Bug 469581 - totem plugin not working in Enforcing mode
Status: CLOSED CANTFIX
Product: Fedora
Classification: Fedora
Component: selinux-policy
10
All Linux
medium Severity medium
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
Reported: 2008-11-02 16:12 EST by Christopher Stone
Modified: 2009-01-08 14:12 EST
Doc Type: Bug Fix
Last Closed: 2009-01-08 14:12:17 EST


Description Christopher Stone 2008-11-02 16:12:18 EST
Working from bug #469571, I attempted to remove all xine related rpms except for xine-libs.  I also removed mplayer rpms.  Now totem is the default media player for firefox.  However, I get a bunch of AVC denials with totem now too.  I've worked for hours with domg472_ on #fedora-selinux but his ultimate response was:
< domg472_> XulChris this is getting nasty. file a bugzilla
so here I am.

I'm not really sure what info to paste. I've been adding my own rules to try and fix it, but I'm at a point now where it only works in permissive mode, and if I set enforcing mode I don't get any AVC denial messages.  If I run semodule -DB and try, I get a lot like:
node=localhost.localdomain type=AVC msg=audit(1225659907.827:32771): avc: denied { connectto } for pid=29462 comm="totem" path=002F746D702F646275732D52454E5548594A717963 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket

Ping me on #fedora-selinux if you need more info.  This is "nasty" and I don't know what I'm doing :(

Need help.

This is what I have so far, but these policy rules are mixed in with bug #469571 problems as well:
policy_module(mysplugin, 0.0.1)
require {
        type gconf_home_t;
        type nsplugin_t;
        type user_home_t;
        class sock_file unlink;
        class unix_dgram_socket sendto;
        class dir { write search create add_name getattr };
        class file rename;
}

#============= nsplugin_t ==============
allow nsplugin_t gconf_home_t:dir { write search add_name create getattr };
allow nsplugin_t self:unix_dgram_socket sendto;
allow nsplugin_t user_home_t:file rename;
allow nsplugin_t user_home_t:sock_file unlink;
apache_list_modules(nsplugin_t)
storage_raw_read_removable_device(nsplugin_t)
usermanage_read_crack_db(nsplugin_t)
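
Added example, not part of the original report or of selinux-policy: a small parser for the AVC record quoted in the description. It decodes the hex-encoded path= value (an abstract unix socket, so the first byte is NUL) and prints the single rule that denial corresponds to, so it can be reviewed on its own. The function names and the STRING_FIELDS set are assumptions made for this illustration.

```python
import re

# The AVC record quoted in the bug description, copied unchanged.
AVC = ('node=localhost.localdomain type=AVC msg=audit(1225659907.827:32771): '
       'avc: denied { connectto } for pid=29462 comm="totem" '
       'path=002F746D702F646275732D52454E5548594A717963 '
       'scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 '
       'tcontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 '
       'tclass=unix_stream_socket')

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
STRING_FIELDS = {'path', 'name', 'comm', 'exe'}  # audit may hex-encode these

def decode_audit_value(raw):
    """Quoted values are literal; unquoted all-hex values are encoded bytes."""
    if raw.startswith('"'):
        return raw.strip('"')
    if len(raw) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', raw):
        data = bytes.fromhex(raw)
        text = data.decode('utf-8', errors='replace')
        # A leading NUL byte marks an abstract unix socket, shown as '@'.
        return '@' + text[1:] if data[:1] == b'\x00' else text
    return raw

def parse_avc(line):
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError('not an AVC record')
    rec = {k: decode_audit_value(v) if k in STRING_FIELDS else v
           for k, v in FIELD_RE.findall(m.group(3))}
    rec['result'] = m.group(1)
    rec['perms'] = m.group(2).split()
    # An SELinux context is user:role:type:level; rules are written on types.
    rec['source_type'] = rec['scontext'].split(':')[2]
    rec['target_type'] = rec['tcontext'].split(':')[2]
    return rec

def allow_rule(rec):
    """Candidate rule in the same form as the module above, for review."""
    perms = rec['perms']
    body = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {rec['source_type']} {rec['target_type']}:{rec['tclass']} {body};"

if __name__ == '__main__':
    rec = parse_avc(AVC)
    print(rec['comm'], '->', rec['path'])
    print(allow_rule(rec))
```

Only the string fields are decoded, because a numeric field such as pid= can also consist entirely of hex digits.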
Comment 1 Christopher Stone 2008-11-02 18:19:31 EST
Removing mozplugger fixes these problems.
Comment 2 Bug Zapper 2008-11-25 23:39:44 EST
This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle.
Changing version to '10'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
