Description of problem:
When using xguest, dragging images, or download links, or what have you, to the Desktop (or to other folders), fails. The error given is:

Error while copying.
There was an error getting information about "Falcon-0.8.8-3.fc9.x86_64.rpm"
> HTTP Error: Cannot connect to destination
[ Cancel ] [ Skip All ] [ Skip ] [ Retry ]

ausearch says:

type=AVC msg=audit(1212697130.615:61): avc: denied { name_connect } for pid=3196 comm="gvfsd-http" dest=80 scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket

Version-Release number of selected component (if applicable):
nautilus-2.22.2-7.fc9.x86_64
gvfs-0.2.3-11.fc9.x86_64
firefox-3.0-0.60.beta5.fc9.x86_64
xguest-1.0.6-7.fc9.noarch
selinux-policy-3.3.1-55.fc9.noarch

How reproducible:
Every time

Steps to Reproduce:
1. Log in via xguest
2. Start firefox
3. Drag something

Actual results:
Error

Expected results:
No error
Similarly, 'Connect to Server' is broken for things like FTP:

type=AVC msg=audit(1212697375.944:65): avc: denied { name_connect } for pid=3281 comm="gvfsd-ftp" dest=21 scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=system_u:object_r:ftp_port_t:s0 tclass=tcp_socket
So should we label these mozilla_exec_t? Should we allow this for a limited priv account like xguest?
CCing gvfs people.
If we believe this functionality should work for an xguest/kiosk user, we can label these executables mozilla_exec_t which will just work with unconfined and other confined users, but if you have a completely confined domain like xguest, these apps will be allowed to access httpd/ftp ports.
Closing all bugs that have been in modified for over a month. Please reopen if the bug is not actually fixed.