Open
Bug 753896
Opened 13 years ago
Updated 3 years ago
SELinux is preventing /usr/libexec/colord from 'read, search' accesses on the directory /media/56bab864-52f4-440f-87c0-000ec69d9830
Categories
(Core :: Graphics: Color Management, defect)
UNCONFIRMED
People
(Reporter: viabsb, Unassigned)
Details
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0
Build ID: 20120424151814
Steps to reproduce:
Opened a media
Actual results:
***** Plugin restorecon (confiança 99.5 ) sugere ***************************
Seyou want to fix the label.
/media/56bab864-52f4-440f-87c0-000ec69d9830 default label should be mnt_t.
Então you can run restorecon.
Faça
# /sbin/restorecon -v /media/56bab864-52f4-440f-87c0-000ec69d9830
***** Plugin catchall (confiança 1.49 ) sugere *****************************
Seyou believe that colord should be allowed read search access on the 56bab864-52f4-440f-87c0-000ec69d9830 directory by default.
Entãoyou should report this as a bug.
You can generate a local policy module to allow this access.
Faça
allow this access for now by executing:
# grep colord /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Contexto de origem system_u:system_r:colord_t:s0-s0:c0.c1023
Contexto de destino system_u:object_r:boot_t:s0
Objetos de destino /media/56bab864-52f4-440f-87c0-000ec69d9830 [ dir
]
Origem colord
Caminho da origem /usr/libexec/colord
Porta <Desconhecido>
Máquina macdell.mac
Pacotes RPM de origem colord-0.1.15-1.fc15
Pacotes RPM de destino
RPM da política selinux-policy-3.9.16-52.fc15
Selinux habilitado True
Tipo de política targeted
Modo reforçado Permissive
Nome da máquina macdell.mac
Plataforma Linux macdell.mac 2.6.43.2-6.fc15.x86_64 #1 SMP
Sat Apr 21 12:53:32 UTC 2012 x86_64 x86_64
Contador de alertas 1
Visto pela primeira vez em Qui 10 Mai 2012 14:32:22 BRT
Visto pela última vez em Qui 10 Mai 2012 14:32:22 BRT
ID local 7867116d-5984-4a35-9286-2ba33a785219
Mensagens de auditoria não processadas
type=AVC msg=audit(1336671142.42:86): avc: denied { read search } for pid=3453 comm="colord" name="/" dev="sdc1" ino=2 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:boot_t:s0 tclass=dir
type=SYSCALL msg=audit(1336671142.42:86): arch=x86_64 syscall=access success=yes exit=0 a0=1cd8d40 a1=5 a2=7fff22974020 a3=1 items=0 ppid=1 pid=3453 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=colord exe=/usr/libexec/colord subj=system_u:system_r:colord_t:s0-s0:c0.c1023 key=(null)
Hash: colord,colord_t,boot_t,dir,read,search
audit2allow
#============= colord_t ==============
allow colord_t boot_t:dir { read search };
audit2allow -R
#============= colord_t ==============
allow colord_t boot_t:dir { read search };
I did what the messages told me to do and audit2allow -R stopped the terminal until I Ctrl-C'd it.
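Added example, not part of the original report or of any project's code: a small parser for the AVC record quoted above that reproduces the rule audit2allow printed and separates a labeling problem from a policy gap. The expected type `mnt_t` is taken from the restorecon plugin's suggestion in the report; the function names and the `relabel`/`policy` verdicts are hypothetical.

```python
import re

# Sample input: the AVC record quoted in the report above, embedded so this runs offline.
AVC = ('type=AVC msg=audit(1336671142.42:86): avc: denied { read search } '
       'for pid=3453 comm="colord" name="/" dev="sdc1" ino=2 '
       'scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 '
       'tcontext=system_u:object_r:boot_t:s0 tclass=dir')

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None
    # A context is user:role:type:level; the level may itself contain colons,
    # so take the third component instead of splitting from the right.
    fields['stype'] = fields['scontext'].split(':')[2]
    fields['ttype'] = fields['tcontext'].split(':')[2]
    fields['perms'] = m.group('perms').split()
    return fields


def allow_rule(f):
    """Render the allow rule in the form audit2allow printed in the report."""
    perms = f['perms']
    body = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    return 'allow %s %s:%s %s;' % (f['stype'], f['ttype'], f['tclass'], body)


def triage(f, expected_ttype):
    """expected_ttype: default type for the path, supplied by the caller
    (here mnt_t, as the restorecon plugin output states)."""
    if f['ttype'] != expected_ttype:
        return 'relabel'   # object carries the wrong label; restorecon fixes it
    return 'policy'        # label is correct, so the missing rule is the question


if __name__ == '__main__':
    rec = parse_avc(AVC)
    print(allow_rule(rec))
    print(triage(rec, 'mnt_t'))
```

For this record the verdict is `relabel`, which matches the restorecon plugin's 99.5 confidence over the catchall plugin's local policy module.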
Comment 2•13 years ago
Exactly what is the alleged bug in Firefox?
If someone creates security policies to lock down Firefox then it's not Mozilla's task to try to break out of the sandbox.
Comment 3•10 years ago
I guess you specified a color profile (gfx.color_management.display_profile) somewhere in /media/56bab864-52f4-440f-87c0-000ec69d9830.
I see three ways of solving it:
* SELinux profiles could be changed,
* Firefox could complain about colord not working,
* you could put the profile into a place which colord is allowed to access.
QA Whiteboard: [bugday-20150330]
Component: Untriaged → GFX: Color Management
Product: Firefox → Core
Summary: SELinux is preventing /usr/libexec/colord from 'read, search' accesses on the diretório /media/56bab864-52f4-440f-87c0-000ec69d9830 → SELinux is preventing /usr/libexec/colord from 'read, search' accesses on the directory /media/56bab864-52f4-440f-87c0-000ec69d9830
Updated•3 years ago
Severity: normal → S3