On 05/09/2016 12:19 PM, CS DBA wrote:
> Hi All;
>
> I'm running Fedora 23 KDE Spin. After a recent firefox update (I'm now at
> Firefox 46.0.1) I've been getting these SELINUX alerts:
>
> The source process: 57656220436F6E74656E74
> Attempted this access: create
> On this rawip_socket:
>
> The alert gives me 2 choices:
>
> 1) If I want to use the plugin package:
> you must turn off SELinux controls on the Firefox plugins.
> # setsebool -P unconfined_mozilla_plugin_transition 0
>
> 2) If I believe that 57656220436F6E74656E74 should be allowed to create
> access on the Unknown rawip_socket by default:
> You should report this as a bug.
> You can generate a local policy module to allow this access.
> Allow this access for now by executing:
> # ausearch -c 57656220436F6E74656E74 --raw | audit2allow -M mypol
> # semodule -i mypol.pp
>
> If I click on "Plugin Details" I get this:
>
> SELinux is preventing 57656220436F6E74656E74 from create access on the
> rawip_socket Unknown.
>
> Plugin: catchall
> you want to allow 57656220436F6E74656E74 to have create access on the
> Unknown rawip_socket
> If you believe that 57656220436F6E74656E74 should be allowed create access
> on the Unknown rawip_socket by default.
> You should report this as a bug.
> You can generate a local policy module to allow this access.
> Allow this access for now by executing:
> # ausearch -c 57656220436F6E74656E74 --raw | audit2allow -M mypol
> # semodule -i mypol.pp
>
> Thoughts? Is this a bug? Should I run the setsebool command to allow access?

Smells fishy. I can't see an Internet website having any legitimate need
to open a raw IP socket and I really don't see Firefox needing to do such
a thing for normal operations. A web interface to an internal process,
perhaps, but not a website.

BTW, the digits given, if used as a hex representation of a string,
equate to "Web content". Hmmmmmmmmm.........

I sure as heck wouldn't enable the boolean or add a policy.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital    ricks@xxxxxxxxxxxxxx -
- AIM/Skype: therps2        ICQ: 226437340           Yahoo: origrps2 -
-                                                                    -
-    I haven't lost my mind. It's backed up on tape somewhere, but   -
-                       probably not recoverable.                    -
----------------------------------------------------------------------
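
The alert shows the process name as 57656220436F6E74656E74 because the audit subsystem hex-encodes a comm value that contains a space. The following is an added example, not part of the original thread, that decodes that field from raw AVC records and lists the rawip_socket denials; the sample records (pids, timestamps, SELinux contexts) are constructed for illustration.

```python
import re

# Constructed sample records (not from the original post); pids, timestamps
# and SELinux contexts are placeholders chosen for illustration.
SAMPLE = """\
type=AVC msg=audit(1462818000.123:456): avc:  denied  { create } for  pid=4321 comm=57656220436F6E74656E74 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0 tclass=rawip_socket permissive=0
type=AVC msg=audit(1462818001.500:457): avc:  denied  { read } for  pid=999 comm="sshd" name="shadow" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_audit_string(value):
    """Decode an audit string field: quoted means literal, bare hex means encoded."""
    if value.startswith('"'):
        return value.strip('"')
    # The kernel writes the value as bare hex when it contains a space,
    # a double quote or a non-printable byte.
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", value):
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    return value

def parse_avc(line):
    """Return the denial's fields as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["comm"] = decode_audit_string(rec.get("comm", ""))
    rec["perms"] = m.group("perms").split()
    return rec

def socket_denials(log_text, tclass="rawip_socket"):
    """List (comm, perms, scontext) for every denial on the given object class."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec.get("tclass") == tclass:
            hits.append((rec["comm"], rec["perms"], rec.get("scontext")))
    return hits

if __name__ == "__main__":
    for comm, perms, scontext in socket_denials(SAMPLE):
        print(f"{comm!r} denied {perms} on rawip_socket from {scontext}")
```

On a live system, `ausearch -i` performs the same decoding when it interprets records.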