--- On Mon, 3/7/11, Adam Williamson <awilliam@redhat.com> wrote:

From: Adam Williamson <awilliam@redhat.com>
Subject: Re: kernel crash
To: "For testers of Fedora development releases" <test@lists.fedoraproject.org>
Date: Monday, March 7, 2011, 6:02 PM

On Mon, 2011-03-07 at 17:44 -0800, Antonio Olivares wrote:
This was sent to oops page, but not to fedora bugzilla. Is that what the reporting tool should do?
Yes. It's also not a crash, but a warning.
Then why the damn thing says that it is a kernel crash? If it is just a warning, then the tool should just report an oops right?
BTW, the following sealert keeps popping up and a bug has already been filed :(
It is sadly becoming annoying :(
SELinux is preventing /usr/lib/xulrunner-2/plugin-container from name_connect access on the tcp_socket port 5050.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that plugin-container should be allowed name_connect access on the port 5050 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep plugin-containe /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023
Target Context                system_u:object_r:mmcc_port_t:s0
Target Objects                port 5050 [ tcp_socket ]
Source                        plugin-containe
Source Path                   /usr/lib/xulrunner-2/plugin-container
Port                          5050
Host                          toshiba-satellite
Source RPM Packages           xulrunner-2.0-0.25.b12.fc15
Target RPM Packages
Policy RPM                    selinux-policy-3.9.15-2.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     toshiba-satellite
Platform                      Linux toshiba-satellite 2.6.38-0.rc6.git6.1.fc15.i686 #1 SMP Sat Feb 26 02:03:01 UTC 2011 i686 i686
Alert Count                   6
First Seen                    Thu 03 Mar 2011 08:50:35 PM CST
Last Seen                     Mon 07 Mar 2011 07:55:31 PM CST
Local ID                      afb8cabc-0526-4409-8185-8412c24eceba

Raw Audit Messages
type=AVC msg=audit(1299549331.536:133): avc: denied { name_connect } for pid=3337 comm="plugin-containe" dest=5050 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mmcc_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1299549331.536:133): arch=i386 syscall=socketcall success=yes exit=0 a0=3 a1=af4fd080 a2=3729614 a3=0 items=0 ppid=2323 pid=3337 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=plugin-containe exe=/usr/lib/xulrunner-2/plugin-container subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)

Hash: plugin-containe,mozilla_plugin_t,mmcc_port_t,tcp_socket,name_connect

audit2allow

#============= mozilla_plugin_t ==============
allow mozilla_plugin_t mmcc_port_t:tcp_socket name_connect;

audit2allow -R

#============= mozilla_plugin_t ==============
allow mozilla_plugin_t mmcc_port_t:tcp_socket name_connect;
https://bugzilla.redhat.com/show_bug.cgi?id=682078
Thanks,
Antonio
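
Added example, not part of the thread and not audit2allow's own code: this Python code parses the two audit records quoted in the message above, joins them by audit serial to recover the full executable path behind the truncated comm value, and derives the type-enforcement rule that the report lists under audit2allow. The function names and the SAMPLE constant are illustrative assumptions.

```python
import re
from collections import defaultdict

# Records of audit event 133 as quoted in the message above (SYSCALL shortened).
SAMPLE = """\
type=AVC msg=audit(1299549331.536:133): avc: denied { name_connect } for pid=3337 comm="plugin-containe" dest=5050 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mmcc_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1299549331.536:133): arch=i386 syscall=socketcall success=yes exit=0 pid=3337 auid=500 uid=500 comm=plugin-containe exe=/usr/lib/xulrunner-2/plugin-container key=(null)
"""

RECORD = re.compile(r"^type=(\w+) msg=audit\([\d.]+:(\d+)\):\s*(.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")

def sel_type(context):
    """user:role:type[:level] -> the type field, which is what TE rules name."""
    return context.split(":")[2]

def denials(log):
    """Join each denied AVC with the SYSCALL record sharing its audit serial.
    comm is capped at 15 characters by the kernel; exe carries the full path."""
    avcs, syscalls = [], {}
    for line in log.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue
        rtype, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        perms = PERMS.search(body)
        if rtype == "AVC" and perms:
            avcs.append((serial, fields, perms.group(1).split()))
        elif rtype == "SYSCALL":
            syscalls[serial] = fields
    return [{
        "source": sel_type(f["scontext"]), "target": sel_type(f["tcontext"]),
        "tclass": f["tclass"], "perms": p, "port": f.get("dest"),
        "comm": f.get("comm"), "exe": syscalls.get(s, {}).get("exe"),
    } for s, f, p in avcs]

def allow_rules(log):
    """Merge denials per (source type, target type, class) into allow rules."""
    merged = defaultdict(set)
    for d in denials(log):
        merged[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    def fmt(p):
        return p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
    return ["allow %s %s:%s %s;" % (s, t, c, fmt(sorted(p)))
            for (s, t, c), p in sorted(merged.items())]

if __name__ == "__main__":
    print(denials(SAMPLE)[0]["exe"], "->", "\n".join(allow_rules(SAMPLE)))
```

The derived rule names types, not a program or a port number: loading it as a local module lets every process running as mozilla_plugin_t connect to any TCP port labelled mmcc_port_t.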
On 03/08/2011 02:18 AM, Antonio Olivares wrote:
https://bugzilla.redhat.com/show_bug.cgi?id=682078
Thanks,
Antonio
I am going to submit a new F15 policy update today. So you can test it then and increase the karma ;-).
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
I downloaded the selinux policy and yum localinstalled it to see if it could pull in deps:
[root@toshiba-satellite ~]# yum localinstall /home/olivares/Downloads/selinux-policy-3.9.16-1.fc15.noarch.rpm
Loaded plugins: langpacks, presto, refresh-packagekit
Adding en_US to language list
Setting up Local Package Process
Examining /home/olivares/Downloads/selinux-policy-3.9.16-1.fc15.noarch.rpm: selinux-policy-3.9.16-1.fc15.noarch
Marking /home/olivares/Downloads/selinux-policy-3.9.16-1.fc15.noarch.rpm as an update to selinux-policy-3.9.15-2.fc15.noarch
Resolving Dependencies
--> Running transaction check
---> Package selinux-policy.noarch 0:3.9.15-2.fc15 will be updated
--> Processing Dependency: selinux-policy = 3.9.15-2.fc15 for package: selinux-policy-targeted-3.9.15-2.fc15.noarch
--> Processing Dependency: selinux-policy = 3.9.15-2.fc15 for package: selinux-policy-targeted-3.9.15-2.fc15.noarch
---> Package selinux-policy.noarch 0:3.9.16-1.fc15 will be an update
--> Finished Dependency Resolution
Error: Package: selinux-policy-targeted-3.9.15-2.fc15.noarch (@updates-testing)
           Requires: selinux-policy = 3.9.15-2.fc15
           Removing: selinux-policy-3.9.15-2.fc15.noarch (@updates-testing)
               selinux-policy = 3.9.15-2.fc15
           Updated By: selinux-policy-3.9.16-1.fc15.noarch (/selinux-policy-3.9.16-1.fc15.noarch)
               selinux-policy = 3.9.16-1.fc15
           Available: selinux-policy-3.9.14-2.fc15.noarch (fedora)
               selinux-policy = 3.9.14-2.fc15
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest
Should I install one by one, and in which order?
If not, would these be pushed to updates testing if I wait until tomorrow?
Thanks,
Antonio
On 03/08/2011 03:55 PM, Antonio Olivares wrote:
Should I install one by one, and in which order?
If not, would these be pushed to updates testing if I wait until tomorrow?
Thanks,
Antonio

My bad. You need to download/install

selinux-policy-3.9.16-1.fc15.noarch.rpm
selinux-policy-targeted-3.9.16-1.fc15.noarch.rpm

packages.

Regards,
Miroslav