732841 – SELinux prevented "totem-plugin-viewer" read write on 'card0'

Bug 732841 - SELinux prevented "totem-plugin-viewer" read write on 'card0'

Summary: SELinux prevented "totem-plugin-viewer" read write on 'card0'

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	16
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2011-08-23 20:46 UTC by Martin Kho
Modified:	2011-11-21 23:06 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2011-11-21 23:06:16 UTC
Dependent Products:

Attachments	(Terms of Use)
mymozillaplugin module (3.05 KB, application/octet-stream) 2011-08-24 10:08 UTC, Martin Kho	no flags	Details
Add an attachment (proposed patch, testcase, etc.)

Description Martin Kho 2011-08-23 20:46:11 UTC

Description of problem:

In KDE SELinux is preventing totem-mozplugin from running in Firefox.

After running semodule -DB in /var/log/audit/audit.log the following AVC appears:

type=AVC msg=audit(1313518827.157:516): avc:  denied  { read write } for  pid=2189 comm="totem-plugin-vi" name="card0" dev=devtmpfs ino=8261 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file

Version-Release number of selected component (if applicable):
selinux-policy-3.10.0-18.fc16.noarch

How reproducible:
always

Steps to Reproduce:
1. Start a video in Firefox that uses totem-mozplugin
2. Video wont start
3.
  
Actual results:
The plugin doesn't start

Expected results:
The plugin starts

Additional info:

Comment 1 Martin Kho 2011-08-23 21:17:24 UTC

Hi,

Huh?

After updating selinux to version -20 and start a video (using totem-mozplugin) I get the following AVC in audit.log:

type=AVC msg=audit(1313585630.271:763): avc:  denied  { read } for  pid=12277 comm="kde4-config" name="config" dev=sda6 ino=9779 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:config_usr_t:s0 tclass=dir

In the current policy, it seems, the following dontaudit rules exists: "allow mozilla_plugin_t config_usr_t:dir { getattr search };"

I don't know if this AVC is relevant?

Martin Kho

Comment 2 Daniel Walsh 2011-08-24 02:20:02 UTC

You can turn the transition off 

setsebool -P unconfined_mozilla_plugin_transition 0

And then restart firefox.

I will add the reading of the config_usr_t.  I am not so sure about adding read write of the dri_device_t.  

You could build a custom policy of your own to allow this.

grep mozilla_plugin_t /var/log/audit/audit.log | audit2allow -M mymozillaplugin
semodule -i mymozillaplugin.pp

Comment 3 Martin Kho 2011-08-24 10:07:32 UTC

Hi Daniel,

Turning the transition off didn't help. I got the socket[1] issue back. Next I created a custom policy. That worked, of course :-) Then I disabled the following allow rule in the .te file:

# allow mozilla_plugin_t dri_device_t:chr_file { read write }

rebuild the policy manually and reloaded it into the kernel.

Totem-mozplugin worked as expected. So read write of the dri_device_t seems to be unnecessary.

For your reference, I' ll upload the .te file.

Martin Kho

[1] https://bugzilla.redhat.com/show_bug.cgi?id=729707

Comment 4 Martin Kho 2011-08-24 10:08:15 UTC

Created attachment 519599 [details]
mymozillaplugin module

Comment 5 Martin Kho 2011-11-21 21:11:02 UTC

Hi,

I'm running F16 now and haven't seen this issue. So this report can be closed, I suppose,


Thanks,

Martin Kho

Comment 6 Martin Kho 2011-11-21 21:11:48 UTC

Hi,

Final I mean :-)


Martin Kho

Note You need to log in before you can comment on or make changes to this bug.