Description of problem:
In KDE SELinux is preventing totem-mozplugin from running in Firefox. After running semodule -DB, the following AVC appears in /var/log/audit/audit.log:

type=AVC msg=audit(1313518827.157:516): avc: denied { read write } for pid=2189 comm="totem-plugin-vi" name="card0" dev=devtmpfs ino=8261 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file

Version-Release number of selected component (if applicable):
selinux-policy-3.10.0-18.fc16.noarch

How reproducible:
always

Steps to Reproduce:
1. Start a video in Firefox that uses totem-mozplugin
2. Video won't start
3.

Actual results:
The plugin doesn't start

Expected results:
The plugin starts

Additional info:
Hi,

Huh? After updating selinux to version -20 and starting a video (using totem-mozplugin) I get the following AVC in audit.log:

type=AVC msg=audit(1313585630.271:763): avc: denied { read } for pid=12277 comm="kde4-config" name="config" dev=sda6 ino=9779 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:config_usr_t:s0 tclass=dir

In the current policy, it seems, the following dontaudit rule exists:

"allow mozilla_plugin_t config_usr_t:dir { getattr search };"

I don't know if this AVC is relevant?

Martin Kho
You can turn the transition off

setsebool -P unconfined_mozilla_plugin_transition 0

And then restart firefox.

I will add the reading of the config_usr_t. I am not so sure about adding read write of the dri_device_t. You could build a custom policy of your own to allow this.

grep mozilla_plugin_t /var/log/audit/audit.log | audit2allow -M mymozillaplugin
semodule -i mymozillaplugin.pp
Hi Daniel,

Turning the transition off didn't help. I got the socket[1] issue back.

Next I created a custom policy. That worked, of course :-) Then I disabled the following allow rule in the .te file:

# allow mozilla_plugin_t dri_device_t:chr_file { read write }

rebuilt the policy manually and reloaded it into the kernel. Totem-mozplugin worked as expected. So read write of the dri_device_t seems to be unnecessary.

For your reference, I'll upload the .te file.

Martin Kho

[1] https://bugzilla.redhat.com/show_bug.cgi?id=729707
Created attachment 519599 [details] mymozillaplugin module
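An added example, not code from this bug report or from Fedora's policy tooling: a small Python parser that turns AVC records like the two quoted above into the allow rules audit2allow would derive, and sets aside the dri_device_t rule that comment 4 found unnecessary, so the generated .te can be reviewed before it is loaded with semodule -i. The sample log lines are the ones quoted in this report (plus a constructed non-AVC record to show it is skipped); the drop list in review() is an assumed review decision, not something audit2allow does.

```python
import re

# Constructed sample input: the two AVC records quoted in this bug report,
# in the format of /var/log/audit/audit.log, plus one unrelated SYSCALL record.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1313518827.157:516): avc:  denied  { read write } for  pid=2189 comm="totem-plugin-vi" name="card0" dev=devtmpfs ino=8261 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file
type=AVC msg=audit(1313585630.271:763): avc:  denied  { read } for  pid=12277 comm="kde4-config" name="config" dev=sda6 ino=9779 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:config_usr_t:s0 tclass=dir
type=SYSCALL msg=audit(1313518827.157:516): arch=c000003e syscall=2 success=no exit=-13
"""
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return {stype, ttype, tclass, perms} for one AVC denial, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # The type is the third field of a context, e.g. unconfined_u:unconfined_r:mozilla_plugin_t:...
    return {
        "stype": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
        "perms": set(m.group("perms").split()),
    }

def allow_rules(log_text, source_type="mozilla_plugin_t"):
    """Merge denials per (source type, target type, class) into allow rules, as audit2allow would."""
    merged = {}
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None or d["stype"] != source_type:
            continue
        merged.setdefault((d["stype"], d["ttype"], d["tclass"]), set()).update(d["perms"])
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(merged.items())]

def review(rules, drop_targets=("dri_device_t",)):
    """Split rules into those to keep and those to comment out in the .te (drop_targets is an assumed review list)."""
    keep, drop = [], []
    for r in rules:
        target = r.split()[2].split(":")[0]  # "dri_device_t:chr_file" -> "dri_device_t"
        (drop if target in drop_targets else keep).append(r)
    return keep, ["# " + r for r in drop]

if __name__ == "__main__":
    keep, drop = review(allow_rules(SAMPLE_AUDIT_LOG))
    print("\n".join(keep + drop))
```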
Hi,

I'm running F16 now and haven't seen this issue. So this report can be closed, I suppose.

Thanks,

Martin Kho
Hi, Final I mean :-) Martin Kho