Red Hat Bugzilla – Bug 799584
SELinux is preventing /usr/lib64/firefox/firefox from using the 'ptrace' accesses on a process.
Last modified: 2013-08-01 13:02:57 EDT
libreport version: 2.0.8 executable: /usr/bin/python hashmarkername: setroubleshoot kernel: 3.3.0-0.rc5.git3.1.fc17.x86_64 reason: SELinux is preventing /usr/lib64/firefox/firefox from using the 'ptrace' accesses on a process. time: sob, 3 mar 2012, 09:35:44 description: :SELinux is preventing /usr/lib64/firefox/firefox from using the 'ptrace' accesses on a process. : :***** Plugin catchall_boolean (89.3 confidence) suggests ******************* : :If aby deny_ptrace :Then należy powiadomić o tym SELinuksa włączając zmienną logiczną "deny_ptrace". :Do :setsebool -P deny_ptrace 0 : :***** Plugin catchall (11.6 confidence) suggests *************************** : :If jeśli firefox powinno mieć domyślnie ptrace dostęp do procesów z etykietami mozilla_plugin_t. :Then proszę to zgłosić jako błąd. :Można utworzyć lokalny moduł polityki, aby umożliwić ten dostęp. :Do :można tymczasowo zezwolić na ten dostęp wykonując polecenia: :# grep firefox /var/log/audit/audit.log | audit2allow -M mojapolityka :# semodule -i mojapolityka.pp : :Additional Information: :Source Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 : 023 :Target Context unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c : 0.c1023 :Target Objects [ process ] :Source firefox :Source Path /usr/lib64/firefox/firefox :Port <Nieznane> :Host (removed) :Source RPM Packages firefox-10.0.1-1.fc17.x86_64 :Target RPM Packages :Policy RPM selinux-policy-3.10.0-95.fc17.noarch :Selinux Enabled True :Policy Type targeted :Enforcing Mode Enforcing :Host Name (removed) :Platform Linux (removed) 3.3.0-0.rc5.git3.1.fc17.x86_64 #1 : SMP Wed Feb 29 21:22:11 UTC 2012 x86_64 x86_64 :Alert Count 10 :First Seen sob, 3 mar 2012, 09:31:48 :Last Seen sob, 3 mar 2012, 09:33:05 :Local ID 58e7cc30-5260-4a9c-a2e7-eb37d9eea711 : :Raw Audit Messages :type=AVC msg=audit(1330763585.690:262): avc: denied { ptrace } for pid=6114 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=process : : :type=SYSCALL msg=audit(1330763585.690:262): arch=x86_64 syscall=ptrace success=no exit=EACCES a0=10 a1=188f a2=0 a3=0 items=0 ppid=1 pid=6114 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=24 comm=firefox exe=/usr/lib64/firefox/firefox subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) : :Hash: firefox,unconfined_t,mozilla_plugin_t,process,ptrace : :audit2allowunable to open /sys/fs/selinux/policy: Permission denied : : :audit2allow -Runable to open /sys/fs/selinux/policy: Permission denied : :
I am not sure this is clear from the bug description, but it renders gecko-mediaplayer (in RPM Fusion) completely unusable. It shows the firefox plugin error window every time.
Yes, we deny this access by default. http://danwalsh.livejournal.com/49336.html You will need to do what setroubleshoot suggest in this case. :If aby deny_ptrace :Then należy powiadomić o tym SELinuksa włączając zmienną logiczną "deny_ptrace". :Do :setsebool -P deny_ptrace 0
Hmm, can't we grant exceptions so that packages from repositories work as expected (I am the gecko-mediaplayer maintainer)? Or is it wrong that gecko-mediaplayer requires such access?
As a side note, what setroubleshoot says is hardly Polish - actually I am having hard time understanding it and I am a native speaker ;)
I am sorry for re-opening this, but I would like a more detailed explanation. To me it seems wrong that a firefox plugin does not work by default and requires SELinux tweaks.
Well we are hoping to get a fix to the kernel to allow parent processes to ptrace their children, but even with that this seems like a strange behaviour. Why is firefox examining the memory of the plugin?
Well, I have no idea frankly speaking. Kevin (the plugin author) suspected the sandboxing.
Yes I believe this is related to the way the chrome process figures out information running within the sandbox. I remember hearing how convoluted the handling of the chrome sandbox was, and I believe there was something about figuring out the PID, which might be causing this problem.
Oops this is firefox, but chrome is having a similar problem.
It's the same for the Adobe Flash plugin. Selinux makes it not work by default: SELinux is preventing firefox from using the ptrace access on a process. ***** Plugin catchall_boolean (89.3 confidence) suggests ******************* If you want to allow sysadm to debug or ptrace all processes. Then you must tell SELinux about this by enabling the 'deny_ptrace'boolean. Do setsebool -P deny_ptrace 0 ***** Plugin catchall (11.6 confidence) suggests *************************** If you believe that firefox should be allowed ptrace access on processes labeled mozilla_plugin_t by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep firefox /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Context unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c 0.c1023 Target Objects [ process ] Source firefox Source Path firefox Port <Unknown> Host *** Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.10.0-106.fc17.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name *** Platform Linux athlon1700.casa 3.3.0-8.fc17.i686 #1 SMP Thu Mar 29 18:34:49 UTC 2012 i686 i686 Alert Count 11 First Seen Fri 30 Mar 2012 08:34:14 PM BRT Last Seen Fri 30 Mar 2012 08:35:46 PM BRT Local ID 54e435d9-5cc3-4335-8c7e-6919fcce7a5b Raw Audit Messages type=AVC msg=audit(1333150546.406:319): avc: denied { ptrace } for pid=2341 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=process Hash: firefox,unconfined_t,mozilla_plugin_t,process,ptrace audit2allowunable to open /sys/fs/selinux/policy: Permission denied audit2allow -Runable to open /sys/fs/selinux/policy: Permission denied
setsebool -P deny_ptrace 0 didn't work (never completes the operation) but I temporarily disabled it without the -P option. That makes selinux not complain anymore but Flash still doesn't work in Firefox (Chrome's own Flash works but it never gave trouble with selinux so I'm guessing that it may be selinux that's preventing Flash to work properly in Firefox).
Sorry to spam this but I disabled selinux with 'setenforce 0' and Flash still doesn't work so it may be something else the issue.
*** Bug 834768 has been marked as a duplicate of this bug. ***
Is this still an issue with 3.6.9 kernels?
This message is a reminder that Fedora 17 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 17. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '17'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 17's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 17 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior to Fedora 17's end of life. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 17 changed to end-of-life (EOL) status on 2013-07-30. Fedora 17 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed.