Bug 799584 - SELinux is preventing /usr/lib64/firefox/firefox from using the 'ptrace' accesses on a process.
SELinux is preventing /usr/lib64/firefox/firefox from using the 'ptrace' acce...
Product: Fedora
Classification: Fedora
Component: kernel (Show other bugs)
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Eric Paris
Fedora Extras Quality Assurance
: Reopened
: 834768 (view as bug list)
Depends On:
  Show dependency treegraph
Reported: 2012-03-03 03:36 EST by Julian Sikorski
Modified: 2013-08-01 13:02 EDT (History)
11 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-08-01 13:02:48 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Julian Sikorski 2012-03-03 03:36:29 EST
libreport version: 2.0.8
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.3.0-0.rc5.git3.1.fc17.x86_64
reason:         SELinux is preventing /usr/lib64/firefox/firefox from using the 'ptrace' accesses on a process.
time:           sob, 3 mar 2012, 09:35:44

:SELinux is preventing /usr/lib64/firefox/firefox from using the 'ptrace' accesses on a process.
:*****  Plugin catchall_boolean (89.3 confidence) suggests  *******************
:If aby deny_ptrace
:Then należy powiadomić o tym SELinuksa włączając zmienną logiczną "deny_ptrace".
:setsebool -P deny_ptrace 0
:*****  Plugin catchall (11.6 confidence) suggests  ***************************
:If jeśli firefox powinno mieć domyślnie ptrace dostęp do procesów z etykietami mozilla_plugin_t.
:Then proszę to zgłosić jako błąd.
:Można utworzyć lokalny moduł polityki, aby umożliwić ten dostęp.
:można tymczasowo zezwolić na ten dostęp wykonując polecenia:
:# grep firefox /var/log/audit/audit.log | audit2allow -M mojapolityka
:# semodule -i mojapolityka.pp
:Additional Information:
:Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
:                              023
:Target Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
:                              0.c1023
:Target Objects                 [ process ]
:Source                        firefox
:Source Path                   /usr/lib64/firefox/firefox
:Port                          <Nieznane>
:Host                          (removed)
:Source RPM Packages           firefox-10.0.1-1.fc17.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-95.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.3.0-0.rc5.git3.1.fc17.x86_64 #1
:                              SMP Wed Feb 29 21:22:11 UTC 2012 x86_64 x86_64
:Alert Count                   10
:First Seen                    sob, 3 mar 2012, 09:31:48
:Last Seen                     sob, 3 mar 2012, 09:33:05
:Local ID                      58e7cc30-5260-4a9c-a2e7-eb37d9eea711
:Raw Audit Messages
:type=AVC msg=audit(1330763585.690:262): avc:  denied  { ptrace } for  pid=6114 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=process
:type=SYSCALL msg=audit(1330763585.690:262): arch=x86_64 syscall=ptrace success=no exit=EACCES a0=10 a1=188f a2=0 a3=0 items=0 ppid=1 pid=6114 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=24 comm=firefox exe=/usr/lib64/firefox/firefox subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
:Hash: firefox,unconfined_t,mozilla_plugin_t,process,ptrace
:audit2allowunable to open /sys/fs/selinux/policy:  Permission denied
:audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied
Comment 1 Julian Sikorski 2012-03-03 03:38:50 EST
I am not sure this is clear from the bug description, but it renders gecko-mediaplayer (in RPM Fusion) completely unusable. It shows the firefox plugin error window every time.
Comment 2 Miroslav Grepl 2012-03-05 04:20:04 EST
Yes, we deny this access by default.


You will need to do what setroubleshoot suggest in this case.

