This is a new install, updated, Fedora-26 using XFCE, however I believe the problem began with Fedora-24.
I print several puzzles every day usin Firefox, puzzles presented in pdf print without any trouble, however those that require Flash stop working when the Fedora print window pops up, it looks normal but does not display/recognize my printer, the printer name is missing/blank. I am forced to use SeaMonkey to print the flash sites such as: http://puzzles.usatoday.com/
Using Firefox the line that says "Print to Printer:" simply shows "No Printer." SeaMonkey shows the printer and prints. It seems Firefox should do the same and it used to ... I've googled this extensively but never come near finding an answer. I would prefer not having to use a second browser to print puzzles.
Can anyone offer an explanation, better yet a fix?
*Bob*
On 07/24/2017 03:06 AM, Bob Goodwin wrote:
This is a new install, updated, Fedora-26 using XFCE, however I believe the problem began with Fedora-24.
I print several puzzles every day usin Firefox, puzzles presented in pdf print without any trouble, however those that require Flash stop working when the Fedora print window pops up, it looks normal but does not display/recognize my printer, the printer name is missing/blank. I am forced to use SeaMonkey to print the flash sites such as: http://puzzles.usatoday.com/
Using Firefox the line that says "Print to Printer:" simply shows "No Printer." SeaMonkey shows the printer and prints. It seems Firefox should do the same and it used to ... I've googled this extensively but never come near finding an answer. I would prefer not having to use a second browser to print puzzles.
Can anyone offer an explanation, better yet a fix?
I know what the problem is. It is related to selinux. If you run firefox after doing a "setenforce 0" you can select a printer. You don't get an AVC since donot-audit is active.
I will get back to you later in my day (only 6AM) when I have what I think is a proper "fix". Need to test it within a VM as a personal preference. :-)
On 07/24/2017 05:58 AM, Ed Greshko wrote:
I will get back to you later in my day (only 6AM) when I have what I think is a proper "fix". Need to test it within a VM as a personal preference.
And the answer is quite simple. Just run the following command as root....
setsebool -P unconfined_mozilla_plugin_transition 0
On 07/23/17 18:39, Ed Greshko wrote:
And the answer is quite simple. Just run the following command as root....
setsebool -P unconfined_mozilla_plugin_transition 0
+
And of course that works, as you knew it would.
I have been inconveniwenced by that problem for what seems to be a year or more. Thought it might be one of the many add-ons it takes to make Firefox uasable. After running the selinux command the web site was blocked by umatrixd but that is easily cleared and I printed one page.
I thank you for the help,
Bob
On 07/23/17 18:39, Ed Greshko wrote:
And the answer is quite simple. Just run the following command as root....
setsebool -P unconfined_mozilla_plugin_transition 0
+
I am curious to know how you arrived at that. Is it something I should have been able to do, something I might be able to apply in another problem?
On 07/24/2017 08:09 AM, Bob Goodwin wrote:
On 07/23/17 18:39, Ed Greshko wrote:
And the answer is quite simple. Just run the following command as root....
setsebool -P unconfined_mozilla_plugin_transition 0
I am curious to know how you arrived at that. Is it something I should have been able to do, something I might be able to apply in another problem?
First, I hardly ever use firefox. I have it set up to use a network proxy for a specific use case that I occasionally need. With that in mind.
My "thought" process and diagnosis when about like this....
1. I went to the page you posted and tried to print a puzzle and verified I see the same as you do.
2. I noticed that the popup for printing is referencing "plugin-container"
3. Did some googling, not much actually, and nothing popped out at me.
4. Recalled in the back of my head seeing a selinux error in the past running FF.
5. So, I tried "setenforce 0" and then run FF and try printing again....and it worked.
6. Restored "setenforce1" and ran "semodule -BD" to turn on auditing so the AVC is generated and logged. Got the sealert popup and found the AVC for plugin-container and followed the suggestion which was....
If you want to use the plugin package Then you must turn off SELinux controls on the Firefox plugins. Do # setsebool -P unconfined_mozilla_plugin_transition 0
7. Ran "semodule -B" to restore donot-audit.
Maybe in summary it is wise to remember that selinux has a lot of 'donot audit" in its policies turned on by default. So, you can get selinux errors without getting notified. So, at times, if something doesn't work but no error messages are to be found then one possible reason is selinux and trying "setenforce 0" on a temporary basis is a troubleshooting option.
