SELinux is preventing /usr/lib64/firefox/plugin-container from 'name_bind' accesses on the tcp_socket

Solution Verified - Updated -

Issue

  • The SELinux setroubleshoot program generates the following error message:
:*****  Plugin mozplugger (99.1 confidence) suggests   ************************
:
:If you want to use the plugin package
:Then you must turn off SELinux controls on the Firefox plugins.
:Do
:# setsebool -P unconfined_mozilla_plugin_transition 0
:
:*****  Plugin catchall (1.81 confidence) suggests   **************************
:
:If you believe that plugin-container should be allowed name_bind access on the  tcp_socket by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep plugin-containe /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
:                              0.c1023
:Target Context                system_u:object_r:amqp_port_t:s0
:Target Objects                 [ tcp_socket ]
:Source                        plugin-containe
:Source Path                   /usr/lib64/firefox/plugin-container
:Port                          5672
:Host                          (removed)
:Source RPM Packages           firefox-31.2.0-3.el7_0.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.12.1-153.el7_0.11.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.10.0-123.8.1.el7.x86_64 #1 SMP
:                              Mon Aug 11 13:37:49 EDT 2014 x86_64 x86_64
:Alert Count                   1
:First Seen                    2014-10-22 16:58:24 CEST
:Last Seen                     2014-10-22 16:58:24 CEST
:Local ID                      f7f0b847-5ed0-4b66-9212-a8502d46cfa4
:
:Raw Audit Messages
:type=AVC msg=audit(1413989904.770:3522): avc:  denied  { name_bind } for  pid=22618 comm="plugin-containe" src=5672 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket
:
:
:type=SYSCALL msg=audit(1413989904.770:3522): arch=x86_64 syscall=bind success=no exit=EACCES a0=31 a1=7ffb1d4fb360 a2=10 a3=7ffb1d4fb39c items=0 ppid=6365 pid=22618 auid=14411 uid=14411 gid=14411 euid=14411 suid=14411 fsuid=14411 egid=14411 sgid=14411 fsgid=14411 tty=(none) ses=1 comm=plugin-containe exe=/usr/lib64/firefox/plugin-container subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)
:
:Hash: plugin-containe,mozilla_plugin_t,amqp_port_t,tcp_socket,name_bind

Environment

  • Red Hat Enterprise Linux 7
