Description of problem:
When I open a website in Firefox that contains flash content, Firefox 'hangs' for a rather long time (~30 seconds). After visiting more websites 'ps ax' shows many of the following lines:
"/usr/lib64/xulrunner-2/plugin-container /usr/lib64/mozilla/plugins/libgnashplugin.so -grebase /usr/lib64/xulrunner-2 -appbase /usr/lib64/firefox-5 5949 true plugin"
As a workaround I run selinux in permissive mode. This is why I opened a report against selinux.
Version-Release number of selected component (if applicable):
* selinux-policy-3.10.0-15.fc16.noarch
* firefox-5.0-2.fc16.x86_64
* xulrunner-5.0-5.fc16.x86_64
* gnash-plugin-0.8.9-5.fc16.x86_64
How reproducible: Always, when visiting websites that contain flash content
Steps to Reproduce:
1. Open website that contains flash content (e.g. http://arstechnica.com)
2. Take a cup of coffee :-)
3.
Actual results: Firefox 'hangs' for a while
Expected results: Firefox is responsive
Additional info: A few weeks ago there was a report that exactly described this issue, but I couldn't find it ;-( So maybe the issue is related to another component. If so please let me know.
Are you seeing any AVC messages?
Hi Daniel, Sorry, forgot to mention. There are no messages in /var/log/audit/audit.log. That's really strange with this issue. Martin Kho
Try to execute # semodule -DB and re-test it.
Hi Miroslav, Sorry, but no success ;-( What I did:
1. change SELINUX=permissive to enforcing
2. reboot
3. run semodule -DB
4. run Firefox and go to arstechnica.com
5. reboot
6. run again Firefox and go to arstechnica.com
Martin Kho
We are looking for the AVC messages related to running firefox with dontaudit rules disabled.
semodule -DB
Will disable dontaudit rules. No reboot required.
semodule -B
Will turn them back on.
Hi Daniel, dmesg shows the following avc's:
[ 223.361862] type=1400 audit(1313077457.220:269): avc: denied { write } for pid=1604 comm="plugin-containe" path="/home/martin/.xsession-errors" dev=sda6 ino=262178 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:xdm_home_t:s0 tclass=file
[ 223.362231] type=1400 audit(1313077457.220:270): avc: denied { write } for pid=1604 comm="plugin-containe" path="/home/martin/.xsession-errors" dev=sda6 ino=262178 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:xdm_home_t:s0 tclass=file
[ 223.362443] type=1400 audit(1313077457.221:271): avc: denied { read write } for pid=1604 comm="plugin-containe" path="socket:[27219]" dev=sockfs ino=27219 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
[ 223.362650] type=1400 audit(1313077457.221:272): avc: denied { read write } for pid=1604 comm="plugin-containe" path="socket:[27043]" dev=sockfs ino=27043 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Nothing appears in /var/log/audit/audit.log.
Hope this helps, Martin Kho
See if those fix your problem.
# grep mozilla_plugin_t /var/log/audit/audit.log | grep stream | audit2allow -M mymozillaplugin
# semodule -i mymozillaplugin.pp
And then see if firefox works.
The first command gives the following error:
compilation failed:
mymozillaplugin.te:6:ERROR 'syntax error' at token '' on line 6:
/usr/bin/checkmodule: error(s) encountered while parsing configuration
/usr/bin/checkmodule: loading policy configuration from mymozillaplugin.te
cat mymozillaplugin.te:
module mymozillaplugin 1.0;
Martin Kho
Looks like it did not find any avcs.
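Added example (not part of the original thread, and not audit2allow's own code): a simplified Python sketch of what the grep | audit2allow pipeline suggested above does with the denials quoted from dmesg, including the case where no denial matches, which in the thread left a module containing only its header line. The names collect and render_module are made up for this illustration, the sample lines are two of the denials quoted in the thread, and filtering is done on the parsed source type and class rather than with a plain grep.

```python
import re
from collections import defaultdict

# Sample input: two of the denials quoted in the thread (dmesg form).
SAMPLE = """\
[ 223.361862] type=1400 audit(1313077457.220:269): avc: denied { write } for pid=1604 comm="plugin-containe" path="/home/martin/.xsession-errors" dev=sda6 ino=262178 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:xdm_home_t:s0 tclass=file
[ 223.362443] type=1400 audit(1313077457.221:271): avc: denied { read write } for pid=1604 comm="plugin-containe" path="socket:[27219]" dev=sockfs ino=27219 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
"""

# The type is the third colon-separated field of an SELinux context.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<src>[^:\s]+)\S*\s+"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<tgt>[^:\s]+)\S*\s+"
    r"tclass=(?P<cls>\w+)")

def collect(log_text, source_type, class_filter=""):
    """Group denied permissions by (source type, target type, class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m and m["src"] == source_type and class_filter in m["cls"]:
            rules[(m["src"], m["tgt"], m["cls"])].update(m["perms"].split())
    return rules

def render_module(name, rules):
    """Return type-enforcement source, or None when no denial matched."""
    if not rules:
        return None  # nothing to allow: do not emit a header-only module
    types = sorted({x for s, t, _ in rules for x in (s, t)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};"
            for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    # Review the generated rules before compiling and loading anything.
    print(render_module("mymozillaplugin",
                        collect(SAMPLE, "mozilla_plugin_t", "stream")))
```

Reading the rendered rules before loading a module shows exactly which access is being granted; here only the unix_stream_socket denial passes the "stream" filter, while the write to .xsession-errors is left out.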
Hi, It looks like after July 30 no messages are written to audit.log
-rw-------. 1 root root 2381574 Jul 30 10:09 /var/log/audit/audit.log
Any ideas about this?
Hi, Found! systemd issue. I had to run systemctl enable auditd.service. After executing the commands from comment #7 Firefox works fine. Thanks, Martin Kho
Fixed in selinux-policy-3.10.0-19.fc16
selinux-policy-3.10.0-18.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-18.fc16
Hi, Updated to 3.10.0-18 (comment 13), but it didn't solve the issue. Maybe I did something wrong.
1. I removed module mymozillaplugin (semodule -r <module>)
2. Updated selinux-policy[-targeted]
3. rebooted
4. run Firefox and went to arstechnica.com
Martin Kho
Note: I'll attach the mymozillaplugin.te file
Created attachment 517896 mymozillaplugin.te
Package selinux-policy-3.10.0-18.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-18.fc16'
as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-18.fc16 then log in and leave karma (feedback).
As I said it would be fixed in -19 not -18. Miroslav must have accidentally included this bug.
Hi Daniel, Reading is also a competency :-) Sorry! Martin Kho
selinux-policy-3.10.0-18.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
Hi, Version -18 didn't solve this issue, but -20 (from koji) did :-) Thanks, Martin Kho