Bug 729707 - SELinux is 'blocking' Firefox's plugin-container
Summary: SELinux is 'blocking' Firefox's plugin-container
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 16
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2011-08-10 15:17 UTC by Martin Kho
Modified: 2011-08-23 21:00 UTC (History)
3 users (show)

Fixed In Version: selinux-policy-3.10.0-18.fc16
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2011-08-23 20:25:48 UTC

Attachments (Terms of Use)
mymozillaplugin.te (247 bytes, text/plain)
2011-08-11 21:18 UTC, Martin Kho
no flags Details

Description Martin Kho 2011-08-10 15:17:28 UTC
Description of problem:
When I open a website in Firefox that contains flash content, Firefox 'hangs' for a rather long time (~30 seconds). After visiting more websites 'ps ax' shows many of the following lines:

"/usr/lib64/xulrunner-2/plugin-container /usr/lib64/mozilla/plugins/libgnashplugin.so -grebase /usr/lib64/xulrunner-2 -appbase /usr/lib64/firefox-5 5949 true plugin"

As a work around I run selinux in permissive mode. This is why I opened a report against selinux.

Version-Release number of selected component (if applicable):
* selinux-policy-3.10.0-15.fc16.noarch
* firefox-5.0-2.fc16.x86_64
* xulrunner-5.0-5.fc16.x86_64
* gnash-plugin-0.8.9-5.fc16.x86_64

How reproducible:
Always, when visiting websites that contain flash content

Steps to Reproduce:
1. Open website that contains flash content (e.g. http://arstechnica.com)
2. Take a cup of coffee :-)
Actual results:
Firefox 'hangs' for a while

Expected results:
Firefox is responsive

Additional info:
A few weeks a go there was a report that exactly described this issue, but I couldn't find it ;-( So may be the issue is related to an other component. If so please let me know.

Comment 1 Daniel Walsh 2011-08-10 15:25:20 UTC
Are you seeing any AVC messagees?

Comment 2 Martin Kho 2011-08-10 15:32:26 UTC
Hi Daniel,

Sorry, forgot to mention. There are no messages in /var/log/audit/audit.log. That's really strange with this issue.

Martin Kho

Comment 3 Miroslav Grepl 2011-08-11 12:21:32 UTC
Try to execute

# semodule -DB

and re-test it.

Comment 4 Martin Kho 2011-08-11 13:42:17 UTC
Hi Miroslav,

Sorry, but no success ;-(

What I did:
1. change SELINUX=permissive to enforcing
2. reboot
3. run semodule -DB
4. run Firefox and go to arstechnica,com
5. reboot
6. run again Firefox and go to arstechnica.com

Martin Kho

Comment 5 Daniel Walsh 2011-08-11 15:24:11 UTC
We are looking for the AVC messages related to running firefox with dontaudit rules disabled.

semodule -DB 

Will disable dontaudit rules.  No reboot required.

semodule -B

Will turn them back on.

Comment 6 Martin Kho 2011-08-11 15:49:08 UTC
Hi Daniel,

dmesg shows the following avc's:

[  223.361862] type=1400 audit(1313077457.220:269): avc:  denied  { write } for  pid=1604 comm="plugin-containe" path="/home/martin/.xsession-errors" dev=sda6 ino=262178 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:xdm_home_t:s0 tclass=file

[  223.362231] type=1400 audit(1313077457.220:270): avc:  denied  { write } for  pid=1604 comm="plugin-containe" path="/home/martin/.xsession-errors" dev=sda6 ino=262178 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:xdm_home_t:s0 tclass=file

[  223.362443] type=1400 audit(1313077457.221:271): avc:  denied  { read write } for  pid=1604 comm="plugin-containe" path="socket:[27219]" dev=sockfs ino=27219 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

[  223.362650] type=1400 audit(1313077457.221:272): avc:  denied  { read write } for  pid=1604 comm="plugin-containe" path="socket:[27043]" dev=sockfs ino=27043 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

In /var/log/audit/audit.log appears nothing

Hope this helps,

Martin Kho

Comment 7 Daniel Walsh 2011-08-11 15:59:16 UTC
See if those fix your problem.

# grep mozilla_plugin_t /var/log/audit/audit.log | grep stream | audit2allow -M mymozillaplugin
# semodule -i mymozillaplugin.pp

And then see if firefox works.

Comment 8 Martin Kho 2011-08-11 16:14:30 UTC
The first command gives the following error:

compilation failed:
mymozillaplugin.te:6:ERROR 'syntax error' at token '' on line 6:

/usr/bin/checkmodule:  error(s) encountered while parsing configuration
/usr/bin/checkmodule:  loading policy configuration from mymozillaplugin.te

cat mymozillaplugin.te:

module mymozillaplugin 1.0;

Martin Kho

Comment 9 Daniel Walsh 2011-08-11 17:03:42 UTC
Looks like it did not find any avcs.

Comment 10 Martin Kho 2011-08-11 17:21:21 UTC

It looks like that after July 30 no messages are written to autid.log

-rw-------. 1 root root 2381574 Jul 30 10:09 /var/log/audit/audit.log

Any ideas about this?

Comment 11 Martin Kho 2011-08-11 17:32:22 UTC

Found! systemd issue. I had to run systemctl enable auditd.service.

After executing the commands from comment #7 Firefox works fine.


Martin Kho

Comment 12 Daniel Walsh 2011-08-11 19:05:13 UTC
Fixed in selinux-policy-3.10.0-19.fc16

Comment 13 Fedora Update System 2011-08-11 20:34:54 UTC
selinux-policy-3.10.0-18.fc16 has been submitted as an update for Fedora 16.

Comment 14 Martin Kho 2011-08-11 21:17:20 UTC

Updated to 3.10.0-18 (comment 13), but it didn't solve the issue. May be I did something wrong.

1. I removed module mymozillaplugin (semodule -r <module>)
2. Updated selinx-policy[-targeted]
3. rebooted
4. run Firefox and went to arstechnica.com

Martin Kho

Note: I'll attach the mymozillaplugin.te file

Comment 15 Martin Kho 2011-08-11 21:18:31 UTC
Created attachment 517896 [details]

Comment 16 Fedora Update System 2011-08-12 04:22:14 UTC
Package selinux-policy-3.10.0-18.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-18.fc16'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).

Comment 17 Daniel Walsh 2011-08-12 10:30:51 UTC
As I said it would be fixed in -19 not -18.  Miroslav must have accidentally included this bug.

Comment 18 Martin Kho 2011-08-12 10:35:06 UTC
Hi Daniel,

Reading is also a competency :-) Sorry!

Martin Kho

Comment 19 Fedora Update System 2011-08-23 20:25:09 UTC
selinux-policy-3.10.0-18.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 Martin Kho 2011-08-23 21:00:39 UTC

Version -18 didn't solve this issue, but -20 (from koji) did :-)


Martin Kho

Note You need to log in before you can comment on or make changes to this bug.