Bug 250249

Summary: policy for new package (nspluginwrapper)
Product: [Fedora] Fedora Reporter: Martin Stransky <stransky>
Component: nspluginwrapperAssignee: Martin Stransky <stransky>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: caillon, drepper, jakub, james_j_catchpole, jeanfrancois.brisse, katzj, ma, mcepl, mcepl, opie.reger, peldor, pezuc, phaceton, rvr
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-04-01 04:59:43 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 428169    
Attachments:
Description Flags
Proposed patch to selinux-policy. I've derived it from the mozilla policy files. none

Description Martin Stransky 2007-07-31 12:51:29 UTC
Description of problem:

There's a new package nspluginwrapper in the distribution. It's used for
wrapping mozilla plugins and allows run 32-bit plugins on 64-bit system.

A configuration tool what is distributed with that package (and this package
itself) doesn't work with selinux. It needs rights to write to
/usr/lib(64)/mozilla/, executes plugins / viewer files and so on.

Version-Release number of selected component (if applicable):


How reproducible:

Install nspluginwrapper /seamonkey / firefox packages from devel.


Steps to Reproduce:
1. install / update all packages
2. run firefox / seamonkey
3.
  
Actual results:

There're many audit enties.

Expected results:


Additional info:

Comment 1 Martin Stransky 2007-07-31 12:51:29 UTC
Created attachment 160313 [details]
Proposed patch to selinux-policy. I've derived it from the mozilla policy files.

Comment 2 Daniel Walsh 2007-09-13 17:11:51 UTC
What policy are you running where you  are seeing these avc's?

Please attach the avc messages?

Comment 3 Martin Stransky 2007-09-20 09:58:03 UTC
*** Bug 297341 has been marked as a duplicate of this bug. ***

Comment 4 Martin Stransky 2007-09-20 10:19:18 UTC
Packages:

selinux-policy-mls-2.6.4-40.fc7
selinux-policy-strict-2.6.4-40.fc7
selinux-policy-targeted-2.6.4-40.fc7

From targeted:

Sep 20 11:21:02 dhcp-lab-232 kernel: audit(1190280062.886:45): avc:  denied  {
execmod } for  pid=22831 comm="npviewer.bin" na
me="nppdf.so" dev=sda1 ino=7100303 scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:object_r:lib_t:s0 tclass=file


Comment 5 Martin Stransky 2007-09-20 10:27:14 UTC
From strict:

Sep 20 12:21:32 dhcp-lab-232 kernel: audit(1190283692.804:190): avc:  denied  {
execstack } for  pid=3024 comm="npviewer.bin" scontext=user_u:user_r:user_t:s0
tcontext=user_u:user_r:user_t:s0 tclass=process

Sep 20 12:21:32 dhcp-lab-232 kernel: audit(1190283692.804:191): avc:  denied  {
execmem } for  pid=3024 comm="npviewer.bin" scontext=user_u:user_r:user_t:s0
tcontext=user_u:user_r:user_t:s0 tclass=process

Sep 20 12:21:59 dhcp-lab-232 kernel: audit(1190283719.490:192): avc:  denied  {
execmod } for  pid=3050 comm="npviewer.bin" name="nppdf.so" dev=sda1 ino=7100303
scontext=user_u:user_r:user_t:s0 tcontext=user_u:object_r:lib_t:s0 tclass=file


Comment 6 Daniel Walsh 2007-09-21 18:13:39 UTC
nppdf.so should not need execmod.  This is a build problem.  Also you can label
npvierwer.bin as unconfined_execmem_exec_t to get it to work in targeted policy

Does this app really need execstack and execmem to work?

Comment 7 Martin Stransky 2007-10-10 11:50:11 UTC
(In reply to comment #6)
> nppdf.so should not need execmod.  This is a build problem.  Also you can label
> npvierwer.bin as unconfined_execmem_exec_t to get it to work in targeted policy
> 
> Does this app really need execstack and execmem to work?

npvierwer.bin manually extracts symbols from loaded plugins (by dlopen/dlsym)
and runs them. Can that cause the execstack / execmem issues?

I checked the code but I have no idea what else can emit the messages....

Comment 8 Ulrich Drepper 2007-10-10 15:45:14 UTC
(In reply to comment #7)
> npvierwer.bin manually extracts symbols from loaded plugins (by dlopen/dlsym)
> and runs them. Can that cause the execstack / execmem issues?

No, there is no difference to calling the functions the traditional way.

I've explained in

http://people.redhat.com/drepper/selinux-mem.html

and the papers it references how the various errors are created.  It should be
clear that this has nothing to do with dlopen etc.

Comment 9 Martin Stransky 2007-10-11 13:00:05 UTC
There's another part what can cause it.

// Netscape exported functions
static NPNetscapeFuncs mozilla_funcs;
static const rpc_method_descriptor_t vtable[] = { ... }

$ objdump -x npviewer.bin
0000000000410120 l     O .rodata        0000000000000170 vtable.45223
0000000000614880 l     O .bss   0000000000000158 mozilla_funcs

These structures hold pointers to plugin / RPC functions, are exported to
plugins and functions there are called from them...



