Description of problem:
This alert appears by using gnash-plugin with Firefox-10.0.1 on Fedora-17.
htop lists a process very avid of CPU usage (nearly 100%); this process is '/usr/bin/Xorg ... -auth /var/run/gdm/auth-for-gdm...'.

Version-Release number of selected component (if applicable):
gnash-0.8.10-1.fc17.x86_64
libselinux-2.1.9-9.fc17.x86_64
libselinux-utils-2.1.9-9.fc17.x86_64
gnash-plugin-0.8.10-1.fc17.x86_64
libselinux-python-2.1.9-9.fc17.x86_64
selinux-policy-3.10.0-95.fc17.noarch
selinux-policy-targeted-3.10.0-95.fc17.noarch

How reproducible:
Always with Firefox

Setroubleshoot details:

SELinux is preventing /usr/bin/gtk-gnash from create access on the directory .gnash.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that gtk-gnash should be allowed create access on the .gnash directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep gtk-gnash /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:user_home_dir_t:s0
Target Objects                .gnash [ dir ]
Source                        gtk-gnash
Source Path                   /usr/bin/gtk-gnash
Port                          <Unknown>
Host                          local
Source RPM Packages           gnash-0.8.10-1.fc17.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-95.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     local
Platform                      Linux local 3.3.0-0.rc4.git1.4.fc17.x86_64 #1 SMP Wed Feb 22 01:14:38 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    Sat 03 Mar 2012 07:56:46 PM CET
Last Seen                     Sat 03 Mar 2012 07:56:46 PM CET
Local ID                      153599be-29e6-4112-80c9-223cccf49171

Raw Audit Messages
type=AVC msg=audit(1330801006.293:145): avc: denied { create } for pid=3682 comm="gtk-gnash" name=".gnash" scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir

type=SYSCALL msg=audit(1330801006.293:145): arch=x86_64 syscall=mkdir success=no exit=EACCES a0=23fbac8 a1=1c0 a2=1 a3=41 items=0 ppid=3680 pid=3682 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4 comm=gtk-gnash exe=/usr/bin/gtk-gnash subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)

Hash: gtk-gnash,mozilla_plugin_t,user_home_dir_t,dir,create

audit2allow
unable to open /sys/fs/selinux/policy: Permission denied

audit2allow -R
unable to open /sys/fs/selinux/policy: Permission denied
Sorry, maybe the information in the description is not linked to the SELinux denial.
I have updated selinux-policy to 3.10.0-96.fc17; now the problem is clearer to me. The SELinux alert says:

If you want to fix the label.
/home/sagitter/.gnash/SharedObjects/mail.google.com/wakeup.sol default label should be mozilla_home_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /home/sagitter/.gnash/SharedObjects/mail.google.com/wakeup.sol

In fact,

ls --scontext /home/sagitter/.gnash/*/*/*
unconfined_u:object_r:user_home_dir_t:s0 /home/sagitter/.gnash/SharedObjects/mail.google.com/wakeup.sol

so

/sbin/restorecon -v /home/sagitter/.gnash/SharedObjects/mail.google.com/wakeup.sol

should resolve the problem. Is it just an issue of relabeling?
Thanks.
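
Added example, not part of the original report or of setroubleshoot: a small Python triage helper that parses the AVC record quoted in the description, rebuilds the tuple shown on the report's "Hash:" line, and flags the case raised in the comment above, where the target's type differs from the policy default and relabeling is the first thing to check. The function names are hypothetical, and the default type is assumed to be supplied by the caller (on a live system it could be looked up with matchpathcon).

```python
import re

# Constructed sample: the AVC record from the report, joined onto one line.
AVC = ('type=AVC msg=audit(1330801006.293:145): avc: denied { create } for '
       'pid=3682 comm="gtk-gnash" name=".gnash" '
       'scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 '
       'tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir')

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field (third component) of user:role:type:level."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one AVC denial line; return None if it is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'perms': m.group('perms').split(),
        'source_type': context_type(fields['scontext']),
        'target_type': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
    }


def denial_hash(d):
    """comm,source type,target type,class,permission(s), as on the 'Hash:' line."""
    return ','.join([d['comm'], d['source_type'], d['target_type'],
                     d['tclass'], *d['perms']])


def label_mismatch(d, default_type):
    """True when the target's type is not the policy default for its path,
    so the label should be checked before any allow rule is generated."""
    return d['target_type'] != default_type


if __name__ == '__main__':
    denial = parse_avc(AVC)
    print(denial_hash(denial))
    print('check label first:', label_mismatch(denial, 'mozilla_home_t'))
```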