Re: Firefox & Sandbox - F14

On 06/01/2011 08:22 PM, Jorge Fábregas wrote:
> sandbox -X -t sandbox_web_t firefox
> 
> but it quits right away.  A message on syslog from the kernel facility
> shows:

Ok, now that I got the SELinux Alert Browser, here's the info:

SELinux is preventing /bin/bash from execute_no_trans access on the file
/usr/lib/xulrunner-2/xulrunner.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that bash should be allowed execute_no_trans access on
the xulrunner file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep xulrunner2 /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context
Source Context                unconfined_u:unconfined_r:sandbox_web_client_t:s0:c384,c590
Target Context                system_u:object_r:lib_t:s0
Target Objects                /usr/lib/xulrunner-2/xulrunner [ file ]
Source                        xulrunner2
Source Path                   /bin/bash
Port                          <Unknown>
Host                          biodora.local
Source RPM Packages           bash-4.1.7-3.fc14
Target RPM Packages           xulrunner2-2.0.1-1.fc14.remi
Policy RPM                    selinux-policy-3.9.7-40.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     biodora.local
Platform                      Linux biodora.local 2.6.35.13-91.fc14.i686 #1 SMP Tue May 3 13:36:36 UTC 2011 i686 i686
Alert Count                   1
First Seen                    Wed 01 Jun 2011 08:25:41 PM AST
Last Seen                     Wed 01 Jun 2011 08:25:41 PM AST
Local ID                      37b97c4a-44be-4931-a343-7f656f2ad5f1

Raw Audit Messages
type=AVC msg=audit(1306974341.382:23913): avc:  denied  { execute_no_trans } for  pid=4201 comm="xulrunner2" path="/usr/lib/xulrunner-2/xulrunner" dev=sda1 ino=393246 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c384,c590 tcontext=system_u:object_r:lib_t:s0 tclass=file


I guess I'm out of warranty here :>)   I forgot I wasn't running the
stock Firefox. I'm running the one from the REMI repo (along with
xulrunner) in order to run the latest Firefox.  I'll create the local
policy then and would not submit any bug as I think this doesn't happen
with the regular packages.

Cheers,
Jorge
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux


