Version-Release number of selected component (if applicable):
selinux-policy-3.10.0-118.fc17.noarch

How reproducible:
the first time I tried to open the page on an installed system, but always on fresh install

Steps to Reproduce:
1. run firefox
2. open a webpage that needs a plugin to display correctly (http://blog.mozilla.org worked for me)

Actual results:
avc denial

Expected results:
no avc denial
This would require us to allow mozilla_plugin_t to create home_cert_t. Is there value in blocking plugins from writing to cert content?
Miroslav, can you try this in permissive mode to see what mozilla_plugin_t writes to the ~/.pki directory?
Ok, I see
# ls -lZ /home/mgrepl/.pki/nssdb
#
and the following AVC
avc: denied { create } for pid=1737 comm="totem-plugin-vi" name=".pki" scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
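An added example, not part of the original bug comments: a small Python parser that splits an AVC record like the one quoted above into source domain, target type, object class and permissions, and renders the literal allow rule the denial corresponds to. The function names and the sample string are constructed for illustration.

```python
import re

# Constructed sample, based on the denial quoted in this report.
SAMPLE = ('avc: denied { create } for pid=1737 comm="totem-plugin-vi" name=".pki" '
          'scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 '
          'tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir')

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally quoted


def split_context(ctx):
    """Split user:role:type[:mls-range]; the MLS range may itself contain ':'."""
    parts = ctx.split(':', 3)
    if len(parts) < 3:
        raise ValueError('not an SELinux context: %r' % ctx)
    return {'user': parts[0], 'role': parts[1], 'type': parts[2],
            'level': parts[3] if len(parts) == 4 else None}


def parse_avc(line):
    """Return a dict describing the AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    if not all(k in fields for k in ('scontext', 'tcontext', 'tclass')):
        return None  # truncated record: cannot name source, target and class
    return {'result': m.group('result'),
            'perms': m.group('perms').split(),
            'comm': fields.get('comm'),
            'name': fields.get('name'),
            'source': split_context(fields['scontext']),
            'target': split_context(fields['tcontext']),
            'tclass': fields['tclass']}


def raw_allow_rule(avc):
    """Literal rule matching the denial; a reviewer still decides if it is wanted."""
    perms = avc['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow %s %s:%s %s;' % (avc['source']['type'], avc['target']['type'],
                                   avc['tclass'], perm_str)


if __name__ == '__main__':
    print(raw_allow_rule(parse_avc(SAMPLE)))
```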
Ok, I am going to allow it. Fixed in selinux-policy-3.10.0-121.fc17, although I am not thrilled with the idea.
Ok. Filip, good catch.
selinux-policy-3.10.0-121.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-121.fc17
Package selinux-policy-3.10.0-121.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-121.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-7313/selinux-policy-3.10.0-121.fc17
then log in and leave karma (feedback).
selinux-policy-3.10.0-121.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.