Comment 10 Martin Stransky 2007-11-26 22:24:16 UTC
*** Bug 388691 has been marked as a duplicate of this bug. ***

Comment 11 Martin Stransky 2007-12-13 09:42:39 UTC
*** Bug 422481 has been marked as a duplicate of this bug. ***

Comment 12 Martin Stransky 2008-01-03 11:17:00 UTC
*** Bug 426770 has been marked as a duplicate of this bug. ***

Comment 13 Martin Stransky 2008-01-03 11:17:52 UTC
*** Bug 426964 has been marked as a duplicate of this bug. ***

Comment 14 Martin Stransky 2008-01-04 22:00:02 UTC
*** Bug 292641 has been marked as a duplicate of this bug. ***

Comment 15 Martin Stransky 2008-01-08 10:29:19 UTC
*** Bug 427967 has been marked as a duplicate of this bug. ***

Comment 16 Matěj Cepl 2008-01-08 21:01:02 UTC
*** Bug 428025 has been marked as a duplicate of this bug. ***

Comment 17 Martin Stransky 2008-02-19 17:21:29 UTC
*** Bug 398621 has been marked as a duplicate of this bug. ***

Comment 18 Martin Stransky 2008-02-20 07:53:04 UTC
*** Bug 431446 has been marked as a duplicate of this bug. ***

Comment 19 Antonio A. Olivares 2008-02-27 13:11:01 UTC
Should this be also considered part of this bug?


Summary:

SELinux is preventing plugin-config (nsplugin_config_t) "execstack" to <Unknown>
(nsplugin_config_t).

Detailed Description:

SELinux denied access requested by plugin-config. It is not expected that this
access is required by plugin-config and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:unconfined_r:nsplugin_config_t
                              :SystemLow-SystemHigh
Target Context                unconfined_u:unconfined_r:nsplugin_config_t
                              :SystemLow-SystemHigh
Target Objects                None [ process ]
Source                        plugin-config
Source Path                   /usr/lib/nspluginwrapper/plugin-config
Port                          <Unknown>
Host                          localhost
Source RPM Packages           nspluginwrapper-0.9.91.5-22.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.0-1.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost
Platform                      Linux localhost 2.6.25-0.65.rc2.git7.fc9 #1 SMP
                              Sat Feb 23 23:06:09 EST 2008 i686 athlon
Alert Count                   4
First Seen                    Tue 26 Feb 2008 03:17:23 PM CST
Last Seen                     Wed 27 Feb 2008 06:44:46 AM CST
Local ID                      276820c9-9871-4632-8ec1-c8909c8d7c0b
Line Numbers                  

Raw Audit Messages            

host=localhost type=AVC msg=audit(1204116286.116:403): avc:  denied  { execstack
} for  pid=8821 comm="plugin-config"
scontext=unconfined_u:unconfined_r:nsplugin_config_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:nsplugin_config_t:s0-s0:c0.c1023 tclass=process

host=localhost type=SYSCALL msg=audit(1204116286.116:403): arch=40000003
syscall=125 success=no exit=-13 a0=bfbf3000 a1=1000 a2=1000007 a3=fffff000
items=0 ppid=8819 pid=8821 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0
egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="plugin-config"
exe="/usr/lib/nspluginwrapper/plugin-config"
subj=unconfined_u:unconfined_r:nsplugin_config_t:s0-s0:c0.c1023 key=(null)


and/or also the nptviewer?


Summary:

SELinux is preventing npviewer.bin (nsplugin_t) "read" to controlC0
(sound_device_t).

Detailed Description:

SELinux denied access requested by npviewer.bin. It is not expected that this
access is required by npviewer.bin and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for controlC0,

restorecon -v 'controlC0'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:unconfined_r:nsplugin_t:SystemLow-
                              SystemHigh
Target Context                system_u:object_r:sound_device_t
Target Objects                controlC0 [ chr_file ]
Source                        npviewer.bin
Source Path                   /usr/lib/nspluginwrapper/npviewer.bin
Port                          <Unknown>
Host                          localhost
Source RPM Packages           nspluginwrapper-0.9.91.5-22.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.0-1.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     localhost
Platform                      Linux localhost 2.6.25-0.65.rc2.git7.fc9 #1 SMP
                              Sat Feb 23 23:06:09 EST 2008 i686 athlon
Alert Count                   176
First Seen                    Tue 26 Feb 2008 03:24:34 PM CST
Last Seen                     Tue 26 Feb 2008 03:24:47 PM CST
Local ID                      469b1532-4ab3-4757-be58-2248cc0f9f05
Line Numbers                  

Raw Audit Messages            

host=localhost type=AVC msg=audit(1204061087.213:287): avc:  denied  { read }
for  pid=20571 comm="npviewer.bin" name="controlC0" dev=tmpfs ino=5318
scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sound_device_t:s0 tclass=chr_file

host=localhost type=SYSCALL msg=audit(1204061087.213:287): arch=40000003
syscall=5 success=no exit=-13 a0=bfe5d482 a1=0 a2=1e a3=bfe5d482 items=0
ppid=20512 pid=20571 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500
egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="npviewer.bin"
exe="/usr/lib/nspluginwrapper/npviewer.bin"
subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null)




I ask this in order for them not be duplicate bugs :)  Also, ntpviewer does not
exist in bugzilla.  Please let me know if I should file a new bug and against
what component(s).

Thanks,

Antonio 



Comment 20 Matěj Cepl 2008-03-31 21:19:05 UTC
*** Bug 439886 has been marked as a duplicate of this bug. ***

Comment 21 Matěj Cepl 2008-03-31 21:19:22 UTC
*** Bug 439885 has been marked as a duplicate of this bug. ***

Comment 22 Matěj Cepl 2008-03-31 21:20:10 UTC
*** Bug 437508 has been marked as a duplicate of this bug. ***

Comment 23 Daniel Walsh 2008-04-01 04:59:43 UTC
Fixed in selinux-policy-3.3.1-26.fc9.noarch