On 07/23/17 20:34, Ed Greshko wrote:
First, I hardly ever use firefox. I have it set up to use a network proxy for a specific use case that I occasionally need. With that in mind.
My "thought" process and diagnosis when about like this.... .... Snip ....
+
I can probably do this in the event of another similar problem and have saved this to my notes.
Thank you
On 07/24/2017 01:13 AM, Bob Goodwin wrote:
On 07/23/17 20:34, Ed Greshko wrote:
First, I hardly ever use firefox. I have it set up to use a network proxy for a specific use case that I occasionally need. With that in mind.
My "thought" process and diagnosis when about like this.... .... Snip ....
I can probably do this in the event of another similar problem and have saved this to my notes.
Thank you
After going through this thread and looking at Ed's replies as to "what to do" (being "setsebool -P unconfined_mozilla_plugin_transition 0"), I went back to my "NVidia instead of nouveau" issues (which included a thread with Ed explaining to me some stuff I did not understand).
Ed's suggestion of "setsebool -P unconfined_mozilla_plugin_transition 0" is exactly what SELinux advises me to do now that I have NVidia instead of nouveau installed when dealing with Firefox issues.
Am I to gather the this "setsebool -P unconfined_mozilla_plugin_transition 0" suggestion pretty much is a global statement to say "*anything* that SELinux pings in anything dealing with Firefox" will be ignored once this setsebool rule is enacted?
Not making value judgment with that statement, just trying to understand how big the scope of that SELinux rules is. For the record, I have not granted that exception as I have yet to see any problem with NVidia and Firefox that requires an intervention.
Thanks for any advice, Paul
On 07/30/2017 03:56 PM, Paul Allen Newell wrote:
On 07/24/2017 01:13 AM, Bob Goodwin wrote:
On 07/23/17 20:34, Ed Greshko wrote:
First, I hardly ever use firefox. I have it set up to use a network proxy for a specific use case that I occasionally need. With that in mind.
My "thought" process and diagnosis when about like this.... .... Snip ....
I can probably do this in the event of another similar problem and have saved this to my notes.
Thank you
After going through this thread and looking at Ed's replies as to "what to do" (being "setsebool -P unconfined_mozilla_plugin_transition 0"), I went back to my "NVidia instead of nouveau" issues (which included a thread with Ed explaining to me some stuff I did not understand).
Ed's suggestion of "setsebool -P unconfined_mozilla_plugin_transition 0" is exactly what SELinux advises me to do now that I have NVidia instead of nouveau installed when dealing with Firefox issues.
The selinux issue with the firefox plugin has no relationship to either nVidia, nouveau, or any other video driver.
Am I to gather the this "setsebool -P unconfined_mozilla_plugin_transition 0" suggestion pretty much is a global statement to say "*anything* that SELinux pings in anything dealing with Firefox" will be ignored once this setsebool rule is enacted?
No. It only has to do with the mozzilla plugin....
[root@meimei ~]# semanage boolean -l | grep mozilla_plugin_tran unconfined_mozilla_plugin_transition (on , on) Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.
Which basically would control what processes can be executed by the plugin.
Not making value judgment with that statement, just trying to understand how big the scope of that SELinux rules is. For the record, I have not granted that exception as I have yet to see any problem with NVidia and Firefox that requires an intervention.
I guess I'm a bit confused.
In your second paragraph you said ""setsebool -P unconfined_mozilla_plugin_transition 0" is exactly what SELinux advises me to do now that I have NVidia instead of nouveau installed when dealing with Firefox issues." But now you've said " I have not granted that exception as I have yet to see any problem with NVidia and Firefox that requires an intervention."
But, again, the selinux messages we're talking about here have no relationship to the video hardware or driver in use.
You may not hit an issue so you may not need to make the change. In the case of going to puzzles.usatoday.com, running the flash plugin and then trying to print the plugin isn't being allowed access to information about printers.....it would seem.
If you hit an issue that requires you change the boolean (and chances are you won't know it unless you disable dontaudit) and you are concerned about a security risk I would ask on the selinux mailing list. They have the expertise. I
On 07/30/2017 06:30 AM, Ed Greshko wrote:
On 07/30/2017 03:56 PM, Paul Allen Newell wrote:
Ed's suggestion of "setsebool -P unconfined_mozilla_plugin_transition 0" is exactly what SELinux advises me to do now that I have NVidia instead of nouveau installed when dealing with Firefox issues.
