Ask Your Question
0

[F23] SELinux alert when using Firefox

asked 2015-12-15 20:59:50 -0600

xmetax gravatar image

updated 2015-12-15 22:34:40 -0600

I am getting an SELinux alert while browsing sites via Firefox and would like to understand what it means and if the solution suggested by the troubleshooting should be followed. The output from SELinux Troubleshooter is:

------------------------------------------------------------

SELinux is preventing plugin-containe from 'sendto' accesses on the unix_dgram_socket 006E7669646961663334343936643400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000.

*****  Plugin mozplugger (99.1 confidence) suggests   ************************

If you want to use the plugin package
Then you must turn off SELinux controls on the Firefox plugins.
Do
# setsebool -P unconfined_mozilla_plugin_transition 0

*****  Plugin catchall (1.81 confidence) suggests   **************************

If you believe that plugin-containe should be allowed sendto access on the 006E7669646961663334343936643400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 unix_dgram_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep plugin-containe /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
                              0.c1023
Target Context                system_u:system_r:xserver_t:s0-s0:c0.c1023
Target Objects                006E7669646961663334343936643400000000000000000000
                              00000000000000000000000000000000000000000000000000
                              0000000000000000000000000000 [ unix_dgram_socket ]
Source                        plugin-containe
Source Path                   plugin-containe
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-157.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.2.6-301.fc23.x86_64 #1 SMP Fri
                              Nov 20 22:22:41 UTC 2015 x86_64 x86_64
Alert Count                   5
First Seen                    2015-12-15 17:38:45 MST
Last Seen                     2015-12-15 19:47:39 MST
Local ID                      1c1691f0-e48a-422c-800d-d109ce251814

Raw Audit Messages
type=AVC msg=audit(1450234059.63:492): avc:  denied  { sendto } for  pid=2069 comm="plugin-containe" path=006E7669646961663334343936643400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0


Hash: plugin-containe,mozilla_plugin_t,xserver_t,unix_dgram_socket,sendto



----------------------------

Any help is appreciated, thanks!

edit retag flag offensive close merge delete

Comments

I think this is probably SELinux doing it's job...

randomuser gravatar imagerandomuser ( 2015-12-16 08:00:52 -0600 )edit

1 Answer

Sort by ยป oldest newest most voted
3

answered 2015-12-15 22:38:14 -0600

The message tells you the solution:

If you want to use the plugin package Then you must turn off SELinux controls on the Firefox plugins. Do setsebool -P unconfined_mozilla_plugin_transition 0

So assuming you wish to allow firefox to use plugins run

sudo setsebool -P unconfined_mozilla_plugin_transition 0

For more information on selinux booleans see https://access.redhat.com/documentati...

edit flag offensive delete link more

Comments

Thanks,

I've applied that command and am no longer getting the alert. I did notice the solution was part of the message, but wasn't sure what I was actually enabling and if this would be a security risk. I will do my due diligence and do more research. Thanks!

xmetax gravatar imagexmetax ( 2015-12-15 22:41:44 -0600 )edit

Generally, IMHO, you can enable booleans , I consider them options. Only enable the ones you use.

bodhi.zazen gravatar imagebodhi.zazen ( 2015-12-16 11:34:20 -0600 )edit

Question Tools

1 follower

Stats

Asked: 2015-12-15 20:59:50 -0600

Seen: 1,109 times

Last updated: Dec 15 '15