:If aby deny_ptrace
:Then należy powiadomić o tym SELinuksa włączając zmienną logiczną
:setsebool -P deny_ptrace 0
Comment 3 Julian Sikorski 2012-03-05 04:47:00 EST
Hmm, can't we grant exceptions so that packages from repositories work as expected (I am the gecko-mediaplayer maintainer)? Or is it wrong that gecko-mediaplayer requires such access?
Comment 4 Julian Sikorski 2012-03-05 04:48:11 EST
As a side note, what setroubleshoot says is hardly Polish - actually I am having hard time understanding it and I am a native speaker ;)
Comment 5 Julian Sikorski 2012-03-17 04:06:00 EDT
I am sorry for re-opening this, but I would like a more detailed explanation. To me it seems wrong that a firefox plugin does not work by default and requires SELinux tweaks.
Comment 6 Daniel Walsh 2012-03-17 07:05:50 EDT
Well we are hoping to get a fix to the kernel to allow parent processes to ptrace their children, but even with that this seems like a strange behaviour.  Why is firefox examining the memory of the plugin?
Comment 7 Julian Sikorski 2012-03-17 07:08:46 EDT
Well, I have no idea frankly speaking. Kevin (the plugin author) suspected the sandboxing.
Comment 8 Daniel Walsh 2012-03-19 11:23:23 EDT
Yes I believe this is related to the way the chrome process figures out information running within the sandbox.  I remember hearing how convoluted the handling of the chrome sandbox was, and I believe there was something about figuring out the PID, which might be causing this problem.
Comment 9 Daniel Walsh 2012-03-19 11:24:53 EDT
Oops this is firefox, but chrome is having a similar problem.
Comment 10 Sergio 2012-03-30 19:41:46 EDT
It's the same for the Adobe Flash plugin. Selinux makes it not work by default:

SELinux is preventing firefox from using the ptrace access on a process.

*****  Plugin catchall_boolean (89.3 confidence) suggests  *******************

If you want to allow sysadm to debug or ptrace all processes.
Then you must tell SELinux about this by enabling the 'deny_ptrace'boolean.
setsebool -P deny_ptrace 0

*****  Plugin catchall (11.6 confidence) suggests  ***************************

If you believe that firefox should be allowed ptrace access on processes labeled mozilla_plugin_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# grep firefox /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
Target Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
Target Objects                 [ process ]
Source                        firefox
Source Path                   firefox
Port                          <Unknown>
Host                          ***
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-106.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ***
Platform                      Linux athlon1700.casa 3.3.0-8.fc17.i686 #1 SMP Thu
                              Mar 29 18:34:49 UTC 2012 i686 i686
Alert Count                   11
First Seen                    Fri 30 Mar 2012 08:34:14 PM BRT
Last Seen                     Fri 30 Mar 2012 08:35:46 PM BRT
Local ID                      54e435d9-5cc3-4335-8c7e-6919fcce7a5b

Raw Audit Messages
type=AVC msg=audit(1333150546.406:319): avc:  denied  { ptrace } for  pid=2341 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=process

Hash: firefox,unconfined_t,mozilla_plugin_t,process,ptrace

audit2allowunable to open /sys/fs/selinux/policy:  Permission denied

audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied
Comment 11 Sergio 2012-03-30 20:17:52 EDT
setsebool -P deny_ptrace 0
didn't work (never completes the operation) but I temporarily disabled it without the -P option. That makes selinux not complain anymore but Flash still doesn't work in Firefox (Chrome's own Flash works but it never gave trouble with selinux so I'm guessing that it may be selinux that's preventing Flash to work properly in Firefox).
Comment 12 Sergio 2012-03-30 20:24:36 EDT
Sorry to spam this but I disabled selinux with 'setenforce 0' and Flash still doesn't work so it may be something else the issue.
Comment 13 Miroslav Grepl 2012-06-25 05:03:59 EDT
*** Bug 834768 has been marked as a duplicate of this bug. ***
Comment 14 Justin M. Forbes 2012-12-07 11:09:57 EST
Is this still an issue with 3.6.9 kernels?
Comment 15 Fedora End Of Life 2013-07-04 01:48:31 EDT
This message is a reminder that Fedora 17 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 17. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '17'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 17's end of life.

Bug Reporter:  Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 17 is end of life. If you 
would still like  to see this bug fixed and are able to reproduce it 
against a later version  of Fedora, you are encouraged  change the 
'version' to a later Fedora version prior to Fedora 17's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 16 Fedora End Of Life 2013-08-01 13:02:57 EDT
Fedora 17 changed to end-of-life (EOL) status on 2013-07-30. Fedora 17 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.