The selinux issue with the firefox plugin has no relationship to either nVidia, nouveau, or any other video driver.
okay
Am I to gather the this "setsebool -P unconfined_mozilla_plugin_transition 0" suggestion pretty much is a global statement to say "*anything* that SELinux pings in anything dealing with Firefox" will be ignored once this setsebool rule is enacted?
No. It only has to do with the mozzilla plugin....
[root@meimei ~]# semanage boolean -l | grep mozilla_plugin_tran unconfined_mozilla_plugin_transition (on , on) Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.
Which basically would control what processes can be executed by the plugin.
This helps clarify, thank you. Far better explanation than the conclusion I was thinking
Not making value judgment with that statement, just trying to understand how big the scope of that SELinux rules is. For the record, I have not granted that exception as I have yet to see any problem with NVidia and Firefox that requires an intervention.
I guess I'm a bit confused.
In your second paragraph you said ""setsebool -P unconfined_mozilla_plugin_transition 0" is exactly what SELinux advises me to do now that I have NVidia instead of nouveau installed when dealing with Firefox issues." But now you've said " I have not granted that exception as I have yet to see any problem with NVidia and Firefox that requires an intervention."
SELinux has given me the alert and I have not done the setsebool action. Given that I have not seen any problems, it doesn't make much sense to me to do the setsebool action.
But, again, the selinux messages we're talking about here have no relationship to the video hardware or driver in use.
You may not hit an issue so you may not need to make the change. In the case of going to puzzles.usatoday.com, running the flash plugin and then trying to print the plugin isn't being allowed access to information about printers.....it would seem.
If you hit an issue that requires you change the boolean (and chances are you won't know it unless you disable dontaudit) and you are concerned about a security risk I would ask on the selinux mailing list. They have the expertise. I
Appreciate the information. Everything I found online indicated to me that others have gotten the same warnings and the setsebool is the default action to take. I have yet to see any comment about what is being prevented (as in "I can't do this or that").
Thanks
users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-leave@lists.fedoraproject.org
On 07/31/2017 07:06 AM, Paul Allen Newell wrote:
OK, good that it is all sorted.
Appreciate the information. Everything I found online indicated to me that others have gotten the same warnings and the setsebool is the default action to take. I have yet to see any comment about what is being prevented (as in "I can't do this or that").
You mean other than Bob's inability to print the puzzles from USA Today?
On 07/30/2017 04:26 PM, Ed Greshko wrote:
On 07/31/2017 07:06 AM, Paul Allen Newell wrote:
OK, good that it is all sorted.
Appreciate the information. Everything I found online indicated to me that others have gotten the same warnings and the setsebool is the default action to take. I have yet to see any comment about what is being prevented (as in "I can't do this or that").
You mean other than Bob's inability to print the puzzles from USA Today?
I should have qualified that I was referring to NVidia issues. I did try to print a crossword puzzle from Bob's site and had no warnings from SELinux ... and now have a crossword puzzle on page in front of me that I somehow feel I have to try to solve
On 07/31/2017 07:30 AM, Paul Allen Newell wrote:
On 07/30/2017 04:26 PM, Ed Greshko wrote:
On 07/31/2017 07:06 AM, Paul Allen Newell wrote:
OK, good that it is all sorted.
Appreciate the information. Everything I found online indicated to me that others have gotten the same warnings and the setsebool is the default action to take. I have yet to see any comment about what is being prevented (as in "I can't do this or that").
You mean other than Bob's inability to print the puzzles from USA Today?
I should have qualified that I was referring to NVidia issues. I did try to print a crossword puzzle from Bob's site and had no warnings from SELinux ... and now have a crossword puzzle on page in front of me that I somehow feel I have to try to solve
Are you saying you printed the puzzle? If that is the case, what is the output of....
getsebool unconfined_mozilla_plugin_transition as well as
getenforce
On 07/30/2017 04:41 PM, Ed Greshko wrote:
On 07/31/2017 07:30 AM, Paul Allen Newell wrote:
On 07/30/2017 04:26 PM, Ed Greshko wrote:
On 07/31/2017 07:06 AM, Paul Allen Newell wrote:
OK, good that it is all sorted.
Appreciate the information. Everything I found online indicated to me that others have gotten the same warnings and the setsebool is the default action to take. I have yet to see any comment about what is being prevented (as in "I can't do this or that").
You mean other than Bob's inability to print the puzzles from USA Today?
