Description of problem:
When I try to play a video on YouTube, Firefox crashes.

How reproducible:
Install the 64-bit Flash plugin and play a video with Firefox.

Steps to Reproduce:
1. First I install the 64-bit Flash plugin, obtained here: http://download.macromedia.com/pub/labs/flashplatformruntimes/flashplayer11/flashplayer11_rc1_install_lin_32_090611.tar.gz
2. I just move the file "libflashplayer.so" to /usr/lib64/mozilla/plugins
3. Open Firefox and play a video on YouTube.

log:
SELinux is preventing /usr/lib64/xulrunner-2/plugin-container from execute access on the arquivo /usr/lib64/mozilla/plugins/libflashplayer.so.

***** Plugin restorecon (confiança 99.5) sugere ***************************
Se you want to fix the label.
/usr/lib64/mozilla/plugins/libflashplayer.so default label should be lib_t.
Então you can run restorecon.
Faça
# /sbin/restorecon -v /usr/lib64/mozilla/plugins/libflashplayer.so

***** Plugin catchall (confiança 1.49) sugere *****************************
Se you believe that plugin-container should be allowed execute access on the libflashplayer.so file by default.
Então you should report this as a bug.
You can generate a local policy module to allow this access.
Faça
allow this access for now by executing:
# grep plugin-containe /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Contexto de origem            unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023
Contexto de destino           unconfined_u:object_r:user_home_t:s0
Objetos de destino            /usr/lib64/mozilla/plugins/libflashplayer.so [ file ]
Origem                        plugin-containe
Caminho da origem             /usr/lib64/xulrunner-2/plugin-container
Porta                         <Desconhecido>
Máquina                       shanks
Pacotes RPM de origem         xulrunner-7.0-1.fc16
Pacotes RPM de destino
RPM da política               selinux-policy-3.10.0-32.fc16
Selinux habilitado            True
Tipo de política              targeted
Modo reforçado                Enforcing
Nome da máquina               shanks
Plataforma                    Linux shanks 3.1.0-0.rc8.git0.0.fc16.x86_64 #1 SMP Wed Sep 28 01:31:14 UTC 2011 x86_64 x86_64
Contador de alertas           1
Visto pela primeira vez em    Dom 02 Out 2011 13:06:20 BRT
Visto pela última vez em      Dom 02 Out 2011 13:06:20 BRT
ID local                      ca21a413-b5d9-42d5-adb4-e50acdd023b3

Mensagens de auditoria não processadas
type=AVC msg=audit(1317571580.912:165): avc: denied { execute } for pid=5487 comm="plugin-containe" path="/usr/lib64/mozilla/plugins/libflashplayer.so" dev=sda1 ino=164585 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1317571580.912:165): arch=x86_64 syscall=mmap success=no exit=EACCES a0=0 a1=15055a8 a2=5 a3=802 items=0 ppid=4736 pid=5487 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=6 comm=plugin-containe exe=/usr/lib64/xulrunner-2/plugin-container subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)

Hash: plugin-containe,mozilla_plugin_t,user_home_t,file,execute

audit2allow
#============= mozilla_plugin_t ==============
allow mozilla_plugin_t user_home_t:file execute;

audit2allow -R
#============= mozilla_plugin_t ==============
allow mozilla_plugin_t user_home_t:file execute;
Additional info:
To solve the problem I just ran the following command as root:
# /sbin/restorecon -v /usr/lib64/mozilla/plugins/libflashplayer.so
I believe that users will bother to run this command after installing the final version, so I'm reporting it.
The issue is that you have moved the lib from your home directory to the Mozilla plugin directory. If you had copied the file instead of moving it, this issue would not have happened. But I agree. Users that stick to the default SELinux user mapping in a default installation are usually not familiar with SELinux and probably think this is some kind of bug. Therefore we should not run anything confined for these users, as that will confront them with issues like the issue you report above. Fedora should set "unconfined_mozilla_plugin_transition" to off by default, and maybe she will by the time Fedora 16 goes stable. Currently it is beta. The matter is pretty complicated. Fedora has an "unconfined" SELinux environment and it is currently the default SELinux environment for users. This environment was, as far as I know, designed so that (specified) users could be exempted from SELinux restriction/protection. This unconfined SELinux environment was designed, I think, in Fedora 3, because when SELinux was introduced in Fedora 2 (I believe), there were only protected/restricted SELinux environments. Users were not happy with these restrictions. (I guess also because then it had rough edges.) The problem in my view is that the unconfined SELinux environment that was designed was implemented as a permanent solution to the problem described above, rather than a temporary solution until the protected SELinux environments were better polished. This caused problems later, as the main focus was on the unconfined SELinux environment, and by the time the restricted SELinux user environments were merged (back) in (in Fedora 8) almost no one bothered to use them, and Fedora did not force/stimulate it because they left the unconfined SELinux user environment as the default.
And in the meantime the model was broken in the sense that Fedora started using SELinux to protect the unprotected (or confine the unconfined) by using SELinux to implement memory protection by default and other protections, and so over time the unconfined domain became more confined and the very issues that caused Fedora to design the unconfined domain in the first place resurfaced or were reintroduced. Nowadays, it seems that Fedora is haunted by these earlier decisions. When policy for protecting the user space is introduced, Fedora sometimes enables it for the default unconfined users during the beta and alpha stage to expose it to a greater audience for optimal testing. And so we encounter reports like yours, which make great sense to me. In the meantime the confined/restricted SELinux user environments are placed in second place and have lower priority. So, it's all a bit messed up in my view. The above might not make sense to you, and others might not agree with my take on the history of this matter, but this is how I experience it.
tl;dr Thanks for the report, but this is not a bug. You have a good point, but Fedora 16 is in beta stage (it is not ready for general consumption yet). By the time Fedora 16 is final this should no longer happen. If it does, then please re-open this report.
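The distinction drawn above (a file that kept its user_home_t label after mv, versus a real policy gap) is the first question to settle before reaching for audit2allow. As an added example that is not part of this report or of Fedora's tooling, the script below parses AVC records like the one pasted above and sorts each denial into "mislabel: relabel it" or "policy: report it". The expected-label table is an assumption taken from the troubleshooter's own statement that the plugin directory should be lib_t; the second AVC line in the sample is constructed.

```python
import re

# Constructed sample audit.log excerpt. Line 1 is the AVC record from the report
# above; line 3 is an invented record for a correctly labelled (lib_t) plugin.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1317571580.912:165): avc:  denied  { execute } for  pid=5487 comm="plugin-containe" path="/usr/lib64/mozilla/plugins/libflashplayer.so" dev=sda1 ino=164585 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1317571580.912:165): arch=x86_64 syscall=mmap success=no exit=EACCES
type=AVC msg=audit(1317571600.000:170): avc:  denied  { execute } for  pid=5500 comm="plugin-containe" path="/usr/lib64/mozilla/plugins/example.so" dev=sda1 ino=1 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file
"""

# Assumed expected labels (the troubleshooter in the report says the plugin
# directory should be lib_t). On a real host, ask the file_contexts database
# instead: matchpathcon <path>, or restorecon -nv <path> for a dry run.
EXPECTED_TYPE_BY_PREFIX = {"/usr/lib64/mozilla/plugins/": "lib_t",
                           "/usr/lib/mozilla/plugins/": "lib_t"}


def parse_avc(line):
    """Return the fields of one AVC denial record, or None for other records."""
    m = re.search(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$', line)
    if not m:
        return None
    # key=value pairs; values may be double-quoted (comm, path).
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2))}
    fields["perms"] = m.group(1).split()
    return fields


def selinux_type(context):
    """user:role:type[:range] -> type."""
    return context.split(":")[2]


def triage(rec):
    """Decide whether a denial comes from a mislabelled file or a real policy gap."""
    path = rec.get("path", "")
    actual = selinux_type(rec["tcontext"])
    expected = next((t for p, t in EXPECTED_TYPE_BY_PREFIX.items() if path.startswith(p)), None)
    if expected is not None and expected != actual:
        # Wrong label (e.g. mv preserved user_home_t): relabel, do not write policy.
        return {"verdict": "mislabel", "path": path, "actual": actual,
                "expected": expected, "fix": "restorecon -v " + path}
    # Label is what the policy expects, so the policy itself lacks the rule.
    # Report it; a local audit2allow module would grant the access permanently.
    return {"verdict": "policy", "path": path, "actual": actual,
            "rule": "allow %s %s:%s { %s };" % (selinux_type(rec["scontext"]), actual,
                                                 rec["tclass"], " ".join(rec["perms"]))}


def triage_log(text):
    """Triage every AVC record in an audit.log excerpt; non-AVC lines are skipped."""
    return [triage(r) for r in map(parse_avc, text.splitlines()) if r]
```

Running triage_log(SAMPLE_AUDIT_LOG) yields a "mislabel" verdict with the same restorecon command the troubleshooter suggested, and a "policy" verdict for the constructed lib_t record.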