Hello,
Yesterday I upgraded from F16 to F17 (I did a fresh re-install because my boot partition was too small). I play QuakeLive, which is a game that runs as a Firefox plugin. It requires access to the ~/.quakelive directory, where it downloads maps and stores its configuration. In F16 I had no problems, but it seems that F17 has a more strict SELinux policy. Unfortunately I have very little experience with SELinux and I don't want to completely disable it.
I tried to fix it by issuing the following
# grep plugin-containe /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
every time a new alert is reported. However, it seems like a never-ending task.
Could someone give me advice on how to fix this issue, please?
Mr. David Miller seems to have exactly the same problem.
Here is example SELinux alert that occurs during installation:
Code:
SELinux is preventing /usr/lib64/xulrunner-2/plugin-container from create access on the file manifest.xfer.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that plugin-container should be allowed create access on the manifest.xfer file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep plugin-containe /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023
Target Context unconfined_u:object_r:user_home_dir_t:s0
Target Objects manifest.xfer [ file ]
Source plugin-containe
Source Path /usr/lib64/xulrunner-2/plugin-container
Port <Neznámé>
Host kotomi
Source RPM Packages xulrunner-13.0-1.fc17.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.10.0-128.fc17.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name kotomi
Platform Linux kotomi 3.4.0-1.fc17.x86_64 #1 SMP Sun Jun 3 06:35:17 UTC 2012 x86_64 x86_64
Alert Count 106
First Seen Pá 8. červen 2012, 22:08:53 CEST
Last Seen Pá 8. červen 2012, 22:09:14 CEST
Local ID c0a4cc81-2590-42d9-a75f-a86a1fc30bf3
Raw Audit Messages
type=AVC msg=audit(1339186154.103:348): avc: denied { create } for pid=6424 comm="plugin-containe" name="manifest.xfer" scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file
type=SYSCALL msg=audit(1339186154.103:348): arch=x86_64 syscall=open success=no exit=EACCES a0=7f45e8f1e0d0 a1=241 a2=1b6 a3=0 items=0 ppid=5379 pid=6424 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=5 comm=plugin-containe exe=/usr/lib64/xulrunner-2/plugin-container subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)
Hash: plugin-containe,mozilla_plugin_t,user_home_dir_t,file,create
audit2allow
unable to open /sys/fs/selinux/policy: Permission denied
audit2allow -R
unable to open /sys/fs/selinux/policy: Permission denied
Any advice is appreciated. Thank you.
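
An added example, not part of the original post: a Python script that groups AVC denials from audit.log by source type, target type and object class, so a stream of repeated alerts can be reviewed as a few distinct rules before any module is loaded with semodule. The first sample record is the one quoted in the post; the other records are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Contexts exactly as they appear in the alert quoted in the post.
SCTX = "unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023"
TCTX = "unconfined_u:object_r:user_home_dir_t:s0"
TAIL = f'pid=6424 comm="plugin-containe" name="{{}}" scontext={SCTX} tcontext={TCTX} tclass={{}}'
# Record 1 is from the post; records 2-4 are constructed for illustration.
SAMPLE_LOG = "\n".join([
    "type=AVC msg=audit(1339186154.103:348): avc: denied { create } for " + TAIL.format("manifest.xfer", "file"),
    "type=AVC msg=audit(1339186154.203:349): avc:  denied  { write open } for  " + TAIL.format("manifest.xfer", "file"),
    "type=AVC msg=audit(1339186155.010:350): avc: denied { create } for " + TAIL.format("example_dir", "dir"),
    "type=SYSCALL msg=audit(1339186155.010:350): arch=x86_64 syscall=mkdir success=no exit=EACCES",
])

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field (third colon-separated part) of a security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def summarize(log_text):
    """Group denials by (source type, target type, class); skip non-AVC lines."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "names": set()})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
        if not {"scontext", "tcontext", "tclass"} <= fields.keys():
            continue  # truncated record, nothing reliable to group on
        key = (selinux_type(fields["scontext"]), selinux_type(fields["tcontext"]), fields["tclass"])
        groups[key]["perms"].update(m.group(1).split())
        groups[key]["count"] += 1
        groups[key]["names"].add(fields.get("name", "?"))
    return dict(groups)

def as_rules(groups):
    """Render each group as one allow rule, for review only."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(g['perms']))} }};"
            for (s, t, c), g in sorted(groups.items())]

if __name__ == "__main__":
    for rule in as_rules(summarize(SAMPLE_LOG)):
        print(rule)
```

To run it on a real system, pass the contents of /var/log/audit/audit.log (readable by root) to `summarize` instead of `SAMPLE_LOG`.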