libreport version: 2.0.10 executable: /usr/bin/python2.7 hashmarkername: setroubleshoot kernel: 3.3.2-1.fc17.i686.PAE time: Пт. 20 апр. 2012 08:39:13 description: :SELinux is preventing /usr/lib/xulrunner-2/plugin-container from 'execute' accesses on the file /opt/Citrix/ICAClient/wfica. : :***** Plugin catchall_labels (83.8 confidence) suggests ******************** : :If you want to allow plugin-container to have execute access on the wfica file :Then you need to change the label on /opt/Citrix/ICAClient/wfica :Do :# semanage fcontext -a -t FILE_TYPE '/opt/Citrix/ICAClient/wfica' :where FILE_TYPE is one of the following: mozilla_exec_t, mozilla_home_t, lpr_exec_t, abrt_helper_exec_t, mozilla_plugin_exec_t, textrel_shlib_t, mplayer_exec_t, mozilla_plugin_tmp_t, bin_t, shell_exec_t, pulseaudio_exec_t, lib_t, ld_so_t. :Then execute: :restorecon -v '/opt/Citrix/ICAClient/wfica' : : :***** Plugin catchall (17.1 confidence) suggests *************************** : :If you believe that plugin-container should be allowed execute access on the wfica file by default. :Then you should report this as a bug. :You can generate a local policy module to allow this access. :Do :allow this access for now by executing: :# grep plugin-containe /var/log/audit/audit.log | audit2allow -M mypol :# semodule -i mypol.pp : :Additional Information: :Source Context unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c : 0.c1023 :Target Context system_u:object_r:usr_t:s0 :Target Objects /opt/Citrix/ICAClient/wfica [ file ] :Source plugin-containe :Source Path /usr/lib/xulrunner-2/plugin-container :Port <Unknown> :Host (removed) :Source RPM Packages xulrunner-11.0-3.fc17.i686 :Target RPM Packages ICAClient-12.0.0-0.i386 :Policy RPM selinux-policy-3.10.0-116.fc17.noarch :Selinux Enabled True :Policy Type targeted :Enforcing Mode Enforcing :Host Name (removed) :Platform Linux (removed) 3.3.2-1.fc17.i686.PAE #1 SMP Fri Apr 13 : 20:44:48 UTC 2012 i686 i686 :Alert Count 1 :First Seen Пт. 20 апр. 2012 08:38:18 :Last Seen Пт. 20 апр. 2012 08:38:18 :Local ID 2810905b-976b-428c-b798-f2a85c2c8a03 : :Raw Audit Messages :type=AVC msg=audit(1334889498.255:104): avc: denied { execute } for pid=9638 comm="plugin-containe" name="wfica" dev="sda2" ino=285652 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file : : :type=SYSCALL msg=audit(1334889498.255:104): arch=i386 syscall=access success=no exit=EACCES a0=b5b79fea a1=1 a2=b5b79118 a3=b5b78701 items=0 ppid=8632 pid=9638 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=5 comm=plugin-containe exe=/usr/lib/xulrunner-2/plugin-container subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null) : :Hash: plugin-containe,mozilla_plugin_t,usr_t,file,execute : :audit2allowunable to open /sys/fs/selinux/policy: Permission denied : : :audit2allow -Runable to open /sys/fs/selinux/policy: Permission denied : :
Try to change labeling to bin_t # chcon -t bin_t /opt/Citrix/ICAClient/wfica If this works, just use the semanage command how sealert tells you.
I just checked in code to allow mozilla_plugin to execute usr_t files, since we will not know where layerd products put executables.