policy addition for mozilla
Richard Hally
rhally at mindspring.com
Fri Jul 9 23:56:50 UTC 2004
Colin Walters wrote:
> On Fri, 2004-07-09 at 01:13 -0400, Richard Hally wrote:
>
>>Attached (and below) is a diff of a one-line addition for
>>mozilla_macros.te from the selinux-policy-strict-sources-1.14.1-5.
>>
>>audit2allow generated the following from the avc denied messages I
>>received when trying to run Mozilla: allow staff_mozilla_t xdm_tmp_t:dir
>>{ search };
>
>
> Just running denials through audit2allow is generally the wrong thing.
> Often the denials are symptomatic of deeper problems like mislabeled
> files, or deep design issues (e.g. GConf), or simply bugs in the
> software (like mdadm opening files in /proc read/write), or
> configuration problems (running Postfix chrooted).
>
> In this particular case, having Mozilla able to access the XDM
> temporary files is almost certainly the wrong solution. In order to
> diagnose it we need to know what file it was accessing (information
> contained in the raw dmesg output, but not in audit2allow) and what you
> were doing at the time.
Here are the avc denied messages from trying to start the Mozilla web
browser. When I say "trying to start" I mean clicking on the Mozilla icon
on the panel and watching the hour-glass cursor spin for a while, and
then it goes away: "nothing happens". BTW, the load_policy messages are
there because I had to "enableaudit" when building the policy to get the avc
messages. This behavior started a couple of weeks ago. Previously
Mozilla had worked in enforcing mode.
Also, further below are a couple of avc denied messages from booting that
may be related to the problem, as they have to do with xdm. They refer to
a different file (.ICE-unix vice .X11-unix) but may be related. There
was a bug having to do with this xdm problem (bug 127099).
Jul 8 23:51:35 new2 kernel: audit(1089345095.411:0): avc: granted { load_policy } for pid=4238 exe=/usr/sbin/load_policy scontext=root:sysadm_r:load_policy_t tcontext=system_u:object_r:security_t tclass=security
Jul 8 23:51:36 new2 kernel: security: 6 users, 7 roles, 1273 types, 1 bools
Jul 8 23:51:36 new2 kernel: security: 51 classes, 345889 rules
Jul 8 23:52:07 new2 kernel: audit(1089345127.662:0): avc: granted { load_policy } for pid=4296 exe=/usr/sbin/load_policy scontext=root:sysadm_r:load_policy_t tcontext=system_u:object_r:security_t tclass=security
Jul 8 23:52:07 new2 kernel: security: 6 users, 7 roles, 1273 types, 1 bools
Jul 8 23:52:07 new2 kernel: security: 51 classes, 304966 rules
Jul 8 23:52:15 new2 kernel: audit(1089345135.764:0): avc: denied { search } for pid=4315 exe=/usr/lib/mozilla-1.7/mozilla-xremote-client name=.X11-unix dev=hda2 ino=1840558 scontext=richard:staff_r:staff_mozilla_t tcontext=system_u:object_r:xdm_tmp_t tclass=dir
Jul 8 23:52:15 new2 kernel: audit(1089345135.772:0): avc: denied { search } for pid=4301 exe=/usr/lib/mozilla-1.7/mozilla-xremote-client name=.X11-unix dev=hda2 ino=1840558 scontext=richard:staff_r:staff_mozilla_t tcontext=system_u:object_r:xdm_tmp_t tclass=dir
from booting:
Jul 8 14:45:44 new2 kernel: audit(1089312344.553:0): avc: denied { setattr } for pid=2513 exe=/usr/bin/gdm-binary name=.ICE-unix dev=hda2 ino=1840546 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:xdm_xserver_tmp_t tclass=dir
Jul 8 14:45:44 new2 kernel: audit(1089312344.554:0): avc: denied { setattr } for pid=2513 exe=/usr/bin/gdm-binary name=.ICE-unix dev=hda2 ino=1840546 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:xdm_xserver_tmp_t tclass=dir
HTH
Richard Hally
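The point Colin makes above is that audit2allow collapses each denial to (source type, target type, class, permission) and throws away the name= and exe= fields that say which object was actually touched. The following Python is an added example, not code from this thread or from audit2allow: it parses AVC records in the format quoted above, produces the merged allow rules audit2allow would print (an approximation of its output, not its implementation), and alongside each rule keeps the object names and executables so the reader can see that the "xdm_tmp_t" being searched is the .X11-unix socket directory rather than arbitrary XDM temporary files. The sample log is constructed from the records quoted in the message, re-joined onto one line each.

```python
import re
from dataclasses import dataclass

# Constructed sample log: the AVC records quoted in the message above,
# re-joined onto one line each (syslog had wrapped them).
SAMPLE_LOG = """\
Jul 8 23:51:35 new2 kernel: audit(1089345095.411:0): avc: granted { load_policy } for pid=4238 exe=/usr/sbin/load_policy scontext=root:sysadm_r:load_policy_t tcontext=system_u:object_r:security_t tclass=security
Jul 8 23:51:36 new2 kernel: security: 6 users, 7 roles, 1273 types, 1 bools
Jul 8 23:52:15 new2 kernel: audit(1089345135.764:0): avc: denied { search } for pid=4315 exe=/usr/lib/mozilla-1.7/mozilla-xremote-client name=.X11-unix dev=hda2 ino=1840558 scontext=richard:staff_r:staff_mozilla_t tcontext=system_u:object_r:xdm_tmp_t tclass=dir
Jul 8 23:52:15 new2 kernel: audit(1089345135.772:0): avc: denied { search } for pid=4301 exe=/usr/lib/mozilla-1.7/mozilla-xremote-client name=.X11-unix dev=hda2 ino=1840558 scontext=richard:staff_r:staff_mozilla_t tcontext=system_u:object_r:xdm_tmp_t tclass=dir
Jul 8 14:45:44 new2 kernel: audit(1089312344.553:0): avc: denied { setattr } for pid=2513 exe=/usr/bin/gdm-binary name=.ICE-unix dev=hda2 ino=1840546 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:xdm_xserver_tmp_t tclass=dir
"""

# "avc: denied { search } for pid=... exe=... name=... scontext=... tcontext=... tclass=dir"
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Avc:
    verdict: str   # "denied" or "granted"
    perms: tuple   # permissions inside the braces, e.g. ("search",)
    fields: dict   # key=value pairs: pid, exe, name, dev, ino, scontext, tcontext, tclass


def parse_avc(line):
    """Parse one syslog/dmesg line; return an Avc, or None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return Avc(m.group("verdict"),
               tuple(m.group("perms").split()),
               dict(FIELD_RE.findall(m.group("rest"))))


def parse_log(text):
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r is not None]


def type_of(context):
    """user:role:type[:range] -> type; the only component an allow rule uses."""
    return context.split(":")[2]


def rule_key(rec):
    return (type_of(rec.fields["scontext"]), type_of(rec.fields["tcontext"]), rec.fields["tclass"])


def format_rule(key, perms):
    source, target, tclass = key
    return f"allow {source} {target}:{tclass} {{ {' '.join(sorted(perms))} }};"


def group_denials(records):
    """Merge denied records per (source type, target type, class), keeping the
    name= and exe= fields that audit2allow's output does not show."""
    groups = {}
    for rec in records:
        if rec.verdict != "denied":
            continue
        g = groups.setdefault(rule_key(rec), {"perms": set(), "names": set(), "exes": set(), "count": 0})
        g["perms"].update(rec.perms)
        g["names"].add(rec.fields.get("name", "?"))
        g["exes"].add(rec.fields.get("exe", "?"))
        g["count"] += 1
    return groups


def allow_rules(records):
    """Approximately what audit2allow prints: one allow rule per type/class triple."""
    return [format_rule(k, g["perms"]) for k, g in sorted(group_denials(records).items())]


def triage(records):
    """Same rules, mapped to the objects and executables behind them."""
    return {format_rule(k, g["perms"]): g for k, g in group_denials(records).items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for rule in allow_rules(recs):
        print(rule)
    print()
    for rule, info in triage(recs).items():
        print(f"{rule}  # {info['count']}x  name={sorted(info['names'])}  exe={sorted(info['exes'])}")
```

Run against the sample, the first loop prints exactly the one-line rule Richard proposed plus a second rule for the gdm setattr denials; the second loop shows that the only object behind "xdm_tmp_t" here is .X11-unix, touched by mozilla-xremote-client, which is the information Colin asks for before deciding whether the rule, a relabel, or a policy fix elsewhere is the right answer.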