On Tue, Aug 18, 2009 at 11:54:24AM +0200, Christoph A. wrote:
> On 18.08.2009 11:11, Dominick Grift wrote:
> >> type=AVC msg=audit(1250580934.287:24730): avc: denied { execmem } for
> >> pid=4845 comm="firefox" scontext=xguest_u:xguest_r:mozilla_t:s0
> >> tcontext=xguest_u:xguest_r:mozilla_t:s0 tclass=process
> >
> > I have a feeling that this is due to a plugin that is not run in the nsplugin_t domain, but I might be wrong.
> > Can you confirm or deny that?
>
> flash-plugin is not (yet) installed for xguest
>
> other installed plugins:
>
> ls /usr/lib/mozilla/plugins
> librhythmbox-itms-detection-plugin.so libtotem-cone-plugin.so
> libtotem-gmp-plugin.so libtotem-mully-plugin.so
> libtotem-narrowspace-plugin.so
>
> > Afaik mozilla does not require { execmem }, but many of those crappy plugins do (for example flash-plugin).
> > In certain configurations those plugins do not get run in the designated nsplugin_t domain.
> >
> > In that case firefox runs them.
> >
> > I am not sure whether mozilla_t domain transitions to nsplugin_t at all.
> >
> > In practice I believe it does not matter all that much what needs it. You can allow or (silently) deny it.
>
> Silent deny would mean don't use firefox (because it crashes
> immediately after I start it, if execmem is not allowed).
>
> Does this imply that it has something to do with firefox rather than a
> specific plugin, or are all plugins loaded at startup?

Good question. I think it implies it has something to do with firefox. I guess you will have to allow it.

> > You can use audit2allow to create an add-on to the mozilla_t domain.
>
> I prefer to get it fixed upstream (if it is a bug) ;)
>
> thanks,
> Christoph
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list