SELinux is preventing /usr/lib64/xulrunner-2/plugin-container from read, write access on the chr_file /dev/nvidiactl.

***** Plugin device (91.4 confidence) suggests *****************************

If you want to allow plugin-container to have read write access on the nvidiactl chr_file
Then you need to change the label on /dev/nvidiactl to a type of a similar device.
Do
# semanage fcontext -a -t SIMILAR_TYPE '/dev/nvidiactl'
# restorecon -v '/dev/nvidiactl'

***** Plugin catchall (9.59 confidence) suggests ***************************

If you believe that plugin-container should be allowed read write access on the nvidiactl chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep plugin-containe /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023
Target Context                system_u:object_r:device_t:s0
Target Objects                /dev/nvidiactl [ chr_file ]
Source                        plugin-containe
Source Path                   /usr/lib64/xulrunner-2/plugin-container
Port                          <알려지지 않음>
Host                          (removed)
Source RPM Packages           xulrunner-2.0-0.25.b12.fc15
Target RPM Packages
Policy RPM                    selinux-policy-3.9.15-2.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux localhost.localdomain 2.6.35.11-83.fc14.x86_64 #1 SMP Mon Feb 7 07:06:44 UTC 2011 x86_64 x86_64
Alert Count                   2
First Seen                    2011년 03월 04일 (금) 오전 12시 38분 25초
Last Seen                     2011년 03월 04일 (금) 오전 12시 41분 47초
Local ID                      02a28763-d5c7-4501-99cb-947339466802

Raw Audit Messages
type=AVC msg=audit(1299166907.21:181): avc: denied { read write } for pid=15760 comm="plugin-containe" path="/dev/nvidiactl" dev=devtmpfs ino=19229 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

type=SYSCALL msg=audit(1299166907.21:181): arch=x86_64 syscall=ioctl success=yes exit=0 a0=11 a1=c01c4634 a2=7fff192e5720 a3=0 items=0 ppid=15694 pid=15760 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=plugin-containe exe=/usr/lib64/xulrunner-2/plugin-container subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)

Hash: plugin-containe,mozilla_plugin_t,device_t,chr_file,read,write

audit2allow

#============= mozilla_plugin_t ==============
allow mozilla_plugin_t device_t:chr_file { read write };

audit2allow -R

#============= mozilla_plugin_t ==============
allow mozilla_plugin_t device_t:chr_file { read write };
The problem is the nvidia device is mislabeled. I believe this is a known bug with the nvidiactl file.

restorecon /dev/nvidiactl

Will fix.
Created attachment 482200
After doing "restorecon /dev/nvidiactl", setroubleshoot message.

When HW accel is disabled in the Adobe Flash plugin, this issue doesn't happen. NVIDIA Linux driver version is 270.30.
Thanks for the other AVC message. Will be fixed in the next F15 release.
We worked this out (with some help from NVIDIA). Closing as a dup of the bug where we came up with a solution.

*** This bug has been marked as a duplicate of bug 748069 ***