I should have qualified that I was referring to NVidia issues. I did try to print a crossword puzzle from Bob's site and had no warnings from SELinux ... and now have a crossword puzzle on page in front of me that I somehow feel I have to try to solve
Are you saying you printed the puzzle? If that is the case, what is the output of....
getsebool unconfined_mozilla_plugin_transition as well as
getenforce
[paul@birdinhand ~]$ getsebool unconfined_mozilla_plugin_transition unconfined_mozilla_plugin_transition --> on [paul@birdinhand ~]$ getenforce Enforcing [paul@birdinhand ~]$
On 07/31/2017 07:44 AM, Paul Allen Newell wrote:
On 07/30/2017 04:41 PM, Ed Greshko wrote:
On 07/31/2017 07:30 AM, Paul Allen Newell wrote:
On 07/30/2017 04:26 PM, Ed Greshko wrote:
On 07/31/2017 07:06 AM, Paul Allen Newell wrote:
OK, good that it is all sorted.
Appreciate the information. Everything I found online indicated to me that others have gotten the same warnings and the setsebool is the default action to take. I have yet to see any comment about what is being prevented (as in "I can't do this or that").
You mean other than Bob's inability to print the puzzles from USA Today?
I should have qualified that I was referring to NVidia issues. I did try to print a crossword puzzle from Bob's site and had no warnings from SELinux ... and now have a crossword puzzle on page in front of me that I somehow feel I have to try to solve
Are you saying you printed the puzzle? If that is the case, what is the output of....
getsebool unconfined_mozilla_plugin_transition as well as
getenforce
[paul@birdinhand ~]$ getsebool unconfined_mozilla_plugin_transition unconfined_mozilla_plugin_transition --> on [paul@birdinhand ~]$ getenforce Enforcing [paul@birdinhand ~]$
All I can say is that I find that odd and maybe even a bit troubling. With those setting you should get "no printer" when the print dialog is presented after picking "Print --> blank puzzle".
This suggests that some change occurred to your system which alters the behavior. Possibly a mislabeled file or something else. Or possibly the way some things on your system were installed.
If the behavior is altered in this one case I'd be wondering if there may be other cases.
On 07/30/2017 05:07 PM, Ed Greshko wrote:
On 07/31/2017 07:44 AM, Paul Allen Newell wrote:
On 07/30/2017 04:41 PM, Ed Greshko wrote:
Are you saying you printed the puzzle? If that is the case, what is the output of....
getsebool unconfined_mozilla_plugin_transition as well as
getenforce
[paul@birdinhand ~]$ getsebool unconfined_mozilla_plugin_transition unconfined_mozilla_plugin_transition --> on [paul@birdinhand ~]$ getenforce Enforcing [paul@birdinhand ~]$
All I can say is that I find that odd and maybe even a bit troubling. With those setting you should get "no printer" when the print dialog is presented after picking "Print --> blank puzzle".
This suggests that some change occurred to your system which alters the behavior. Possibly a mislabeled file or something else. Or possibly the way some things on your system were installed.
If the behavior is altered in this one case I'd be wondering if there may be other cases.
Was not expecting "odd and maybe even a bit troubling".
I am running NoScript but that should not make difference.
My install notes indicate the only change I made to SELinux is setsebool -P antivirus_can_scan_system 1 to enable clamav to scan system (https://linux-audit.com/install-clamav-on-centos-7-using-freshclam). All I can think of is that something has changed in the Fedora branch?
On 07/31/2017 08:50 AM, Paul Allen Newell wrote:
On 07/30/2017 05:07 PM, Ed Greshko wrote:
On 07/31/2017 07:44 AM, Paul Allen Newell wrote:
On 07/30/2017 04:41 PM, Ed Greshko wrote:
Are you saying you printed the puzzle? If that is the case, what is the output of....
getsebool unconfined_mozilla_plugin_transition as well as
getenforce
[paul@birdinhand ~]$ getsebool unconfined_mozilla_plugin_transition unconfined_mozilla_plugin_transition --> on [paul@birdinhand ~]$ getenforce Enforcing [paul@birdinhand ~]$
All I can say is that I find that odd and maybe even a bit troubling. With those setting you should get "no printer" when the print dialog is presented after picking "Print --> blank puzzle".
This suggests that some change occurred to your system which alters the behavior. Possibly a mislabeled file or something else. Or possibly the way some things on your system were installed.
If the behavior is altered in this one case I'd be wondering if there may be other cases.
Was not expecting "odd and maybe even a bit troubling".
