On 07/30/2017 03:56 PM, Paul Allen Newell wrote:
On 07/24/2017 01:13 AM, Bob Goodwin wrote:
> On 07/23/17 20:34, Ed Greshko wrote:
>> First, I hardly ever use firefox. I have it set up to use a network proxy for a
>> specific use case that I occasionally need. With that in mind.
>>
>> My "thought" process and diagnosis went about like this.... .... Snip ....
> +
>
> I can probably do this in the event of another similar problem and have saved this
> to my notes.
>
> Thank you
>
After going through this thread and looking at Ed's replies as to "what to do"
(being "setsebool -P unconfined_mozilla_plugin_transition 0"), I went back to my
"NVidia instead of nouveau" issues (which included a thread with Ed explaining to
me some stuff I did not understand).
Ed's suggestion of "setsebool -P unconfined_mozilla_plugin_transition 0" is exactly
what SELinux advises me to do now that I have NVidia instead of nouveau installed
when dealing with Firefox issues.
The selinux issue with the firefox plugin has no relationship to either nVidia,
nouveau, or any other video driver.
Am I to gather that this "setsebool -P unconfined_mozilla_plugin_transition 0"
suggestion pretty much is a global statement to say "*anything* that SELinux pings
in anything dealing with Firefox" will be ignored once this setsebool rule is
enacted?
No. It only has to do with the mozilla plugin....
[root@meimei ~]# semanage boolean -l | grep mozilla_plugin_tran
unconfined_mozilla_plugin_transition (on , on) Allow unconfined users to
transition to the Mozilla plugin domain when running xulrunner plugin-container.
Which basically would control what processes can be executed by the plugin.
Not making a value judgment with that statement, just trying to understand how big
the scope of that SELinux rule is. For the record, I have not granted that
exception as I have yet to see any problem with NVidia and Firefox that requires an
intervention.
I guess I'm a bit confused.
In your second paragraph you said ""setsebool -P unconfined_mozilla_plugin_transition
0" is exactly what SELinux advises me to do now that I have NVidia instead of nouveau
installed when dealing with Firefox issues." But now you've said "I have not
granted that exception as I have yet to see any problem with NVidia and Firefox that
requires an intervention."
But, again, the selinux messages we're talking about here have no relationship to the
video hardware or driver in use.
You may not hit an issue so you may not need to make the change. In the case of
going to puzzles.usatoday.com, running the flash plugin and then trying to print, the
plugin isn't being allowed access to information about printers.....it would seem.
If you hit an issue that requires you change the boolean (and chances are you won't
know it unless you disable dontaudit) and you are concerned about a security risk I
would ask on the selinux mailing list. They have the expertise. I
--
Fedora Users List - The place to go to speculate endlessly