Bug 429899
Summary: | SELinux is preventing plugin-config(/usr/lib/nspluginwrapper/plugin-config) (nsplugin_t) ... | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Zack Cerza <zcerza> |
Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED RAWHIDE | QA Contact: | Ben Levenson <benl> |
Severity: | low | Priority: | low |
Version: | rawhide | Hardware: | All |
OS: | Linux | Doc Type: | Bug Fix |
Last Closed: | 2008-01-24 19:14:46 UTC | | |

Description
Zack Cerza
2008-01-23 17:50:33 UTC
Two more. Please let me know if I should file any of these separately.

```
host=tak type=AVC msg=audit(1201126625.483:74): avc: denied { search } for pid=16638 comm="npviewer" name="/" dev=devpts ino=1 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:devpts_t:s0 tclass=dir
host=tak type=SYSCALL msg=audit(1201126625.483:74): arch=40000003 syscall=5 success=yes exit=3 a0=80d279e a1=8802 a2=0 a3=8802 items=0 ppid=16637 pid=16638 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts2 comm="npviewer" exe="/bin/bash" subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null)
host=tak type=AVC msg=audit(1201126625.468:73): avc: denied { read write } for pid=16637 comm="plugin-config" name="2" dev=devpts ino=4 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_devpts_t:s0 tclass=chr_file
host=tak type=SYSCALL msg=audit(1201126625.468:73): arch=40000003 syscall=11 success=yes exit=0 a0=8393540 a1=83965e8 a2=8393ea8 a3=0 items=0 ppid=16635 pid=16637 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=pts2 comm="plugin-config" exe="/usr/lib/nspluginwrapper/plugin-config" subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null)
```

Two things should fix this in tonight's Rawhide.

One, by default unconfined domains will not transition to nsplugin domain. If you want to use this domain, you need to turn on the allow_unconfined_nsplugin_transition boolean.

Also the policy for nsplugin has been fixed to allow the running of flashplugin.

Fixed in selinux-policy-3.2.3-19.fc9

I just installed the new selinux-policy from koji, and I saw something odd:

```
/sbin/restorecon: stat error on /usr/lib/nspluginwrapper/npviewer.bin /usr/lib/nspluginwrapper/plugin-config: No such file or directory
```

But the files are there:

```
[root@tak ~]# ll /usr/lib/nspluginwrapper/plugin-config
-rwsr-xr-x 1 root root 61744 2008-01-22 06:26 /usr/lib/nspluginwrapper/plugin-config
[root@tak ~]# ll /usr/lib/nspluginwrapper/npviewer.bin
-rwxr-xr-x 1 root root 137564 2008-01-22 06:26 /usr/lib/nspluginwrapper/npviewer.bin
```

So I ran:

```
[root@tak ~]# restorecon -v /usr/lib/nspluginwrapper/plugin-config
restorecon reset /usr/lib/nspluginwrapper/plugin-config context system_u:object_r:nsplugin_exec_t:s0->system_u:object_r:nsplugin_config_exec_t:s0
[root@tak ~]# restorecon -v /usr/lib/nspluginwrapper/npviewer.bin
restorecon reset /usr/lib/nspluginwrapper/npviewer.bin context system_u:object_r:bin_t:s0->system_u:object_r:nsplugin_exec_t:s0
```

And everything appears to be fixed. I'll reopen if that's not the case. Thanks!

I wonder if there is a problem with fixfiles/restorecon in policycoreutils. We have just added `find -print0 | restorecon -0 -f -` to fixfiles which is what caused the output.
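
The two AVC denials in the description each reduce to a source type, a target type, an object class and the denied permissions, which is what a policy change is written against. The following is an added example, not part of the original bug report or of any SELinux tool; the function names `parse_avc` and `summarize` are hypothetical, and the sample input is the two AVC records copied from the description.

```python
import re
from collections import defaultdict

# AVC records copied from the bug description (SYSCALL records omitted).
SAMPLE = """\
host=tak type=AVC msg=audit(1201126625.483:74): avc: denied { search } for pid=16638 comm="npviewer" name="/" dev=devpts ino=1 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:devpts_t:s0 tclass=dir
host=tak type=AVC msg=audit(1201126625.468:73): avc: denied { read write } for pid=16637 comm="plugin-config" name="2" dev=devpts ino=4 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_devpts_t:s0 tclass=chr_file
"""

# Permissions sit between braces; key=value pairs follow the word "for".
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    # A context is user:role:type:level; the type is the third field.
    return {
        "comm": fields.get("comm"),
        "perms": m.group("perms").split(),
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def summarize(text):
    """Group denied permissions by (source type, target type, class)."""
    grouped = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec["source_type"], rec["target_type"], rec["tclass"])
            grouped[key].update(rec["perms"])
    return {k: sorted(v) for k, v in grouped.items()}


if __name__ == "__main__":
    for (src, tgt, cls), perms in summarize(SAMPLE).items():
        print(f"{src} -> {tgt}:{cls} denied {{ {' '.join(perms)} }}")
```
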