On Tue, Aug 18, 2009 at 11:54:24AM +0200, Christoph A. wrote:
> On 18.08.2009 11:11, Dominick Grift wrote:
> >> type=AVC msg=audit(1250580934.287:24730): avc: denied { execmem } for
> >> pid=4845 comm="firefox" scontext=xguest_u:xguest_r:mozilla_t:s0
> >> tcontext=xguest_u:xguest_r:mozilla_t:s0 tclass=process
> >
> > I have a feeling that this is due to a plugin that i not run in the nsplugin_t domain, but i might be wrong.
> > Can you confirm or deny that?
>
> flash-plugin is not (yet) installed for xguest
>
> other installed plugins:
>
> ls /usr/lib/mozilla/plugins
> librhythmbox-itms-detection-plugin.so libtotem-cone-plugin.so
> libtotem-gmp-plugin.so libtotem-mully-plugin.so
> libtotem-narrowspace-plugin.so
>
>
> > Afaik mozilla does not require { execmem }, but many of those crappy plugins do ( for example flash-plugin ).
> > I certain configurations those plugins do not get run in the designated nsplugin_t domain.
> >
> > In that case firefox runs them.
> >
> > I am not sure whether mozilla_t domain transitions to nsplugin_t at all.
> >
> > In practice i believe it does not matter all that much what needs it. You can allow or (silently) deny it.
>
> Silent deny would mean don't use firefox (because it crashes
> immediately after I start it, if execmem is not allowed).
>
> Does this imply that it has something to do with firefox rather than a
> specific plugin, or are all plugins loaded at startup?
Good question. I think it implies it has something to do with firefox.
i guess you will have to allow it.
>
>
> > You can use audit2allow to create an add-on to the mozilla_t domain.
> I prefer to get it fixed upstream (it it is a bug) ;)
>
> thanks,
> Christoph
>
>
>
Attachment:
pgpBnObrL0cOh.pgp
Description: PGP signature
-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
