Daniel J Walsh wrote:
> If you want to try further experimentation, you can set the boolean
> allow_unconfined_nsplugin_transition and run the plugins confined.

First I needed to figure out what tool and how to set the boolean with a
GUI tool. I finally found out SELinux Administration was the GUI to use.
I filtered by nsp and checked the active box. Previously the active box
was not checked.
I hope I did this task right.
Starting Firefox had one error. After going to news.aol.com there were
many errors related to the plugin manager. This error was different than
the bulk of complaints.

SELinux is preventing plugin-config (nsplugin_config_t) "read" to
./nphelix.xpt (usr_t).

Raw Audit Messages:

host=HP-JCF7 type=AVC msg=audit(1203040934.973:257):
avc: denied { read } for pid=19723 comm="plugin-config"
name="nphelix.xpt" dev=sda6 ino=618113
scontext=unconfined_u:unconfined_r:nsplugin_config_t:s0
tcontext=system_u:object_r:usr_t:s0 tclass=file

host=HP-JCF7 type=SYSCALL msg=audit(1203040934.973:257): arch=40000003 syscall=33
success=no exit=-13 a0=80565a0 a1=4 a2=80565a0 a3=bfb70f58 items=0
ppid=19721 pid=19723 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0
egid=500 sgid=500 fsgid=500 tty=(none) ses=3 comm="plugin-config"
exe="/usr/lib/nspluginwrapper/plugin-config"
subj=unconfined_u:unconfined_r:nsplugin_config_t:s0 key=(null)

Other summaries were:
SELinux is preventing ...
npviewer.bin (nsplugin_t) "execmem" to <Unknown> (nsplugin_t).
npviewer.bin (nsplugin_t) "execstack" to <Unknown> (nsplugin_t).
npviewer.bin (nsplugin_t) "read write" to socket (unconfined_t).
*plugin-config (nsplugin_config_t) "read" to ./nphelix.xpt (usr_t).*
plugin-config (nsplugin_config_t) "read" to ./nphelix.xpt (usr_t).
plugin-config (nsplugin_config_t) "read" to ./nphelix.xpt (usr_t).
I'll file a bug report if more details are needed.
Jim