:41:40 UTC
Red Hat Bugzilla 1369627 0 low CLOSED SELinux is preventing plugin-containe from 'sendto' accesses on the unix_dgram_socket 006E766964696138323135663563660000... 2021-02-22 00:41:40 UTC

Description JayJayJazz 2016-12-11 10:55:10 UTC
Description of problem:
Received the following SELinux alert while browsing with Firefox 50.0.2

Version-Release number of selected component (if applicable):
Fedora 25
Firefox 50.0.2
selinux-policy-3.13.1-225.1.fc25.noarch
Kernel 4.8.12-300.fc25.x86_64

How reproducible:


Steps to Reproduce:
1. start Firefox
2. open chillmo.com
3. open rpmfusion.org

Actual results:
The SELinux alert pops up.

Expected results:
I think it is good that the alert prevented the "sendto". But I'm unsure what this means.

Additional info:
All 3 packaged extensions are disabled in Firefox. No other Addons (like Flash) are installed.
I also think that the 2 pages I opened are trustworthy (of course as trustworthy as possible in these days).

Comment 1 JayJayJazz 2016-12-11 10:56:26 UTC
SELinux is preventing 57656220436F6E74656E74 from sendto access on the unix_dgram_socket 006E7669646961653338343162396400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000.

*****  Plugin mozplugger (99.1 confidence) suggests   ************************

If you want to use the plugin package
Then you must turn off SELinux controls on the Firefox plugins.
Do
# setsebool -P unconfined_mozilla_plugin_transition 0

*****  Plugin catchall (1.81 confidence) suggests   **************************

If you believe that 57656220436F6E74656E74 should be allowed sendto access on the 006E7669646961653338343162396400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 unix_dgram_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c '57656220436F6E74656E74' --raw | audit2allow -M my-57656220436F6E74656E74
# semodule -X 300 -i my-57656220436F6E74656E74.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
                              0.c1023
Target Context                unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023
Target Objects                006E7669646961653338343162396400000000000000000000
                              00000000000000000000000000000000000000000000000000
                              0000000000000000000000000000 [ unix_dgram_socket ]
Source                        57656220436F6E74656E74
Source Path                   57656220436F6E74656E74
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-225.1.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 4.8.12-300.fc25.x86_64
                              #1 SMP Fri Dec 2 17:52:11 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-12-11 11:27:55 CET
Last Seen                     2016-12-11 11:27:55 CET
Local ID                      02da41fc-b8bb-45dd-a515-1e05a6008925

Raw Audit Messages
type=AVC msg=audit(1481452075.314:261): avc:  denied  { sendto } for  pid=2868 comm=57656220436F6E74656E74 path=006E7669646961653338343162396400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0


Hash: 57656220436F6E74656E74,mozilla_plugin_t,xserver_t,unix_dgram_socket,sendto
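
Added example (not part of the original report or of any Fedora tooling): the audit subsystem hex-encodes `comm` and `path` values that contain spaces or non-printable bytes, which is why the alert above shows long hex strings instead of names. The Python sketch below parses the AVC record from Comment 1 and decodes those fields; the function names and the `HEX_FIELDS` set are assumptions of this example.

```python
import re

# The AVC record from the report; the path is rebuilt as the name bytes plus
# the 49 NUL padding bytes that were logged after it (128 hex chars in total).
PATH_HEX = "006E76696469616533383431623964" + "00" * 49
AVC = (
    "type=AVC msg=audit(1481452075.314:261): avc:  denied  { sendto } for  "
    "pid=2868 comm=57656220436F6E74656E74 path=" + PATH_HEX + " "
    "scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 "
    "tcontext=unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023 "
    "tclass=unix_dgram_socket permissive=0"
)

HEX_FIELDS = {"comm", "path", "exe", "name"}  # fields audit may hex-encode


def decode_value(key, value):
    """Undo audit's hex encoding of untrusted strings."""
    if value.startswith('"'):            # quoted means logged literally
        return value.strip('"')
    if key in HEX_FIELDS and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", value):
        raw = bytes.fromhex(value)
        if raw.startswith(b"\x00"):      # abstract UNIX socket namespace
            return "@" + raw[1:].rstrip(b"\x00").decode("utf-8", "replace")
        return raw.decode("utf-8", "replace")
    return value


def parse_avc(line):
    """Return the denied permissions and decoded key=value fields."""
    perms = re.search(r"\{([^}]*)\}", line).group(1).split()
    fields = {k: decode_value(k, v)
              for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    fields["perms"] = perms
    # SELinux contexts are user:role:type:level; the type drives the decision
    for ctx in ("scontext", "tcontext"):
        fields[ctx + "_type"] = fields[ctx].split(":")[2]
    return fields


if __name__ == "__main__":
    for key, val in parse_avc(AVC).items():
        print(f"{key:14} {val}")
```

Decoded, the record reads as a process named `Web Content` in the `mozilla_plugin_t` domain being denied `sendto` on the abstract UNIX datagram socket `@nvidiae3841b9d`, whose peer runs as `xserver_t`. On a live system, `ausearch -i` performs the same interpretation of hex-encoded fields.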

Comment 2 JayJayJazz 2016-12-11 10:57:14 UTC
Application Basics
------------------

Name: Firefox
Version: 50.0.2
Build ID: 20161130084405
User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0
OS: Linux 4.8.12-300.fc25.x86_64
Multiprocess Windows: 0/1 (Disabled)
Safe Mode: false

Extensions
----------

Name: Multi-process staged rollout
Version: 1.5
Enabled: true
ID: e10srollout

Name: Pocket
Version: 1.0.5
Enabled: true
ID: firefox

Name: Web Compat
Version: 1.0
Enabled: true
ID: webcompat

Graphics
--------

Features
Compositing: Basic
Asynchronous Pan/Zoom: none
WebGL Renderer: NVIDIA Corporation -- Quadro 3000M/PCIe/SSE2
WebGL2 Renderer: (no info)
Hardware H264 Decoding: No
Audio Backend: pulse
GPU #1
Active: Yes
Description: NVIDIA Corporation -- Quadro 3000M/PCIe/SSE2
Vendor ID: NVIDIA Corporation
Device ID: Quadro 3000M/PCIe/SSE2
Driver Version: 4.5.0 NVIDIA 375.20

Diagnostics
AzureCanvasAccelerated: 0
AzureCanvasBackend: skia
AzureContentBackend: cairo
AzureFallbackCanvasBackend: none
CairoUseXRender: 0
Decision Log
HW_COMPOSITING:
blocked by default: Acceleration blocked by platform
OPENGL_COMPOSITING:
unavailable by default: Hardware compositing is disabled




Important Modified Preferences
------------------------------

accessibility.typeaheadfind.flashBar: 0
browser.cache.disk.capacity: 358400
browser.cache.disk.filesystem_reported: 1
browser.cache.disk.smart_size.first_run: false
browser.cache.frecency_experiment: 4
browser.download.importedFromSqlite: true
browser.places.smartBookmarksVersion: 8
browser.startup.homepage_override.buildID: 20161130084405
browser.startup.homepage_override.mstone: 50.0.2
browser.tabs.warnOnClose: false
browser.urlbar.daysBeforeHidingSuggestionsPrompt: 2
browser.urlbar.lastSuggestionsPromptDate: 20161203
browser.urlbar.userMadeSearchSuggestionsChoice: true
extensions.lastAppVersion: 50.0.2
media.gmp-manager.buildID: 20161130084405
media.gmp-manager.lastCheck: 1481450755
media.gmp.storage.version.observed: 1
network.cookie.cookieBehavior: 1
network.cookie.lifetimePolicy: 2
network.cookie.prefsMigrated: true
network.predictor.cleaned-up: true
places.history.expiration.transient_current_max_pages: 104858
plugin.disable_full_page_plugin_for_types: application/pdf
plugin.importedState: true
plugin.state.libgnome-shell-browser-plugin: 0
plugin.state.librhythmbox-itms-detection-plugin: 0
privacy.clearOnShutdown.offlineApps: true
privacy.clearOnShutdown.siteSettings: true
privacy.donottrackheader.enabled: true
privacy.sanitize.sanitizeOnShutdown: true
privacy.trackingprotection.enabled: true
privacy.trackingprotection.introCount: 20
services.sync.declinedEngines:

Important Locked Preferences
----------------------------

Places Database
---------------

JavaScript
----------

Incremental GC: true

Accessibility
-------------

Activated: false
Prevent Accessibility: 0

Library Versions
----------------

NSPR
Expected minimum version: 4.13.1
Version in use: 4.13.1

NSS
Expected minimum version: 3.27
Version in use: 3.27

NSSSMIME
Expected minimum version: 3.27
Version in use: 3.27

NSSSSL
Expected minimum version: 3.27
Version in use: 3.27

NSSUTIL
Expected minimum version: 3.27
Version in use: 3.27

Experimental Features
---------------------

Sandbox
-------

Seccomp-BPF (System Call Filtering): true
Seccomp Thread Synchronization: true
User Namespaces: true
Media Plugin Sandboxing: true

Comment 3 JayJayJazz 2016-12-11 11:15:39 UTC
Switched to SELinux Team.

It also might be connected to:
https://bugzilla.redhat.com/show_bug.cgi?id=1369627

Comment 4 JayJayJazz 2016-12-11 12:27:46 UTC
Added two other Bug reports. My alert looks a little bit like the one reported in 1316313 and 1271401. Could it be related to the nvidia graphics driver? I'm using 370.20 from rpmfusion repo.

Do I understand it correctly that the target should be the xserver?

It still puzzles me why the issuer should be "mozilla_plugin". None is enabled...

Comment 5 JayJayJazz 2017-01-28 09:50:39 UTC
Since some time has passed, we are already at Firefox 51.0.1 and a newer version of the SELinux policy. So I will close this one.

