Bug 727727 - plugin-container + flash = hang (F16 only)
Summary: plugin-container + flash = hang (F16 only)
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 16
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: CommonBugs
Depends On:
TreeView+ depends on / blocked
Reported: 2011-08-03 03:34 UTC by Bill Nottingham
Modified: 2018-04-11 16:52 UTC (History)
11 users (show)

Fixed In Version: selinux-policy-3.10.0-21.fc16
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2011-09-07 03:19:32 UTC

Attachments (Terms of Use)

Description Bill Nottingham 2011-08-03 03:34:17 UTC
Description of problem:

The combination of plugin-container & the flash plugin causes page loads to hang (presumably hitting the 45 second timeout).

This occurs on a F-16 upgraded system. It did not happen on F-15, despite the versions of FF/XR being materially the same.

Happens with flash 10 (64-bit), flash 11 (64-bit) and nspluginwrapper-wrapped flash-10 (32-bit)

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Enable flash plugin and dom.ipc.plugins.enabled
2. Go to a flash page
Actual results:

Watch Firefox freeze for quite a while.

Expected results:

Not that.

Additional info:

Backtraces of FF & plugin-container threads aren't obviously useful - poll(), pthread_cond_wait, epoll().

Comment 1 Matěj Cepl 2011-08-03 06:41:40 UTC
Could you suggest some specific page? Youtube is now mostly HTML5 for me, I tried also vimeo, but neither there nor there I saw any significant delays. Is it more about flash video sites, or some specific application (i.e., flash more like a programming environment)?

It means I have to ask for normal Firefox troubleshooting routine:

1) Are you able to reproduce this when running firefox with all addons disabled?
2) Are you able to reproduce the problem with the upstream binary from
3) Are you able to reproduce the problem with a fresh profile?

Thanks in advance.

Comment 2 Bill Nottingham 2011-08-03 16:06:43 UTC
Embedded video links with youtube's flash player is where I noticed it most often.

With respect to the questions:

1) Not sure how to parse this. I obviously can't reproduce a hang with the flash plugin when the flash plugin is disabled, but not sure that helps. If I turn off the plugin container code, flash doesn't cause a delay. (Of course, it then takes the entire process down when it crashes. Tradeoffs...)
2) Haven't tried yet.
3) Yes.

Comment 3 Bill Nottingham 2011-08-03 17:08:45 UTC
Clarification on #1 - it still happens when disabling all add-ons, and all plugins except flash.

Comment 4 Bill Nottingham 2011-08-03 17:36:28 UTC
Doesn't happen with upstream FF when installed in my homedir, but if it's moved to the system directory, it does. Turns out it's SELinux.

audit2allow in permissive mode implies:

#============= mozilla_plugin_t ==============
allow mozilla_plugin_t unconfined_t:sem { read unix_read write unix_write associate };
allow mozilla_plugin_t unconfined_t:shm { write unix_read getattr unix_write associate read destroy };

is needed.

Comment 5 Daniel Walsh 2011-08-03 19:30:59 UTC
Miroslav add

	allow mozilla_plugin_t $1:shm rw_shm_perms;
	allow mozilla_plugin_t $1:sem create_sem_perms;



Comment 6 Miroslav Grepl 2011-08-04 09:29:18 UTC
Fixed in selinux-policy-3.10.0-15.fc16

Comment 7 Adam Williamson 2011-08-16 19:57:28 UTC
No, it isn't.

my bug #717087 is the same as this, we should dupe one of them off. This still happens with selinux-policy -18, for me. As I noted in my bug, this affects all Flash plugins - or at least Adobe 10, Adobe 11, and gnash.

Comment 8 Adam Williamson 2011-08-16 19:59:42 UTC
I don't seem to get any selinux alerts, although there is an odd message in /var/log/messages :

Aug 16 12:57:10 adam setroubleshoot: [avc.ERROR] Plugin Exception catchall_labels #012Traceback (most recent call last):#012  File "/usr/lib64/python2.7/site-packages/setroubleshoot/analyze.py", line 191, in analyze_avc#012    report = plugin.analyze(avc)#012  File "/usr/share/setroubleshoot/plugins/catchall_labels.py", line 53, in analyze#012    return self.report(avc.allowed_target_types())#012  File "/usr/lib64/python2.7/site-packages/setroubleshoot/audit_data.py", line 676, in allowed_target_types#012    return map(lambda x: x[TCONTEXT], sesearch([ALLOW], {SCONTEXT: self.scontext.type, CLASS: self.tclass, PERMS: self.access}))#012  File "/usr/lib64/python2.7/site-packages/setroubleshoot/sesearch/__init__.py", line 30, in sesearch#012    dict_list = _sesearch.search(info)#012SystemError: NULL object passed to Py_BuildValue

around the time I started Firefox with selinux in Enforcing mode. But it's definitely still this bug. No delays and Flash works in Permissive mode, 45 second delay and Flash fails in Enforcing. I'm on Flash 11B1 atm.

Comment 9 Adam Williamson 2011-08-16 20:40:38 UTC
Bug #729707 is also this.

Comment 10 Adam Williamson 2011-08-16 20:41:06 UTC
Dan seems to think it'll be fixed in -19, based on a comment in that bug.

Comment 11 Daniel Walsh 2011-08-17 12:47:36 UTC
Fixed in selinux-policy-3.10.0-19.fc16

Comment 12 Fedora Update System 2011-08-24 11:38:45 UTC
selinux-policy-3.10.0-21.fc16 has been submitted as an update for Fedora 16.

Comment 13 Fedora Update System 2011-08-24 22:45:44 UTC
Package selinux-policy-3.10.0-21.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-21.fc16'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).

Comment 14 Fedora Update System 2011-09-07 03:18:53 UTC
selinux-policy-3.10.0-21.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.