policy addition for mozilla

Richard Hally rhally at mindspring.com
Fri Jul 9 23:56:50 UTC 2004


Colin Walters wrote:

> On Fri, 2004-07-09 at 01:13 -0400, Richard Hally wrote:
> 
>>Attached (and below) is a diff of a one-line addition for
>>mozilla_macros.te from selinux-policy-strict-sources-1.14.1-5.
>>
>>audit2allow generated the following from the avc denied messages I
>>received when trying to run Mozilla:
>>
>>    allow staff_mozilla_t xdm_tmp_t:dir { search };
> 
> 
> Just running denials through audit2allow is generally the wrong thing.
> Often the denials are symptomatic of deeper problems like mislabeled
> files, or deep design issues (e.g. GConf), or simply bugs in the
> software (like mdadm opening files in /proc read/write), or
> configuration problems (running Postfix chrooted).
> 
> In this particular case, having Mozilla able to access the XDM
> temporary files is almost certainly the wrong solution.  In order to
> diagnose it we need to know what file it was accessing (information
> contained in the raw dmesg output, but not in audit2allow) and what you
> were doing at the time.

Here are the avc denied messages from trying to start the mozilla web
browser. When I say trying to start I mean clicking on the mozilla icon
on the panel and watching the hour-glass cursor spin for a while and
then it goes away. "Nothing happens."  BTW, the load_policy messages are
there because I had to "enableaudit" when building the policy to get the avc
messages. This behavior started a couple of weeks ago. Previously
mozilla had worked in enforcing mode.
Also, further below are a couple of avc denied messages from booting that
may be related to the problem as they have to do with xdm. They refer to
a different file (.ICE-unix vice .X11-unix) but may be related. There
was a bug having to do with this xdm problem (bug 127099).

Jul  8 23:51:35 new2 kernel: audit(1089345095.411:0): avc:  granted  { load_policy } for  pid=4238 exe=/usr/sbin/load_policy scontext=root:sysadm_r:load_policy_t tcontext=system_u:object_r:security_t tclass=security
Jul  8 23:51:36 new2 kernel: security:  6 users, 7 roles, 1273 types, 1 bools
Jul  8 23:51:36 new2 kernel: security:  51 classes, 345889 rules
Jul  8 23:52:07 new2 kernel: audit(1089345127.662:0): avc:  granted  { load_policy } for  pid=4296 exe=/usr/sbin/load_policy scontext=root:sysadm_r:load_policy_t tcontext=system_u:object_r:security_t tclass=security
Jul  8 23:52:07 new2 kernel: security:  6 users, 7 roles, 1273 types, 1 bools
Jul  8 23:52:07 new2 kernel: security:  51 classes, 304966 rules
Jul  8 23:52:15 new2 kernel: audit(1089345135.764:0): avc:  denied  { search } for  pid=4315 exe=/usr/lib/mozilla-1.7/mozilla-xremote-client name=.X11-unix dev=hda2 ino=1840558 scontext=richard:staff_r:staff_mozilla_t tcontext=system_u:object_r:xdm_tmp_t tclass=dir
Jul  8 23:52:15 new2 kernel: audit(1089345135.772:0): avc:  denied  { search } for  pid=4301 exe=/usr/lib/mozilla-1.7/mozilla-xremote-client name=.X11-unix dev=hda2 ino=1840558 scontext=richard:staff_r:staff_mozilla_t tcontext=system_u:object_r:xdm_tmp_t tclass=dir

from booting:
Jul  8 14:45:44 new2 kernel: audit(1089312344.553:0): avc:  denied  { setattr } for  pid=2513 exe=/usr/bin/gdm-binary name=.ICE-unix dev=hda2 ino=1840546 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:xdm_xserver_tmp_t tclass=dir
Jul  8 14:45:44 new2 kernel: audit(1089312344.554:0): avc:  denied  { setattr } for  pid=2513 exe=/usr/bin/gdm-binary name=.ICE-unix dev=hda2 ino=1840546 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:xdm_xserver_tmp_t tclass=dir

HTH
Richard Hally
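Colin's point in the quoted reply is that audit2allow collapses each denial to a
type-to-type rule and throws away the fields that let you diagnose it (exe, name,
ino). The script below, added here as an illustration and not part of the thread
or of any SELinux tool, parses the raw 2.6-era kernel AVC lines posted above and
prints, next to the rule audit2allow would emit, the concrete program and object
name behind it. The regex for the `avc: denied { perms } for key=value ...`
layout and the assumption that the type is the third colon-separated field of a
context (no MLS range, as on this 2004 system) are mine.

```python
import re
from collections import defaultdict

# Kernel AVC line layout from the message above (no MLS range in contexts):
#   ... audit(<secs.usec>:<serial>): avc:  denied  { perm [perm ...] } for  key=value ...
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>granted|denied)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Sample input: the AVC lines quoted in the message above, one per line.
SAMPLE_LOG = [
    "Jul  8 23:51:35 new2 kernel: audit(1089345095.411:0): avc:  granted  { load_policy } for  pid=4238 exe=/usr/sbin/load_policy scontext=root:sysadm_r:load_policy_t tcontext=system_u:object_r:security_t tclass=security",
    "Jul  8 23:52:07 new2 kernel: security:  51 classes, 304966 rules",
    "Jul  8 23:52:15 new2 kernel: audit(1089345135.764:0): avc:  denied  { search } for  pid=4315 exe=/usr/lib/mozilla-1.7/mozilla-xremote-client name=.X11-unix dev=hda2 ino=1840558 scontext=richard:staff_r:staff_mozilla_t tcontext=system_u:object_r:xdm_tmp_t tclass=dir",
    "Jul  8 23:52:15 new2 kernel: audit(1089345135.772:0): avc:  denied  { search } for  pid=4301 exe=/usr/lib/mozilla-1.7/mozilla-xremote-client name=.X11-unix dev=hda2 ino=1840558 scontext=richard:staff_r:staff_mozilla_t tcontext=system_u:object_r:xdm_tmp_t tclass=dir",
    "Jul  8 14:45:44 new2 kernel: audit(1089312344.553:0): avc:  denied  { setattr } for  pid=2513 exe=/usr/bin/gdm-binary name=.ICE-unix dev=hda2 ino=1840546 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:xdm_xserver_tmp_t tclass=dir",
    "Jul  8 14:45:44 new2 kernel: audit(1089312344.554:0): avc:  denied  { setattr } for  pid=2513 exe=/usr/bin/gdm-binary name=.ICE-unix dev=hda2 ino=1840546 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:xdm_xserver_tmp_t tclass=dir",
]


def parse_avc(line):
    """Return a dict for one AVC message (decision, perms, and every key=value
    field), or None if the line is not an AVC message at all."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"decision": m.group("decision"), "perms": m.group("perms").split()}
    rec.update(FIELD_RE.findall(m.group("fields")))  # pid, exe, name, ino, scontext, ...
    return rec


def context_type(ctx):
    """user:role:type -> type (assumes no trailing MLS range, as in the log above)."""
    return ctx.split(":")[2]


def allow_rule(rec):
    """The rule audit2allow would print for this denial."""
    return "allow %s %s:%s { %s };" % (
        context_type(rec["scontext"]),
        context_type(rec["tcontext"]),
        rec["tclass"],
        " ".join(rec["perms"]),
    )


def summarize_denials(lines):
    """Map each would-be allow rule to the set of (exe, name) pairs that produced it.
    Granted messages (the load_policy ones) and non-AVC lines are skipped."""
    by_rule = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        by_rule[allow_rule(rec)].add((rec.get("exe", "?"), rec.get("name", "?")))
    return dict(by_rule)


if __name__ == "__main__":
    for rule, subjects in summarize_denials(SAMPLE_LOG).items():
        print(rule)
        for exe, name in sorted(subjects):
            print("    %s -> %s" % (exe, name))
```

The output groups the two mozilla-xremote-client denials under one rule and
shows that the object is .X11-unix (the X server socket directory), which is what
you need to decide whether the fix is a label change, a different type for that
directory, or a policy rule; the bare `allow` line gives you none of that.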





More information about the selinux mailing list