On 23 June 2011 13:22, Daniel J Walsh dwalsh@redhat.com wrote:
> On 06/23/2011 06:29 AM, GSO wrote:
>> This thread went offline, however to bring things back online, it appears at least the binary download (running on SL6) of Firefox 5 just released does not work in the sandbox either. The SELinux audit messages are:
>> Jun 22 21:40:22 localhost kernel: SELinux: Permission audit_access in class dir not defined in policy.
>> Jun 22 21:40:22 localhost kernel: SELinux: Permission execmod in class dir not defined in policy.
>> Jun 22 21:40:22 localhost kernel: SELinux: Permission audit_access in class lnk_file not defined in policy.
>> Jun 22 21:40:22 localhost kernel: SELinux: Permission open in class lnk_file not defined in policy.
>> Jun 22 21:40:22 localhost kernel: SELinux: Permission execmod in class lnk_file not defined in policy.
>> Jun 22 21:40:22 localhost kernel: SELinux: Permission audit_access in class chr_file not defined in policy.
>> Jun 22 21:40:22 localhost kernel: SELinux: Permission audit_access in class blk_file not defined in policy.
>> Jun 22 21:40:22 localhost kernel: SELinux: Permission execmod in class blk_file not defined in policy.
>> Jun 22 21:40:22 localhost kernel: SELinux: Permission audit_access in class sock_file not defined in policy.
>> Jun 22 21:40:22 localhost kernel: SELinux: Permission execmod in class sock_file not defined in policy.
>> Jun 22 21:40:22 localhost kernel: SELinux: Permission audit_access in class fifo_file not defined in policy.
>> Jun 22 21:40:22 localhost kernel: SELinux: Permission execmod in class fifo_file not defined in policy.
>> Jun 22 21:40:22 localhost kernel: SELinux: Permission syslog in class capability2 not defined in policy.
>> Jun 22 21:40:22 localhost kernel: SELinux: the above unknown classes and permissions will be allowed
>> Jun 22 21:40:24 localhost dbus: avc: received policyload notice (seqno=5)
>> Jun 22 21:40:24 localhost dbus: avc: received policyload notice (seqno=5)
>> Jun 22 21:40:24 localhost dbus: avc: received policyload notice (seqno=5)
>> Jun 22 21:40:24 localhost dbus: avc: received policyload notice (seqno=5)
>> Jun 22 21:40:24 localhost dbus: avc: received policyload notice (seqno=5)
>> Jun 22 21:40:24 localhost dbus: [system] Reloaded configuration
>> The sandbox window starts up but crashes before any sign of FF materialises, works fine in permissive mode or unsandboxed otherwise. I've put the FF binaries in /opt.
>> On 19 June 2011 17:53, Dominick Grift <domg472@gmail.com> wrote:
>>> On Sun, 2011-06-19 at 13:57 +0100, GSO wrote:
>>>> The default build using the google repos results in chromium grinding to a halt with a black window when run in a sandbox. Is it technically possible to run chrome in a sandbox, would building from source fix this at all?
>>> I do not think it will work since both sandbox and chrome use namespace and chrome can't run if sandbox already runs in a namespace (or something along those lines is my understanding of this issue)
>> --
>> selinux mailing list
>> selinux@lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> I looked for firefox5 x86_64 and did not quickly find it, if you know where there is a link, I will look into what is going on, otherwise I will wait until Fedora packages it. It does seem strange that you are getting those
> Permission audit_access in class sock_file not defined in policy.
> errors. What OS are you using? What kernel?
That was Scientific Linux 6, I was also running Tor (through openvpn), so that might have complicated matters. I had also been messing around with Tor to get it to send all net traffic through tor, and the install was tainted at that point (I never was able to get that to work, similar SELinux audit errors to the above funnily enough). I had also built and installed the latest kernel as I have to do to get my webcams working (2 cams I have do not work with the default RHEL6 kernel).
However I've just installed the Fedora security spin, should be an untainted install (I am 'under attack' here!), Firefox 5 likewise crashes, though with no SELinux audit messages in /var/log/messages as far as I can see (just a few 'received policyload notice' lines).
Likewise chromium grinds to a halt at the usual black background, no SELinux audit messages again, not even the 'policyload' notice ones (assuming I've got it set up properly to report them).
On 06/23/2011 06:25 PM, GSO wrote:
> That was Scientific Linux 6, I was also running Tor (through openvpn), so that might have complicated matters. I had also been messing around with Tor to get it to send all net traffic through tor, and the install was tainted at that point (I never was able to get that to work, similar SELinux audit errors to the above funnily enough). I had also built and installed the latest kernel as I have to do to get my webcams working (2 cams I have do not work with the default RHEL6 kernel).
> However I've just installed the Fedora security spin, should be an untainted install (I am 'under attack' here!), Firefox 5 likewise crashes, though with no SELinux audit messages in /var/log/messages as far as I can see (just a few 'received policyload notice' lines).
> Likewise chromium grinds to a halt at the usual black background, no SELinux audit messages again, not even the 'policyload' notice ones (assuming I've got it set up properly to report them).
Well I know Chrome does not run under the sandbox. On firefox5 try to turn off dontaudit rules and see if it generates any AVC messages
# semodule -DB
sandbox -X -t sandbox_web_t -W metacity firefox5
# ausearch -m avc -ts recent
# semodule -B
On 24 June 2011 13:56, Daniel J Walsh dwalsh@redhat.com wrote:
> .... Well I know Chrome does not run under the sandbox. On firefox5 try to turn off dontaudit rules and see if it generates any AVC messages
> # semodule -DB
> sandbox -X -t sandbox_web_t -W metacity firefox5
> # ausearch -m avc -ts recent
> # semodule -B
time->Fri Jun 24 19:03:01 2011
type=SYSCALL msg=audit(1308938581.872:1712): arch=40000003 syscall=11 success=yes exit=0 a0=22070780 a1=2e918708 a2=0 a3=0 items=0 ppid=11813 pid=11827 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="setfiles" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1308938581.872:1712): avc: denied { noatsecure } for pid=11827 comm="setfiles" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1308938581.872:1712): avc: denied { siginh } for pid=11827 comm="setfiles" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1308938581.872:1712): avc: denied { rlimitinh } for pid=11827 comm="setfiles" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
----
time->Fri Jun 24 19:04:59 2011
type=SYSCALL msg=audit(1308938699.627:1714): arch=40000003 syscall=11 success=yes exit=0 a0=8b92188 a1=8b921a0 a2=8b93ba8 a3=8b921a0 items=0 ppid=11832 pid=11839 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="Xephyr" exe="/usr/bin/Xephyr" subj=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c396,c934 key=(null)
type=AVC msg=audit(1308938699.627:1714): avc: denied { noatsecure } for pid=11839 comm="Xephyr" scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 tcontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c396,c934 tclass=process
type=AVC msg=audit(1308938699.627:1714): avc: denied { siginh } for pid=11839 comm="Xephyr" scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 tcontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c396,c934 tclass=process
type=AVC msg=audit(1308938699.627:1714): avc: denied { rlimitinh } for pid=11839 comm="Xephyr" scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 tcontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c396,c934 tclass=process
----
time->Fri Jun 24 19:05:00 2011
type=SYSCALL msg=audit(1308938700.103:1715): arch=40000003 syscall=11 success=yes exit=0 a0=8b93ef0 a1=8b92d90 a2=8b93db0 a3=8b92d90 items=0 ppid=11840 pid=11846 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="start" exe="/usr/bin/python" subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 key=(null)
type=AVC msg=audit(1308938700.103:1715): avc: denied { noatsecure } for pid=11846 comm="start" scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 tcontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 tclass=process
type=AVC msg=audit(1308938700.103:1715): avc: denied { siginh } for pid=11846 comm="start" scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 tcontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 tclass=process
type=AVC msg=audit(1308938700.103:1715): avc: denied { rlimitinh } for pid=11846 comm="start" scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 tcontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 tclass=process
----
time->Fri Jun 24 19:04:59 2011
type=SYSCALL msg=audit(1308938699.592:1713): arch=40000003 syscall=11 success=yes exit=0 a0=bf99f5ed a1=bf99e7f4 a2=20a04f28 a3=0 items=0 ppid=11831 pid=11832 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="sandboxX.sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 key=(null)
type=AVC msg=audit(1308938699.592:1713): avc: denied { read write } for pid=11832 comm="sandboxX.sh" path="/dev/pts/0" dev=devpts ino=3 scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1308938699.592:1713): avc: denied { read write } for pid=11832 comm="sandboxX.sh" path="/dev/pts/0" dev=devpts ino=3 scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1308938699.592:1713): avc: denied { read write } for pid=11832 comm="sandboxX.sh" path="/dev/pts/0" dev=devpts ino=3 scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
----
time->Fri Jun 24 19:05:00 2011
type=SYSCALL msg=audit(1308938700.685:1716): arch=40000003 syscall=5 success=no exit=-13 a0=71c252 a1=8000 a2=1b6 a3=0 items=0 ppid=11853 pid=11854 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="dbus-daemon" exe="/bin/dbus-daemon" subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 key=(null)
type=AVC msg=audit(1308938700.685:1716): avc: denied { read } for pid=11854 comm="dbus-daemon" name="config" dev=dm-2 ino=32330 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
----
time->Fri Jun 24 19:05:00 2011
type=SYSCALL msg=audit(1308938700.693:1717): arch=40000003 syscall=11 success=no exit=-13 a0=bfde9f06 a1=8e2c058 a2=8e37ad8 a3=8e37ad8 items=0 ppid=11848 pid=11852 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="dbus-launch" exe="/usr/bin/dbus-launch" subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 key=(null)
type=AVC msg=audit(1308938700.693:1717): avc: denied { execute } for pid=11852 comm="dbus-launch" name="firefox" dev=dm-2 ino=263286 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
On 06/24/2011 02:07 PM, GSO wrote:
> time->Fri Jun 24 19:03:01 2011 type=SYSCALL msg=audit(1308938581.872:1712): arch=40000003 syscall=11 success=yes exit=0 a0=22070780 a1=2e918708 a2=0 a3=0 items=0 ppid=11813 pid=11827 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="setfiles" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1308938581.872:1712): avc: denied { noatsecure } for pid=11827 comm="setfiles" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process type=AVC msg=audit(1308938581.872:1712): avc: denied { siginh } for pid=11827 comm="setfiles" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process type=AVC msg=audit(1308938581.872:1712): avc: denied { rlimitinh } for pid=11827 comm="setfiles" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
> time->Fri Jun 24 19:04:59 2011 type=SYSCALL msg=audit(1308938699.627:1714): arch=40000003 syscall=11 success=yes exit=0 a0=8b92188 a1=8b921a0 a2=8b93ba8 a3=8b921a0 items=0 ppid=11832 pid=11839 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="Xephyr" exe="/usr/bin/Xephyr" subj=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c396,c934 key=(null) type=AVC msg=audit(1308938699.627:1714): avc: denied { noatsecure } for pid=11839 comm="Xephyr" scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 tcontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c396,c934 tclass=process type=AVC msg=audit(1308938699.627:1714): avc: denied { siginh } for pid=11839 comm="Xephyr" scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 tcontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c396,c934 tclass=process type=AVC msg=audit(1308938699.627:1714): avc: denied { rlimitinh } for pid=11839 comm="Xephyr" scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 tcontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c396,c934 tclass=process
> time->Fri Jun 24 19:05:00 2011 type=SYSCALL msg=audit(1308938700.103:1715): arch=40000003 syscall=11 success=yes exit=0 a0=8b93ef0 a1=8b92d90 a2=8b93db0 a3=8b92d90 items=0 ppid=11840 pid=11846 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="start" exe="/usr/bin/python" subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 key=(null) type=AVC msg=audit(1308938700.103:1715): avc: denied { noatsecure } for pid=11846 comm="start" scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 tcontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 tclass=process type=AVC msg=audit(1308938700.103:1715): avc: denied { siginh } for pid=11846 comm="start" scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 tcontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 tclass=process type=AVC msg=audit(1308938700.103:1715): avc: denied { rlimitinh } for pid=11846 comm="start" scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 tcontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 tclass=process
> time->Fri Jun 24 19:04:59 2011 type=SYSCALL msg=audit(1308938699.592:1713): arch=40000003 syscall=11 success=yes exit=0 a0=bf99f5ed a1=bf99e7f4 a2=20a04f28 a3=0 items=0 ppid=11831 pid=11832 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="sandboxX.sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 key=(null) type=AVC msg=audit(1308938699.592:1713): avc: denied { read write } for pid=11832 comm="sandboxX.sh" path="/dev/pts/0" dev=devpts ino=3 scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file type=AVC msg=audit(1308938699.592:1713): avc: denied { read write } for pid=11832 comm="sandboxX.sh" path="/dev/pts/0" dev=devpts ino=3 scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file type=AVC msg=audit(1308938699.592:1713): avc: denied { read write } for pid=11832 comm="sandboxX.sh" path="/dev/pts/0" dev=devpts ino=3 scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
> time->Fri Jun 24 19:05:00 2011 type=SYSCALL msg=audit(1308938700.685:1716): arch=40000003 syscall=5 success=no exit=-13 a0=71c252 a1=8000 a2=1b6 a3=0 items=0 ppid=11853 pid=11854 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="dbus-daemon" exe="/bin/dbus-daemon" subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 key=(null) type=AVC msg=audit(1308938700.685:1716): avc: denied { read } for pid=11854 comm="dbus-daemon" name="config" dev=dm-2 ino=32330 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
> time->Fri Jun 24 19:05:00 2011 type=SYSCALL msg=audit(1308938700.693:1717): arch=40000003 syscall=11 success=no exit=-13 a0=bfde9f06 a1=8e2c058 a2=8e37ad8 a3=8e37ad8 items=0 ppid=11848 pid=11852 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="dbus-launch" exe="/usr/bin/dbus-launch" subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 key=(null) type=AVC msg=audit(1308938700.693:1717): avc: denied { execute } for pid=11852 comm="dbus-launch" name="firefox" dev=dm-2 ino=263286 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
chcon -t bin_t firefox
Is what it is complaining about.
On 24 June 2011 20:16, Daniel J Walsh dwalsh@redhat.com wrote:
> ...
> chcon -t bin_t firefox
> Is what it is complaining about.
OK Firefox 5 is now available as a fedora update, no issue at this point :)
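A triage sketch for the kind of `ausearch` output posted in this thread, added here as an example and not code from the thread or from any SELinux tool: with dontaudit rules disabled by `semodule -DB`, it sets aside the `noatsecure`/`siginh`/`rlimitinh` denials logged on domain transitions and any denial whose syscall still succeeded, and reports the denials tied to a failed syscall. The function names and the abridged sample records are constructed for the example, and it assumes one audit record per line.

```python
import re
from collections import defaultdict

# Process-class permissions checked on every domain transition. Policy normally
# hides them with dontaudit rules, so they only appear after `semodule -DB`.
TRANSITION_NOISE = {"noatsecure", "siginh", "rlimitinh"}

REC_RE = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\):")
PERM_RE = re.compile(r"denied\s+\{ ([^}]+) \}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: records abridged from the shape of the thread's output.
SAMPLE = """\
type=SYSCALL msg=audit(1308938699.627:1714): syscall=11 success=yes exit=0 comm="Xephyr"
type=AVC msg=audit(1308938699.627:1714): avc:  denied  { siginh } for  pid=11839 comm="Xephyr" scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 tcontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c396,c934 tclass=process
type=SYSCALL msg=audit(1308938699.592:1713): syscall=11 success=yes exit=0 comm="sandboxX.sh"
type=AVC msg=audit(1308938699.592:1713): avc:  denied  { read write } for  pid=11832 comm="sandboxX.sh" path="/dev/pts/0" scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1308938700.685:1716): syscall=5 success=no exit=-13 comm="dbus-daemon"
type=AVC msg=audit(1308938700.685:1716): avc:  denied  { read } for  pid=11854 comm="dbus-daemon" name="config" scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=SYSCALL msg=audit(1308938700.693:1717): syscall=11 success=no exit=-13 comm="dbus-launch"
type=AVC msg=audit(1308938700.693:1717): avc:  denied  { execute } for  pid=11852 comm="dbus-launch" name="firefox" scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
"""

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def triage(text):
    """Return denials that coincide with a failed syscall, skipping -DB noise."""
    events = defaultdict(lambda: {"syscall_ok": None, "avcs": []})
    for line in text.splitlines():
        rec = REC_RE.search(line)
        if not rec:
            continue  # e.g. the "time->" and "----" lines ausearch prints
        rtype, event_id = rec.groups()
        kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if rtype == "SYSCALL":
            events[event_id]["syscall_ok"] = kv.get("success") == "yes"
        elif rtype == "AVC":
            perms = PERM_RE.search(line)
            if perms:
                events[event_id]["avcs"].append((set(perms.group(1).split()), kv))

    findings, seen = [], set()
    for event_id, ev in events.items():
        if ev["syscall_ok"]:  # denial was logged, but the call went through
            continue
        for perms, kv in ev["avcs"]:
            if perms <= TRANSITION_NOISE:
                continue
            key = (event_id, frozenset(perms), kv["scontext"], kv["tcontext"])
            if key in seen:  # same denial repeated within one event
                continue
            seen.add(key)
            findings.append({
                "event": event_id,
                "comm": kv.get("comm"),
                "perms": sorted(perms),
                "source_type": selinux_type(kv["scontext"]),
                "target_type": selinux_type(kv["tcontext"]),
                "tclass": kv.get("tclass"),
                "name": kv.get("name") or kv.get("path"),
            })
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['comm']}: {{ {' '.join(f['perms'])} }} on {f['name']} "
              f"({f['target_type']}:{f['tclass']}) as {f['source_type']}")
```

On the sample this leaves two candidates: the `read` of `config` labelled `selinux_config_t` and the `execute` of `firefox` labelled `usr_t`, the latter being the one the `chcon -t bin_t firefox` reply addresses.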