On 18.08.2009 11:11, Dominick Grift wrote:
> type=AVC msg=audit(1250580934.287:24730): avc: denied { execmem } for
> pid=4845 comm="firefox" scontext=xguest_u:xguest_r:mozilla_t:s0
> tcontext=xguest_u:xguest_r:mozilla_t:s0 tclass=process
> I have a feeling that this is due to a plugin that is not run in the nsplugin_t domain,
> but I might be wrong.
> Can you confirm or deny that?

flash-plugin is not (yet) installed for xguest
other installed plugins:
ls /usr/lib/mozilla/plugins
librhythmbox-itms-detection-plugin.so libtotem-cone-plugin.so
libtotem-gmp-plugin.so libtotem-mully-plugin.so
libtotem-narrowspace-plugin.so

> Afaik mozilla does not require { execmem }, but many of those crappy
> plugins do (for example flash-plugin).
> In certain configurations those plugins do not get run in the designated nsplugin_t
> domain.
> In that case firefox runs them.
> I am not sure whether mozilla_t domain transitions to nsplugin_t at all.
> In practice I believe it does not matter all that much what needs it. You can allow or
> (silently) deny it.

Silent deny would mean don't use firefox (because it crashes
immediately after I start it, if execmem is not allowed).
Does this imply that it has something to do with firefox rather than a
specific plugin, or are all plugins loaded at startup?

> You can use audit2allow to create an add-on to the mozilla_t domain.

I prefer to get it fixed upstream (if it is a bug) ;)
thanks,
Christoph
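
An added example, not part of the original thread and not audit2allow's own code: a small parser for the AVC denial quoted above that derives the allow rule such a denial corresponds to and flags memory-protection permissions like execmem for review before they are allowed. The function names and the REVIEW_PERMS set are hypothetical; the sample record is the quoted denial joined onto one line.

```python
import re

# Constructed sample: the denial quoted in the thread, joined onto one line.
SAMPLE = ('type=AVC msg=audit(1250580934.287:24730): avc: denied { execmem } for '
          'pid=4845 comm="firefox" scontext=xguest_u:xguest_r:mozilla_t:s0 '
          'tcontext=xguest_u:xguest_r:mozilla_t:s0 tclass=process')

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption for this example: permissions worth a manual look before allowing,
# because they relax memory protections for the whole domain.
REVIEW_PERMS = {'execmem', 'execstack', 'execheap', 'execmod'}


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    parts = ctx.split(':')
    if len(parts) < 3:
        raise ValueError('malformed security context: %r' % ctx)
    return parts[2]


def parse_avc(line):
    """Parse one AVC denial record; return None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    if not all(k in fields for k in ('scontext', 'tcontext', 'tclass')):
        return None
    perms = m.group('perms').split()
    return {
        'comm': fields.get('comm'),
        'perms': perms,
        'source_type': context_type(fields['scontext']),
        'target_type': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
        'needs_review': sorted(REVIEW_PERMS.intersection(perms)),
    }


def allow_rule(denial):
    """Build the allow rule matching a parsed denial (source == target becomes 'self')."""
    same = denial['source_type'] == denial['target_type']
    target = 'self' if same else denial['target_type']
    perms = denial['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow %s %s:%s %s;' % (denial['source_type'], target, denial['tclass'], perm_str)
```

Because the source and target contexts are identical, the rule applies to every process in mozilla_t, whichever plugin or component triggered the denial.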