Description of problem:
I pulled up Gmail in Firefox and this alert popped up while it was loading.

SELinux is preventing plugin-containe from 'execmod' accesses on the file /opt/google/talkplugin/libnpgoogletalk.so.

***** Plugin mozplugger (99.1 confidence) suggests *************************

If you want to use the plugin package
Then you must turn off SELinux controls on the Firefox plugins.
Do
# setsebool unconfined_mozilla_plugin_transition 0

***** Plugin catchall (1.81 confidence) suggests ***************************

If you believe that plugin-containe should be allowed execmod access on the libnpgoogletalk.so file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep plugin-containe /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023
Target Context                system_u:object_r:bin_t:s0
Target Objects                /opt/google/talkplugin/libnpgoogletalk.so [ file ]
Source                        plugin-containe
Source Path                   plugin-containe
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages           google-talkplugin-3.17.0.0-1.i386
Policy RPM                    selinux-policy-3.11.1-91.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.8.8-202.fc18.i686 #1 SMP Wed Apr 17 23:46:26 UTC 2013 i686 i686
Alert Count                   3
First Seen                    2013-04-23 23:30:58 CDT
Last Seen                     2013-04-23 23:31:48 CDT
Local ID                      0166c38d-c9e0-4190-b000-bfcea15b9526

Raw Audit Messages
type=AVC msg=audit(1366777908.11:338): avc: denied { execmod } for pid=4310 comm="plugin-containe" path="/opt/google/talkplugin/libnpgoogletalk.so" dev="sda4" ino=271564 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file

Hash: plugin-containe,mozilla_plugin_t,bin_t,file,execmod

audit2allow

#============= mozilla_plugin_t ==============
allow mozilla_plugin_t bin_t:file execmod;

audit2allow -R
require {
	type bin_t;
	type mozilla_plugin_t;
	class file execmod;
}

#============= mozilla_plugin_t ==============
allow mozilla_plugin_t bin_t:file execmod;

Additional info:
hashmarkername: setroubleshoot
kernel:         3.8.8-202.fc18.i686
type:           libreport
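An added example, not part of the original report or of setroubleshoot: a small parser that reduces AVC denial records to the key shown on the report's "Hash:" line and to the rule audit2allow printed, so repeated alerts with one root cause can be triaged together. The first log record is the raw audit message from the report; the other two lines and all function names are constructed for this example.

```python
import re
from collections import Counter

# Record 1 is the raw audit message from the report; the SYSCALL line and
# the second AVC record are constructed for this example.
SAMPLE_LOG = '''\
type=AVC msg=audit(1366777908.11:338): avc: denied { execmod } for pid=4310 comm="plugin-containe" path="/opt/google/talkplugin/libnpgoogletalk.so" dev="sda4" ino=271564 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=SYSCALL msg=audit(1366777908.11:338): arch=40000003 syscall=125 success=no exit=-13 comm="plugin-containe"
type=AVC msg=audit(1366777958.20:341): avc: denied { execmod } for pid=4322 comm="plugin-containe" path="/opt/google/talkplugin/libnpgoogletalk.so" dev="sda4" ino=271564 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial record, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    if not {'comm', 'scontext', 'tcontext', 'tclass'} <= rec.keys():
        return None  # truncated record, nothing reliable to report
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type[:level]; policy rules are written on the type.
    rec['source_type'] = rec['scontext'].split(':')[2]
    rec['target_type'] = rec['tcontext'].split(':')[2]
    return rec

def denial_key(rec):
    """comm,source type,target type,class,perms: the layout of the 'Hash:' line."""
    return ','.join([rec['comm'], rec['source_type'], rec['target_type'],
                     rec['tclass'], ' '.join(rec['perms'])])

def allow_rule(rec):
    """The rule a local policy module would need in order to permit this denial."""
    p = rec['perms']
    perms = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
    return f"allow {rec['source_type']} {rec['target_type']}:{rec['tclass']} {perms};"

def summarize(log_text):
    """Count denials per key and collect the distinct rules they imply."""
    recs = [r for r in map(parse_avc, log_text.splitlines()) if r]
    return Counter(denial_key(r) for r in recs), sorted({allow_rule(r) for r in recs})

if __name__ == '__main__':
    counts, rules = summarize(SAMPLE_LOG)
    print(dict(counts), rules)
```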
I forgot to add that everything was working fine together until recently, possibly after updates in the last week or two.
Fixed in F19 and back ported to F18.
I apologize. Wrong bug.
# chcon -t textrel_shlib_t /opt/google/talkplugin/libnpgoogletalk.so
Will fix for now.
This is a bug in the Google talk plugin on i686 (x86_64 is not affected). The plugin is being built without basic security compiler flags. I have reached out to a person on the Google Chrome security team and he has indicated that he opened bugs internally to fix their non-Chrome products.

This is not an SELinux problem. This is SELinux showing the security weakness of 3rd party software. We apologize for this inconvenience. If you are willing to accept the weaker security protections necessary to allow this plugin to run, please follow the instructions in comment #4.
Since this is still happening with the next version of this plugin I've reported this to Google in the following post: http://productforums.google.com/d/topic/chat/tMXq0oshZ6w/discussion
*** Bug 967650 has been marked as a duplicate of this bug. ***
The code:
# grep plugin-containe /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
worked, and I use the code:
# setsebool unconfined_mozilla_plugin_transition 0
as root, and all was fine until I restarted the computer and had to do it again. Is there a more permanent solution to this bug?
(In reply to Eric Paris from comment #5)
> This is a bug in the Google talk plugin on i686 (x86_64 is not affected).
> The plugin is being built without basic security compiler flags. I have
> reached out to a person on the Google Chrome security team and he has
> indicated that he opened bugs internally to fix their non-Chrome products.
>
> This is not an SELinux problem. This is SELinux showing the security
> weakness of 3rd party software. We apologize for this inconvenience. If
> you are willing to accept the weaker security protections necessary to allow
> this plugin to run, please follow the instructions in comment #4.
Is that a permanent solution? Before I open Firefox I have to enter a code for gtalk to work.
What does
# matchpathcon /opt/google/talkplugin/libnpgoogletalk.so
(In reply to Miroslav Grepl from comment #10)
> What does
>
> # matchpathcon /opt/google/talkplugin/libnpgoogletalk.so
It didn't solve the problem. Whenever I restart I have to enter a temporary code for Gmail to work. When I enter "match" it didn't even give me temporary relief from this bug. I appreciate your time for helping me with this situation.
# setsebool -P unconfined_mozilla_plugin_transition 0
Will make it permanent.
(In reply to Daniel Walsh from comment #12)
> # setsebool -P unconfined_mozilla_plugin_transition 0
>
> Will make it permanent.
Thanks, that worked.