Bug 441486

Summary: Several AVCs after rawhide install and update
Product: Fedora
Component: selinux-policy
Version: rawhide
Status: CLOSED WONTFIX
Severity: low
Priority: low
Hardware: All
OS: Linux
Reporter: Tom Diehl <me>
Assignee: Daniel Walsh <dwalsh>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: jkubin
Doc Type: Bug Fix
Last Closed: 2008-04-08 14:33:35 UTC

Description Tom Diehl 2008-04-08 12:43:41 UTC
Description of problem: Several AVCs after rawhide install and update


Version-Release number of selected component (if applicable):
[root@bullwinkle bin]# rpm -qa | grep selinux
selinux-policy-targeted-3.3.1-28.fc9.noarch
libselinux-2.0.61-1.fc9.i386
selinux-policy-3.3.1-28.fc9.noarch
libselinux-python-2.0.61-1.fc9.i386
[root@bullwinkle bin]


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results: Several AVCs


Expected results: No AVCs


Additional info: After installing rawhide I got numerous AVCs. I then updated to
the latest policy and I am left with the following AVCs:


Summary:

SELinux is preventing the npviewer.bin from using potentially mislabeled files
(/root/.mozilla/firefox/j8ftz8kh.default/.parentlock).

Detailed Description:

SELinux has denied npviewer.bin access to potentially mislabeled file(s)
(/root/.mozilla/firefox/j8ftz8kh.default/.parentlock). This means that SELinux
will not allow npviewer.bin to use these files. It is common for users to edit
files in their home directory or tmp directories and then move (mv) them to
system directories. The problem is that the files end up with the wrong file
context which confined applications are not allowed to access.

Allowing Access:

If you want npviewer.bin to access these files, you need to relabel them using
restorecon -v '/root/.mozilla/firefox/j8ftz8kh.default/.parentlock'. You might
want to relabel the entire directory using restorecon -R -v
'/root/.mozilla/firefox/j8ftz8kh.default'.

Additional Information:

Source Context                unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:admin_home_t:s0
Target Objects                /root/.mozilla/firefox/j8ftz8kh.default/.parentlock [ file ]
Source                        npviewer.bin
Source Path                   /usr/lib/nspluginwrapper/npviewer.bin
Port                          <Unknown>
Host                          bullwinkle.tntechs.com
Source RPM Packages           nspluginwrapper-0.9.91.5-26.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-28.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     bullwinkle.tntechs.com
Platform                      Linux bullwinkle.tntechs.com
                              2.6.25-0.201.rc8.git4.fc9.i686 #1 SMP Sun Apr 6
                              21:55:27 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Tue 08 Apr 2008 08:14:23 AM EDT
Last Seen                     Tue 08 Apr 2008 08:14:23 AM EDT
Local ID                      8f8eebaf-d718-477d-9358-2caab5a0124e
Line Numbers                  

Raw Audit Messages            

host=bullwinkle.tntechs.com type=AVC msg=audit(1207656863.239:154): avc:  denied
 { write } for  pid=22862 comm="npviewer.bin"
path="/root/.mozilla/firefox/j8ftz8kh.default/.parentlock" dev=dm-0 ino=262333
scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

host=bullwinkle.tntechs.com type=AVC msg=audit(1207656863.239:154): avc:  denied
 { write } for  pid=22862 comm="npviewer.bin"
path="/root/.mozilla/firefox/j8ftz8kh.default/.parentlock" dev=dm-0 ino=262333
scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

host=bullwinkle.tntechs.com type=AVC msg=audit(1207656863.239:154): avc:  denied
 { read } for  pid=22862 comm="npviewer.bin"
path="/root/.mozilla/firefox/j8ftz8kh.default/XUL.mfasl" dev=dm-0 ino=262352
scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

host=bullwinkle.tntechs.com type=AVC msg=audit(1207656863.239:154): avc:  denied
 { read write } for  pid=22862 comm="npviewer.bin"
path="/root/.mozilla/firefox/j8ftz8kh.default/Cache/_CACHE_MAP_" dev=dm-0
ino=262357 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

host=bullwinkle.tntechs.com type=AVC msg=audit(1207656863.239:154): avc:  denied
 { read write } for  pid=22862 comm="npviewer.bin"
path="/root/.mozilla/firefox/j8ftz8kh.default/Cache/_CACHE_001_" dev=dm-0
ino=262358 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

host=bullwinkle.tntechs.com type=AVC msg=audit(1207656863.239:154): avc:  denied
 { read write } for  pid=22862 comm="npviewer.bin"
path="/root/.mozilla/firefox/j8ftz8kh.default/Cache/_CACHE_002_" dev=dm-0
ino=262359 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

host=bullwinkle.tntechs.com type=AVC msg=audit(1207656863.239:154): avc:  denied
 { read write } for  pid=22862 comm="npviewer.bin"
path="/root/.mozilla/firefox/j8ftz8kh.default/Cache/_CACHE_003_" dev=dm-0
ino=262360 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

host=bullwinkle.tntechs.com type=SYSCALL msg=audit(1207656863.239:154):
arch=40000003 syscall=11 success=yes exit=0 a0=8fe8458 a1=8fe2870 a2=8fe87a8
a3=0 items=0 ppid=22801 pid=22862 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="npviewer.bin"
exe="/usr/lib/nspluginwrapper/npviewer.bin"
subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null)



Summary:

SELinux is preventing runlevel (NetworkManager_t) "write" to ./utmp
(initrc_var_run_t).

Detailed Description:

SELinux denied access requested by runlevel. It is not expected that this access
is required by runlevel and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./utmp,

restorecon -v './utmp'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:initrc_var_run_t:s0
Target Objects                ./utmp [ file ]
Source                        runlevel
Source Path                   /sbin/runlevel
Port                          <Unknown>
Host                          bullwinkle.tntechs.com
Source RPM Packages           upstart-0.3.9-15.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-28.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     bullwinkle.tntechs.com
Platform                      Linux bullwinkle.tntechs.com
                              2.6.25-0.201.rc8.git4.fc9.i686 #1 SMP Sun Apr 6
                              21:55:27 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Mon 07 Apr 2008 12:53:20 PM EDT
Last Seen                     Mon 07 Apr 2008 12:53:20 PM EDT
Local ID                      f02bf57a-2948-4d87-976d-f6f6aab48c15
Line Numbers                  

Raw Audit Messages            

host=bullwinkle.tntechs.com type=AVC msg=audit(1207587200.728:27): avc:  denied
 { write } for  pid=3332 comm="runlevel" name="utmp" dev=dm-2 ino=73740
scontext=system_u:system_r:NetworkManager_t:s0
tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

host=bullwinkle.tntechs.com type=SYSCALL msg=audit(1207587200.728:27):
arch=40000003 syscall=5 success=no exit=-13 a0=9812ba a1=88002 a2=8b9bf8
a3=9812c0 items=0 ppid=3331 pid=3332 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="runlevel"
exe="/sbin/runlevel" subj=system_u:system_r:NetworkManager_t:s0 key=(null)



Summary:

SELinux is preventing the Xorg from using potentially mislabeled files
(./fonts.dir).

Detailed Description:

SELinux has denied Xorg access to potentially mislabeled file(s) (./fonts.dir).
This means that SELinux will not allow Xorg to use these files. It is common for
users to edit files in their home directory or tmp directories and then move
(mv) them to system directories. The problem is that the files end up with the
wrong file context which confined applications are not allowed to access.

Allowing Access:

If you want Xorg to access these files, you need to relabel them using restorecon
-v './fonts.dir'. You might want to relabel the entire directory using
restorecon -R -v '.'.

Additional Information:

Source Context                system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:admin_home_t:s0
Target Objects                ./fonts.dir [ file ]
Source                        Xorg
Source Path                   /usr/bin/Xorg
Port                          <Unknown>
Host                          bullwinkle.tntechs.com
Source RPM Packages           xorg-x11-server-Xorg-1.4.99.901-17.20080401.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-28.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     bullwinkle.tntechs.com
Platform                      Linux bullwinkle.tntechs.com
                              2.6.25-0.201.rc8.git4.fc9.i686 #1 SMP Sun Apr 6
                              21:55:27 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Mon 07 Apr 2008 12:53:05 PM EDT
Last Seen                     Mon 07 Apr 2008 12:53:05 PM EDT
Local ID                      66087dba-4059-4f8f-a9c2-eea91b3c3487
Line Numbers                  

Raw Audit Messages            

host=bullwinkle.tntechs.com type=AVC msg=audit(1207587185.530:26): avc:  denied
 { read } for  pid=2778 comm="Xorg" name="fonts.dir" dev=dm-0 ino=262183
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

host=bullwinkle.tntechs.com type=SYSCALL msg=audit(1207587185.530:26):
arch=40000003 syscall=5 success=no exit=-13 a0=bfcd2b28 a1=0 a2=1b6 a3=0 items=0
ppid=2775 pid=2778 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=tty7 ses=4294967295 comm="Xorg" exe="/usr/bin/Xorg"
subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 key=(null)



Summary:

SELinux is preventing the gdm-session-wor from using potentially mislabeled
files (./root).

Detailed Description:

SELinux has denied gdm-session-wor access to potentially mislabeled file(s)
(./root). This means that SELinux will not allow gdm-session-wor to use these
files. It is common for users to edit files in their home directory or tmp
directories and then move (mv) them to system directories. The problem is that
the files end up with the wrong file context which confined applications are not
allowed to access.

Allowing Access:

If you want gdm-session-wor to access these files, you need to relabel them using
restorecon -v './root'. You might want to relabel the entire directory using
restorecon -R -v './root'.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:admin_home_t:s0
Target Objects                ./root [ dir ]
Source                        gdm-session-wor
Source Path                   /usr/libexec/gdm-session-worker
Port                          <Unknown>
Host                          bullwinkle.tntechs.com
Source RPM Packages           gdm-2.21.10-0.2008.04.07.1.fc9
Target RPM Packages           filesystem-2.4.12-1.fc9
Policy RPM                    selinux-policy-3.3.1-28.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     bullwinkle.tntechs.com
Platform                      Linux bullwinkle.tntechs.com
                              2.6.25-0.201.rc8.git4.fc9.i686 #1 SMP Sun Apr 6
                              21:55:27 EDT 2008 i686 i686
Alert Count                   4
First Seen                    Mon 07 Apr 2008 12:52:40 PM EDT
Last Seen                     Mon 07 Apr 2008 12:53:02 PM EDT
Local ID                      983dd350-6557-4e40-b855-60810bed6ed6
Line Numbers                  

Raw Audit Messages            

host=bullwinkle.tntechs.com type=AVC msg=audit(1207587182.105:25): avc:  denied
 { write } for  pid=2966 comm="gdm-session-wor" name="root" dev=dm-0 ino=262145
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:admin_home_t:s0 tclass=dir

host=bullwinkle.tntechs.com type=SYSCALL msg=audit(1207587182.105:25):
arch=40000003 syscall=5 success=no exit=-13 a0=91b0a60 a1=80c2 a2=180 a3=80c2
items=0 ppid=2917 pid=2966 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=2 comm="gdm-session-wor"
exe="/usr/libexec/gdm-session-worker"
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Comment 1 Daniel Walsh 2008-04-08 14:33:35 UTC
SELinux will not allow you to log in as root via XWindows. This is a bad idea and
we will not clean up the AVCs since this would cover up potential attacks.
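The raw audit messages in the report are the useful part of each alert: the setroubleshoot summaries are generic, but the scontext, tcontext and tclass fields pin down which domain touched what. The script below is an added example, not part of the bug report or of Fedora's SELinux tooling. It joins the wrapped audit records as they appear on this page, extracts the denial fields, collapses them into the (source type, target type, class) shape an allow rule would take, and separately flags the denials whose target is admin_home_t, which is the pattern Comment 1 attributes to running a desktop session as root. The sample records are copied from the report; the admin_home_t heuristic and all function names are this example's own.

```python
"""Parse SELinux AVC denials and group them the way a policy reviewer would.

Added example. The sample records are copied from the bug report, wrapped
exactly as setroubleshoot printed them, so the joiner has real input. The
admin_home_t heuristic is this example's own, not Fedora policy tooling.
"""
import re
from collections import defaultdict

# Constructed sample: four AVC records plus one SYSCALL record from the report.
SAMPLE_AUDIT = """\
host=bullwinkle.tntechs.com type=AVC msg=audit(1207656863.239:154): avc:  denied
 { read write } for  pid=22862 comm="npviewer.bin"
path="/root/.mozilla/firefox/j8ftz8kh.default/Cache/_CACHE_MAP_" dev=dm-0
ino=262357 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

host=bullwinkle.tntechs.com type=AVC msg=audit(1207587200.728:27): avc:  denied
 { write } for  pid=3332 comm="runlevel" name="utmp" dev=dm-2 ino=73740
scontext=system_u:system_r:NetworkManager_t:s0
tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

host=bullwinkle.tntechs.com type=SYSCALL msg=audit(1207587200.728:27):
arch=40000003 syscall=5 success=no exit=-13 a0=9812ba a1=88002 a2=8b9bf8
a3=9812c0 items=0 ppid=3331 pid=3332 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="runlevel"
exe="/sbin/runlevel" subj=system_u:system_r:NetworkManager_t:s0 key=(null)

host=bullwinkle.tntechs.com type=AVC msg=audit(1207587185.530:26): avc:  denied
 { read } for  pid=2778 comm="Xorg" name="fonts.dir" dev=dm-0 ino=262183
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

host=bullwinkle.tntechs.com type=AVC msg=audit(1207587182.105:25): avc:  denied
 { write } for  pid=2966 comm="gdm-session-wor" name="root" dev=dm-0 ino=262145
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
"""

# One AVC record, after line-wrapping has been undone. path= or name= is optional.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+)\} for\s+pid=(?P<pid>\d+) comm="(?P<comm>[^"]+)"'
    r'(?: (?:path|name)="?(?P<obj>[^" ]+)"?)?.*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

# Target types that mean "root's home directory" in the targeted policy
# (heuristic for this example).
ROOT_HOME_TYPES = {"admin_home_t"}


def join_records(text):
    """Re-join records that setroubleshoot wrapped: each starts with 'host='."""
    records, cur = [], []
    for line in text.splitlines():
        if line.startswith("host=") and cur:
            records.append(" ".join(cur))
            cur = []
        if line.strip():
            cur.append(line.strip())
    if cur:
        records.append(" ".join(cur))
    return records


def parse_avcs(text):
    """Return one dict per AVC record; SYSCALL and other record types are skipped."""
    out = []
    for rec in join_records(text):
        m = AVC_RE.search(rec)
        if not m:
            continue
        d = m.groupdict()
        d["perms"] = frozenset(d["perms"].split())
        d["stype"] = d["scontext"].split(":")[2]   # user:role:TYPE:range
        d["ttype"] = d["tcontext"].split(":")[2]
        out.append(d)
    return out


def summarize(avcs):
    """Collapse denials to (source type, target type, class) -> permission set.
    Descriptive only: whether such a rule is acceptable is the reviewer's call."""
    rules = defaultdict(set)
    for a in avcs:
        rules[(a["stype"], a["ttype"], a["tclass"])] |= a["perms"]
    return {k: frozenset(v) for k, v in rules.items()}


def format_rule(key, perms):
    """Render a summary entry in allow-rule syntax for review."""
    stype, ttype, tclass = key
    return f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"


def root_desktop_denials(avcs):
    """Denials where a confined domain touched root's home: the signature of a
    desktop session running as root rather than of a mislabeled file."""
    return [a for a in avcs if a["ttype"] in ROOT_HOME_TYPES]


if __name__ == "__main__":
    avcs = parse_avcs(SAMPLE_AUDIT)
    for key, perms in sorted(summarize(avcs).items()):
        print(format_rule(key, perms))
    for a in root_desktop_denials(avcs):
        print(f'root-home access: {a["comm"]} ({a["stype"]}) -> {a["obj"]} [{a["ttype"]}]')
```

The allow-rule lines are printed for review only. Loading a module that grants xdm_t, xdm_xserver_t or nsplugin_t access to admin_home_t would do exactly what Comment 1 declines to do: hide the symptom of a root desktop session instead of removing its cause. The runlevel denial against initrc_var_run_t is a different case, since no home-directory label is involved, and is the one record here that deserves a separate look.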