I am running NoScript but that should not make difference.
My install notes indicate the only change I made to SELinux is setsebool -P antivirus_can_scan_system 1 to enable clamav to scan system (https://linux-audit.com/install-clamav-on-centos-7-using-freshclam). All I can think of is that something has changed in the Fedora branch?
You could always run FF with NoScript disabled to verify.
Assuming you didn't install FF in a non-Fedora way. I think I would go about relabeling, just for peace of mind.
To do that, I would at a minimum do
fixfiles -R firefox restore
or at a maximum
touch /.autorelabel reboot
On 07/30/2017 09:02 PM, Ed Greshko wrote:
On 07/31/2017 08:50 AM, Paul Allen Newell wrote:
On 07/30/2017 05:07 PM, Ed Greshko wrote:
On 07/31/2017 07:44 AM, Paul Allen Newell wrote:
On 07/30/2017 04:41 PM, Ed Greshko wrote:
Are you saying you printed the puzzle? If that is the case, what is the output of....
getsebool unconfined_mozilla_plugin_transition as well as
getenforce
[paul@birdinhand ~]$ getsebool unconfined_mozilla_plugin_transition unconfined_mozilla_plugin_transition --> on [paul@birdinhand ~]$ getenforce Enforcing [paul@birdinhand ~]$
All I can say is that I find that odd and maybe even a bit troubling. With those setting you should get "no printer" when the print dialog is presented after picking "Print --> blank puzzle".
This suggests that some change occurred to your system which alters the behavior. Possibly a mislabeled file or something else. Or possibly the way some things on your system were installed.
If the behavior is altered in this one case I'd be wondering if there may be other cases.
Was not expecting "odd and maybe even a bit troubling".
I am running NoScript but that should not make difference.
My install notes indicate the only change I made to SELinux is setsebool -P antivirus_can_scan_system 1 to enable clamav to scan system (https://linux-audit.com/install-clamav-on-centos-7-using-freshclam). All I can think of is that something has changed in the Fedora branch?
You could always run FF with NoScript disabled to verify.
Assuming you didn't install FF in a non-Fedora way. I think I would go about relabeling, just for peace of mind.
To do that, I would at a minimum do
fixfiles -R firefox restore
or at a maximum
touch /.autorelabel reboot
I have to admit, it sure didn't seem like I needed to run this test with NoScript off, but I figured I owed it for completeness. Imagine the large plate of crow delivered to me when I go the "no printer".
Turned NoScript back on and only allowed enough permissions to get the crossword up on screen. Still "no printer". Two or three times (getting bored of the Trivago ad). On the last try, I got a notice that Flash Plugin had crashed in Firefox. It asked if it wanted to be reloaded, I said yes and the crossword puzzle came up. This time the printer was available and wanted to print the crossword.
No SELinux alerts accept for "my usual NVidia ones" of SELinux is preventing /usr/lib64/firefox/plugin-container from sendto access on the unix_dgram_socket @nvidia15a01b57 which says I should setsebool -P unconfined_mozilla_plugin_transition 0. It did not occur. The ABRT is about "plugin-container killed by SIGSEGV". The SELinux alert appears to have occurred after I restarted Flash
Firefox was installed in the default install from DVD and have always updated through yum.
I checked my add-ons in Firefox to see if I had anything else, I do see the Web Developer 1.2.13 extension (that plate of crow is preventing me from assuming that it could have nothing to do with things ...). The only plugins I have added is Widevine Content Decryption Module provided by Google Inc 1.4.8.903 ... all the rest (except Flash) are from rhel et al or mozilla
At this point, I am more suspect of Flash than SELinux file settings given that a crash and reloading got me the printer for the crossword puzzle
I read the man page on fixfiles and it makes sense. Luckily, was able to search for the touch option by googling "touch ./autorelabel" so I understand what you mean by "at a maximum".
For reference: flash-plugin: 26.0.0.137 firefox: 52.2.0
On 07/30/2017 10:30 PM, Paul Allen Newell wrote:
On 07/30/2017 09:02 PM, Ed Greshko wrote:
You could always run FF with NoScript disabled to verify.
Assuming you didn't install FF in a non-Fedora way. I think I would go about relabeling, just for peace of mind.
To do that, I would at a minimum do
fixfiles -R firefox restore
or at a maximum
touch /.autorelabel reboot
I have to admit, it sure didn't seem like I needed to run this test with NoScript off, but I figured I owed it for completeness. Imagine the large plate of crow delivered to me when I go the "no printer".
