Bug 732841 - SELinux prevented "totem-plugin-viewer" read write on 'card0'
Summary: SELinux prevented "totem-plugin-viewer" read write on 'card0'
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 16
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2011-08-23 20:46 UTC by Martin Kho
Modified: 2011-11-21 23:06 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2011-11-21 23:06:16 UTC
Type: ---
Embargoed:


Attachments
mymozillaplugin module (3.05 KB, application/octet-stream)
2011-08-24 10:08 UTC, Martin Kho

Description Martin Kho 2011-08-23 20:46:11 UTC
Description of problem:

In KDE, SELinux is preventing totem-mozplugin from running in Firefox.

After running semodule -DB, the following AVC appears in /var/log/audit/audit.log:

type=AVC msg=audit(1313518827.157:516): avc:  denied  { read write } for  pid=2189 comm="totem-plugin-vi" name="card0" dev=devtmpfs ino=8261 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file

Version-Release number of selected component (if applicable):
selinux-policy-3.10.0-18.fc16.noarch

How reproducible:
always

Steps to Reproduce:
1. Start a video in Firefox that uses totem-mozplugin
2. Video won't start
3.
  
Actual results:
The plugin doesn't start

Expected results:
The plugin starts

Additional info:

Comment 1 Martin Kho 2011-08-23 21:17:24 UTC
Hi,

Huh?

After updating selinux to version -20 and start a video (using totem-mozplugin) I get the following AVC in audit.log:

type=AVC msg=audit(1313585630.271:763): avc:  denied  { read } for  pid=12277 comm="kde4-config" name="config" dev=sda6 ino=9779 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:config_usr_t:s0 tclass=dir

In the current policy, it seems, the following dontaudit rule exists: "allow mozilla_plugin_t config_usr_t:dir { getattr search };"

I don't know if this AVC is relevant?

Martin Kho

Comment 2 Daniel Walsh 2011-08-24 02:20:02 UTC
You can turn the transition off 

setsebool -P unconfined_mozilla_plugin_transition 0

And then restart firefox.

I will add the reading of the config_usr_t.  I am not so sure about adding read write of the dri_device_t.  

You could build a custom policy of your own to allow this.

grep mozilla_plugin_t /var/log/audit/audit.log | audit2allow -M mymozillaplugin
semodule -i mymozillaplugin.pp

Comment 3 Martin Kho 2011-08-24 10:07:32 UTC
Hi Daniel,

Turning the transition off didn't help. I got the socket[1] issue back. Next I created a custom policy. That worked, of course :-) Then I disabled the following allow rule in the .te file:

# allow mozilla_plugin_t dri_device_t:chr_file { read write }

rebuilt the policy manually and reloaded it into the kernel.

Totem-mozplugin worked as expected. So read write of the dri_device_t seems to be unnecessary.

For your reference, I'll upload the .te file.

Martin Kho

[1] https://bugzilla.redhat.com/show_bug.cgi?id=729707
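The procedure in comments 2 and 3 has two halves: audit2allow turns the denials for one source domain into a policy module, and the reviewer then strips the rules the program turns out not to need before building and loading it. The following is an added example, not audit2allow itself and not Fedora policy code. It reproduces the core of `grep mozilla_plugin_t ... | audit2allow -M` for the two AVC records quoted in this report (the extra SYSCALL record is constructed, to show that non-AVC lines are skipped), renders the .te in the layout audit2allow uses, and applies the review step from comment 3 by dropping the dri_device_t chr_file rule. The module name and the deny-list are assumptions made for the example; the checkmodule/semodule_package/semodule commands in the trailing comment are the standard manual rebuild sequence and are not executed here.

```python
"""Turn SELinux AVC denial records into a minimal policy module (.te).

Added example for this bug report; it is not audit2allow and not Fedora
policy code. The two AVC lines are copied from the report, the SYSCALL
line is constructed, and the module name and deny-list are assumptions.
"""
import re
from collections import defaultdict

# Records as they appear in /var/log/audit/audit.log. The two AVC lines are
# from the report; the SYSCALL line is constructed so the parser has a
# non-AVC record to skip.
AVC_LOG = """\
type=AVC msg=audit(1313518827.157:516): avc:  denied  { read write } for  pid=2189 comm="totem-plugin-vi" name="card0" dev=devtmpfs ino=8261 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file
type=AVC msg=audit(1313585630.271:763): avc:  denied  { read } for  pid=12277 comm="kde4-config" name="config" dev=sda6 ino=9779 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:config_usr_t:s0 tclass=dir
type=SYSCALL msg=audit(1313518827.157:516): arch=c000003e syscall=2 success=no exit=-13
"""

# A context is user:role:type[:range]; only the type field matters for a rule.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=[^:\s]+:[^:\s]+:(?P<stype>[^:\s]+)"
    r".*?tcontext=[^:\s]+:[^:\s]+:(?P<ttype>[^:\s]+)"
    r".*?tclass=(?P<tclass>\w+)"
)


def parse_avc(log_text):
    """Map (source type, target type, class) -> set of denied permissions.

    Records that are not AVC denials are skipped, and repeated denials for
    the same triple are merged into one rule, as audit2allow does."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rules[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return dict(rules)


def filter_source(rules, source_type):
    """Keep only denials from one domain: the `grep mozilla_plugin_t` step."""
    return {k: v for k, v in rules.items() if k[0] == source_type}


def drop_rules(rules, deny):
    """Remove triples the reviewer decided the program does not need."""
    return {k: v for k, v in rules.items() if k not in deny}


def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_te(module, rules, version="1.0"):
    """Render .te source: module header, require block, one allow per triple."""
    types = sorted({t for k in rules for t in k[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass].update(perms)
    out = [f"module {module} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt_perms(classes[c])};" for c in sorted(classes)]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        out.append(f"allow {stype} {ttype}:{tclass} {fmt_perms(perms)};")
    return "\n".join(out) + "\n"


def build_module(log_text, source_type="mozilla_plugin_t",
                 module="mymozillaplugin", deny=()):
    rules = drop_rules(filter_source(parse_avc(log_text), source_type), set(deny))
    return render_te(module, rules)


# The rule comment 3 disabled before rebuilding; totem still worked without it.
DENY_DRI = {("mozilla_plugin_t", "dri_device_t", "chr_file")}

if __name__ == "__main__":
    print(build_module(AVC_LOG, deny=DENY_DRI))
    # Manual rebuild and load of the edited .te (needs checkpolicy and
    # policycoreutils; not run by this script):
    #   checkmodule -M -m -o mymozillaplugin.mod mymozillaplugin.te
    #   semodule_package -o mymozillaplugin.pp -m mymozillaplugin.mod
    #   semodule -i mymozillaplugin.pp
```

Running it prints a module that allows only `mozilla_plugin_t config_usr_t:dir read`; calling `build_module(AVC_LOG)` with an empty deny-list also emits `allow mozilla_plugin_t dri_device_t:chr_file { read write };`, which is the rule the maintainer hesitated to add to the distribution policy and that the reporter found unnecessary. Reviewing the generated .te before `semodule -i` is the step that keeps audit2allow from simply codifying whatever a misbehaving process asked for.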

Comment 4 Martin Kho 2011-08-24 10:08:15 UTC
Created attachment 519599 [details]
mymozillaplugin module

Comment 5 Martin Kho 2011-11-21 21:11:02 UTC
Hi,

I'm running F16 now and haven't seen this issue. So this report can be closed, I suppose.


Thanks,

Martin Kho

Comment 6 Martin Kho 2011-11-21 21:11:48 UTC
Hi,

Final, I mean :-)


Martin Kho

