[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Mozilla Denials Question

To: selinux@xxxxxxxxxxxxx
Subject: Mozilla Denials Question
From: Ivan Gyurdiev <ivg2@xxxxxxxxxxx>
Date: Thu, 31 Mar 2005 13:23:16 -0500
Organization: Cornell University
Reply-to: ivg2@xxxxxxxxxxx
Sender: owner-selinux@xxxxxxxxxxxxx

Ok, why does it do that? 

audit(1112171413.328:1286470): avc:  denied  { read } for  pid=2095
exe=/usr/lib/firefox-1.0.2/firefox-bin name=lokkit dev=dm-0 ino=1032605
scontext=phantom:staff_r:staff_mozilla_t
tcontext=system_u:object_r:sbin_t tclass=file
audit(1112171417.018:1304950): avc:  denied  { read } for  pid=2095
exe=/usr/lib/firefox-1.0.2/firefox-bin name=rsync dev=dm-0 ino=1032829
scontext=phantom:staff_r:staff_mozilla_t
tcontext=system_u:object_r:rsync_exec_t tclass=file

... 500 more times for every executable in /usr/bin and /usr/sbin
after attempting to add a plugin handler.

It's already a browsing app, which means we don't audit
read:dir and getattr:file and some more things, but
read:file dontaudit seems like too much.

Why does it want to read the files?

-- 
Ivan Gyurdiev <ivg2@xxxxxxxxxxx>
Cornell University


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.

Prev by Date: Question about customizing apache policy.
Next by Date: Re: Desktop apps interoperability
Previous by thread: Re: Question about customizing apache policy.
Next by thread: Cron /null fd:use use denials
Index(es):
- Date
- Thread

This mailing list archive is a service of Copilot Consulting.