mozilla not starting in enforcing mode

Russell Coker russell at coker.com.au
Mon Jun 21 04:01:37 UTC 2004


On Mon, 21 Jun 2004 10:47, Richard Hally <rhallyx at mindspring.com> wrote:
> Jun 20 20:31:30 new2 kernel: audit(1087777890.697:0): avc:  denied  {
> write } for  pid=3471 exe=/usr/lib/mozilla-1.6/mozilla-xremote-client
> name=X0 dev=hda2 ino=1840568 scontext=richard:staff_r:staff_mozilla_t
> tcontext=system_u:object_r:xdm_tmp_t tclass=sock_file

That's a known issue.  The policy regarding X client applications connecting 
to servers needs to be re-written to make it cleaner.  For the moment just 
allow this.

> Jun 20 20:31:34 new2 kernel: audit(1087777894.263:0): avc:  denied  {
> unlink } for  pid=3457 exe=/usr/lib/mozilla-1.6/mozilla-bin
> name=.fonts.cache-1 dev=hda2 ino=1091707
> scontext=richard:staff_r:staff_mozilla_t
> tcontext=richard:object_r:staff_home_t tclass=file

This is an instance of the big problem with having multiple domains used for 
applications run from the user's account.  They have files that are used by 
multiple applications and there is no consistent way of managing them.  
The .fonts.cache file is used by many programs other than mozilla, most of 
which run as staff_t (in the case of staff_r logins) and therefore the type 
is staff_home_t.  Labelling the file as staff_mozilla_rw_t is not going to 
work as I think that some programs will unlink and recreate it.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