Turned NoScript back on and only allowed enough permissions to get the crossword up on screen. Still "no printer". Two or three times (getting bored of the Trivago ad). On the last try, I got a notice that Flash Plugin had crashed in Firefox. It asked if it wanted to be reloaded, I said yes and the crossword puzzle came up. This time the printer was available and wanted to print the crossword.
No SELinux alerts accept for "my usual NVidia ones" of SELinux is preventing /usr/lib64/firefox/plugin-container from sendto access on the unix_dgram_socket @nvidia15a01b57 which says I should setsebool -P unconfined_mozilla_plugin_transition 0. It did not occur. The ABRT is about "plugin-container killed by SIGSEGV". The SELinux alert appears to have occurred after I restarted Flash
Firefox was installed in the default install from DVD and have always updated through yum.
I checked my add-ons in Firefox to see if I had anything else, I do see the Web Developer 1.2.13 extension (that plate of crow is preventing me from assuming that it could have nothing to do with things ...). The only plugins I have added is Widevine Content Decryption Module provided by Google Inc 1.4.8.903 ... all the rest (except Flash) are from rhel et al or mozilla
At this point, I am more suspect of Flash than SELinux file settings given that a crash and reloading got me the printer for the crossword puzzle
I read the man page on fixfiles and it makes sense. Luckily, was able to search for the touch option by googling "touch ./autorelabel" so I understand what you mean by "at a maximum".
For reference: flash-plugin: 26.0.0.137 firefox: 52.2.0
Not to keep beating this as I think it is resolved given seeing things working after reloading flash when it didn't work prior, I did want to mention that tonight (sorry for the delay in doing this but something else came up), I ran:
[root@birdinhand ~]# fixfiles -R firefox check Warning: Skipping the following R/O filesystems: /sys/fs/cgroup [root@birdinhand ~]#
and it appears that fixfiles thinks that everything except the read-only directory is okay and nothing needs to be fixed/restored.
On 08/02/2017 12:38 PM, Paul Allen Newell wrote:
Not to keep beating this as I think it is resolved given seeing things working after reloading flash when it didn't work prior, I did want to mention that tonight (sorry for the delay in doing this but something else came up), I ran:
[root@birdinhand ~]# fixfiles -R firefox check Warning: Skipping the following R/O filesystems: /sys/fs/cgroup [root@birdinhand ~]#and it appears that fixfiles thinks that everything except the read-only directory is okay and nothing needs to be fixed/restored.
Yes, it would seem all is labeled correctly and that the different results you get are due to having NoScript and how it affects transitions of Selinux Domains.
All in all, I wouldn't give it another thought.
Also, FWIW, that AVC you get with nVidia wanting to write to a unix_dgram_socket seems to be a known issue. I saw a Bugzilla about it for I think it was F22 and no action was taken other than to give the advice that is presented by sealert.
On 08/01/2017 09:49 PM, Ed Greshko wrote:
On 08/02/2017 12:38 PM, Paul Allen Newell wrote:
Not to keep beating this as I think it is resolved given seeing things working after reloading flash when it didn't work prior, I did want to mention that tonight (sorry for the delay in doing this but something else came up), I ran:
[root@birdinhand ~]# fixfiles -R firefox check Warning: Skipping the following R/O filesystems: /sys/fs/cgroup [root@birdinhand ~]#and it appears that fixfiles thinks that everything except the read-only directory is okay and nothing needs to be fixed/restored.
Yes, it would seem all is labeled correctly and that the different results you get are due to having NoScript and how it affects transitions of Selinux Domains.
All in all, I wouldn't give it another thought.
Also, FWIW, that AVC you get with nVidia wanting to write to a unix_dgram_socket seems to be a known issue. I saw a Bugzilla about it for I think it was F22 and no action was taken other than to give the advice that is presented by sealert.
Thanks for confirm that you feel "all is labeled correctly".
The Bugzilla I saw for the NVidia issue were pretty much unanswered issues -- very much in the spirit of your original comment of:
"Once you install any package which 'taints' the kernel you can expect little help from Fedora or Red Hat in resolving kernel related issues. You also won't get help with any packages not supplied by them."
I did look up and find the Bugzilla you mentioned (F23) and I smiled at the answer "I think this is probably SELinux doing it's job...".
-
Bob Goodwin -
Ed Greshko -
Ed Greshko -
Paul Allen Newell