SELinux is preventing /usr/lib64/firefox/plugin-container from 'name_bind' accesses on the tcp_socket

Solution Verified - Updated -

Issue

  • The SELinux setroubleshoot program generates the following error message:
:*****  Plugin mozplugger (99.1 confidence) suggests   ************************
:
:If you want to use the plugin package
:Then you must turn off SELinux controls on the Firefox plugins.
:Do
:# setsebool -P unconfined_mozilla_plugin_transition 0
:
:*****  Plugin catchall (1.81 confidence) suggests   **************************
:
:If you believe that plugin-container should be allowed name_bind access on the  tcp_socket by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep plugin-containe /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
:                              0.c1023
:Target Context                system_u:object_r:amqp_port_t:s0
:Target Objects                 [ tcp_socket ]
:Source                        plugin-containe
:Source Path                   /usr/lib64/firefox/plugin-container
:Port                          5672
:Host                          (removed)
:Source RPM Packages           firefox-31.2.0-3.el7_0.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.12.1-153.el7_0.11.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.10.0-123.8.1.el7.x86_64 #1 SMP
:                              Mon Aug 11 13:37:49 EDT 2014 x86_64 x86_64
:Alert Count                   1
:First Seen                    2014-10-22 16:58:24 CEST
:Last Seen                     2014-10-22 16:58:24 CEST
:Local ID                      f7f0b847-5ed0-4b66-9212-a8502d46cfa4
:
:Raw Audit Messages
:type=AVC msg=audit(1413989904.770:3522): avc:  denied  { name_bind } for  pid=22618 comm="plugin-containe" src=5672 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket
:
:
:type=SYSCALL msg=audit(1413989904.770:3522): arch=x86_64 syscall=bind success=no exit=EACCES a0=31 a1=7ffb1d4fb360 a2=10 a3=7ffb1d4fb39c items=0 ppid=6365 pid=22618 auid=14411 uid=14411 gid=14411 euid=14411 suid=14411 fsuid=14411 egid=14411 sgid=14411 fsgid=14411 tty=(none) ses=1 comm=plugin-containe exe=/usr/lib64/firefox/plugin-container subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)
:
:Hash: plugin-containe,mozilla_plugin_t,amqp_port_t,tcp_socket,name_bind

Environment

  • Red Hat Enterprise Linux 7
