On Tue, Aug 18, 2009 at 10:22:26AM +0200, Christoph A. wrote:
> Hi,
>
> I wanted to try the xguest user, but firefox always crashed on startup.
>
> This AVC appears many times in the logs:
>
> type=AVC msg=audit(1250580934.287:24730): avc: denied { execmem } for
> pid=4845 comm="firefox" scontext=xguest_u:xguest_r:mozilla_t:s0
> tcontext=xguest_u:xguest_r:mozilla_t:s0 tclass=process
I have a feeling that this is due to a plugin that i not run in the nsplugin_t domain, but i might be wrong.
Can you confirm or deny that?
Afaik mozilla does not require { execmem }, but many of those crappy plugins do ( for example flash-plugin ).
I certain configurations those plugins do not get run in the designated nsplugin_t domain.
In that case firefox runs them.
I am not sure whether mozilla_t domain transitions to nsplugin_t at all.
In practice i believe it does not matter all that much what needs it. You can allow or (silently) deny it.
You can use audit2allow to create an add-on to the mozilla_t domain.
Pipe the particular AVC denial into audit2allow -M mymozilla; semodule -i mymozilla.pp
>
>
> execmem is not allowed:
> getsebool -a|grep execmem
> allow_execmem --> off
>
> Allowing execmem resolves the problem, but is there a better solution
> for this?
>
> Another question:
>
> I would like to make some permanent changes to the xguest account
> (keyboard layout, safe passphrase for wifi access, set keyring pw,
> remove some icons,...)
> How can I as admin do that?
>
> thanks,
> Christoph
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Attachment:
pgpSonqC5AYMb.pgp
Description: PGP signature
-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
