Bug 429899

Summary: SELinux is preventing plugin-config(/usr/lib/nspluginwrapper/plugin-config) (nsplugin_t) ...
Product: Fedora
Reporter: Zack Cerza <zcerza>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE
QA Contact: Ben Levenson <benl>
Severity: low
Priority: low
Version: rawhide
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-01-24 19:14:46 UTC

Description Zack Cerza 2008-01-23 17:50:33 UTC
Description of problem:
Three denials here happened simultaneously as I started up Firefox.

Version-Release number of selected component (if applicable):
firefox-3.0-0.beta2.12.nightly20080121.fc9.i386
nspluginwrapper-0.9.91.5-21.fc9.i386
selinux-policy-targeted-3.2.5-17.fc9.noarch

Additional info:
host=tak type=AVC msg=audit(1201110307.763:22): avc: denied { sys_nice } for
pid=3649 comm="plugin-config" capability=23
scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tclass=capability 

host=tak type=AVC msg=audit(1201110307.763:22): avc: denied { setsched } for
pid=3649 comm="plugin-config"
scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tclass=process 

host=tak type=SYSCALL msg=audit(1201110307.763:22): arch=40000003 syscall=156
success=yes exit=0 a0=e41 a1=0 a2=bfb50804 a3=b7f086c0 items=0 ppid=3647
pid=3649 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500
fsgid=500 tty=(none) comm="plugin-config"
exe="/usr/lib/nspluginwrapper/plugin-config"
subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null) 


host=tak type=AVC msg=audit(1201110307.762:21): avc: denied { getsched } for
pid=3649 comm="plugin-config"
scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tclass=process 

host=tak type=SYSCALL msg=audit(1201110307.762:21): arch=40000003 syscall=155
success=yes exit=0 a0=e41 a1=b7f088cc a2=4a5aff4 a3=b7f086c0 items=0 ppid=3647
pid=3649 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500
fsgid=500 tty=(none) comm="plugin-config"
exe="/usr/lib/nspluginwrapper/plugin-config"
subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null) 

host=tak type=AVC msg=audit(1201110307.763:23): avc: denied { create } for
pid=3649 comm="plugin-config"
scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tclass=tcp_socket 

host=tak type=SYSCALL msg=audit(1201110307.763:23): arch=40000003 syscall=102
success=yes exit=4 a0=1 a1=bfb507f0 a2=4e3b5d4 a3=13a76bc items=0 ppid=3647
pid=3649 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500
fsgid=500 tty=(none) comm="plugin-config"
exe="/usr/lib/nspluginwrapper/plugin-config"
subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null)

Comment 1 Zack Cerza 2008-01-23 22:29:20 UTC
Two more. Please let me know if I should file any of these separately.

host=tak type=AVC msg=audit(1201126625.483:74): avc: denied { search } for
pid=16638 comm="npviewer" name="/" dev=devpts ino=1
scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023
tcontext=system_u:object_r:devpts_t:s0 tclass=dir

host=tak type=SYSCALL msg=audit(1201126625.483:74): arch=40000003 syscall=5
success=yes exit=3 a0=80d279e a1=8802 a2=0 a3=8802 items=0 ppid=16637 pid=16638
auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500
tty=pts2 comm="npviewer" exe="/bin/bash"
subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null) 

host=tak type=AVC msg=audit(1201126625.468:73): avc: denied { read write } for
pid=16637 comm="plugin-config" name="2" dev=devpts ino=4
scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:unconfined_devpts_t:s0 tclass=chr_file 

host=tak type=SYSCALL msg=audit(1201126625.468:73): arch=40000003 syscall=11
success=yes exit=0 a0=8393540 a1=83965e8 a2=8393ea8 a3=0 items=0 ppid=16635
pid=16637 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500
fsgid=500 tty=pts2 comm="plugin-config"
exe="/usr/lib/nspluginwrapper/plugin-config"
subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null) 
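
The denials in this report are easier to judge once they are collapsed into the rule each set of them would need. The shell script below is an added example; it is not part of the report and is not the setroubleshoot or audit2allow code. It reads raw audit records on stdin and prints one allow-style line per (source type, target type, object class), with the merged permission set and the number of denials behind it. The sample is constructed from the report's own AVC lines, re-joined onto one line each as the audit log writes them, plus one of the SYSCALL records to show that non-AVC lines are ignored.

```shell
#!/bin/sh
# Added example (not from the bug report): summarise AVC denials as the
# allow rules they would require, so a reviewer can see what a policy change
# or boolean would actually grant.

# Constructed sample: the report's AVC records, one per line, plus a SYSCALL
# record that the summary must skip.
AVC_SAMPLE='host=tak type=AVC msg=audit(1201110307.763:22): avc: denied { sys_nice } for pid=3649 comm="plugin-config" capability=23 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tclass=capability
host=tak type=AVC msg=audit(1201110307.763:22): avc: denied { setsched } for pid=3649 comm="plugin-config" scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tclass=process
host=tak type=SYSCALL msg=audit(1201110307.763:22): arch=40000003 syscall=156 success=yes exit=0 items=0 ppid=3647 pid=3649 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="plugin-config" exe="/usr/lib/nspluginwrapper/plugin-config" subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null)
host=tak type=AVC msg=audit(1201110307.762:21): avc: denied { getsched } for pid=3649 comm="plugin-config" scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tclass=process
host=tak type=AVC msg=audit(1201110307.763:23): avc: denied { create } for pid=3649 comm="plugin-config" scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tclass=tcp_socket
host=tak type=AVC msg=audit(1201126625.483:74): avc: denied { search } for pid=16638 comm="npviewer" name="/" dev=devpts ino=1 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:devpts_t:s0 tclass=dir
host=tak type=AVC msg=audit(1201126625.468:73): avc: denied { read write } for pid=16637 comm="plugin-config" name="2" dev=devpts ino=4 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_devpts_t:s0 tclass=chr_file'

# Usage: avc_summary < audit.log
# Prints "allow <src> <tgt>:<class> { perms };  # N denial(s)", one line per
# distinct (source type, target type, class), sorted.
avc_summary() {
    awk '
    /type=AVC/ {
        # Permission list sits between "denied {" and "}".
        if (!match($0, /denied [{][^}]*[}]/)) next
        permlist = substr($0, RSTART + 8, RLENGTH - 9)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            # Third colon-separated element of a context is the type.
            if (kv[1] == "scontext") { split(kv[2], p, ":"); src = p[3] }
            else if (kv[1] == "tcontext") { split(kv[2], p, ":"); tgt = p[3] }
            else if (kv[1] == "tclass") cls = kv[2]
        }
        key = src " " tgt ":" cls
        hits[key]++
        # Merge permissions for the same key, keeping each once.
        n = split(permlist, pl, " ")
        for (j = 1; j <= n; j++) {
            if (!((key, pl[j]) in seen)) {
                seen[key, pl[j]] = 1
                perms[key] = perms[key] " " pl[j]
            }
        }
    }
    END {
        for (k in hits) printf "allow %s {%s };  # %d denial(s)\n", k, perms[k], hits[k]
    }' | sort
}

# Standalone run over the constructed sample.
printf '%s\n' "$AVC_SAMPLE" | avc_summary
```

On a live system the same function can be fed `ausearch -m avc | avc_summary`; lines that are not AVC records are skipped. The summary only makes the decision visible: whether something like `allow nsplugin_t self:tcp_socket create` is acceptable for a setuid helper (the SYSCALL records show euid=0) is a policy judgement, not a parsing result.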

Comment 2 Daniel Walsh 2008-01-24 19:14:46 UTC
Two things should fix this in tonight's Rawhide.

One, by default unconfined domains will not transition to nsplugin domain.

If you want to use this domain, you need to turn on the

allow_unconfined_nsplugin_transition

boolean.

Also the policy for nsplugin has been fixed to allow the running of flashplugin.

Fixed in selinux-policy-3.2.3-19.fc9

Comment 3 Zack Cerza 2008-01-24 20:09:17 UTC
I just installed the new selinux-policy from koji, and I saw something odd:

/sbin/restorecon:  stat error on /usr/lib/nspluginwrapper/npviewer.bin
/usr/lib/nspluginwrapper/plugin-config:  No such file or directory

But the files are there:
[root@tak ~]# ll /usr/lib/nspluginwrapper/plugin-config
-rwsr-xr-x 1 root root 61744 2008-01-22 06:26 /usr/lib/nspluginwrapper/plugin-config
[root@tak ~]# ll /usr/lib/nspluginwrapper/npviewer.bin
-rwxr-xr-x 1 root root 137564 2008-01-22 06:26 /usr/lib/nspluginwrapper/npviewer.bin

So I ran:
[root@tak ~]# restorecon -v /usr/lib/nspluginwrapper/plugin-config
restorecon reset /usr/lib/nspluginwrapper/plugin-config context
system_u:object_r:nsplugin_exec_t:s0->system_u:object_r:nsplugin_config_exec_t:s0
[root@tak ~]# restorecon -v /usr/lib/nspluginwrapper/npviewer.bin
restorecon reset /usr/lib/nspluginwrapper/npviewer.bin context
system_u:object_r:bin_t:s0->system_u:object_r:nsplugin_exec_t:s0

And everything appears to be fixed. I'll reopen if that's not the case.

Thanks!

Comment 4 Daniel Walsh 2008-01-24 21:09:14 UTC
I wonder if there is a problem with fixfiles/restorecon in policycoreutils.

We have just added find -print0 | restorecon -0 -f - to fixfiles which is what
caused the output.
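
The restorecon output in comment 3 names two paths as if they were one file. One way to read that is that the list reached restorecon with a different record delimiter than it was told to expect; that is an assumption, not something the thread confirms. The script below is an added example, not part of the report or of policycoreutils: it builds a throwaway tree with the two file names from the report and counts how many complete records a NUL-aware consumer (what `restorecon -0 -f -` is) sees when the producer terminates with NUL versus newline. The functions and the sample tree are constructed here.

```shell
#!/bin/sh
# Added example (not from the bug report): check that a file list and the
# tool consuming it agree on the record delimiter before running something
# like "find ... -print0 | restorecon -0 -f -" over it.

# Complete NUL-terminated records on stdin (what a "-0" consumer sees).
count_nul_records() { tr -cd '\000' | wc -c | tr -d ' '; }

# Newline-terminated records on stdin (what a plain "-f -" consumer sees).
count_newline_records() { wc -l | tr -d ' '; }

# Constructed sample tree with the two file names from the report.
make_sample_tree() {
    dir=$(mktemp -d)
    : > "$dir/npviewer.bin"
    : > "$dir/plugin-config"
    printf '%s\n' "$dir"
}

# Records a NUL consumer sees when the producer uses -print0: one per file.
nul_consumer_with_print0() { find "$1" -type f -print0 | count_nul_records; }

# Records a NUL consumer sees when the producer emits newlines instead:
# no terminator at all, so everything up to EOF is one unterminated "path".
nul_consumer_with_newlines() { find "$1" -type f | count_nul_records; }

# Standalone run.
tree=$(make_sample_tree)
echo "print0 producer  -> NUL consumer: $(nul_consumer_with_print0 "$tree") records"
echo "newline producer -> NUL consumer: $(nul_consumer_with_newlines "$tree") records"
rm -rf "$tree"
```

A mismatch in either direction is cheap to catch before relabeling: the number of records the consumer will see must equal the number of files the producer found. A fused name is the harmless failure; a label that silently stays wrong, as with plugin-config keeping nsplugin_exec_t instead of nsplugin_config_exec_t in comment 3, is the one that matters for the domain transition.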