Bug 448118

Summary: SELinux is preventing firefox from creating a file with a context of unlabeled_t on a filesystem
Product: [Fedora] Fedora
Reporter: Dean Mander <knolderpoor>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 9
CC: jkubin
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-07-02 17:57:58 UTC

Description Dean Mander 2008-05-23 15:39:31 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (compatible; Konqueror/4.0; Linux) KHTML/4.0.4 (like Gecko) Fedora/4.0.4-4.fc9

Description of problem:
After upgrading to
selinux-policy-3.3.1-51.fc9.noarch
selinux-policy-devel-3.3.1-51.fc9.noarch
selinux-policy-targeted-3.3.1-51.fc9.noarc
and using firefox-3.0-0.60.beta5.fc9.x86_64

I get the following SELinux error (pasted in the "Additional info" section), and
Firefox doesn't start up correctly anymore.

stderr output of firefox:
Adblock plus: failed write pattern to file
<home>/.mozilla/firefox/2xkf909o.default/adblockplus/patterns.ini: [Exception...
"Component returned failure code: 0x80520015 (NS_ERROR_FILE_ACCESS_DENIED)
[nsIFileOutputStream.init]"  nsresult: "0x80520015 (NS_ERROR_FILE_ACCESS_DENIED)" 
location: "JS frame :: chrome://adblockplus/content/prefs.js :: anonymous :: line
767"  data: no]


When I scratch my $HOME/.mozilla folder, the problem is gone. But I need my personal
data :)





Version-Release number of selected component (if applicable):
selinux-policy-3.3.1-51.fc9.noarch

How reproducible:
Always


Steps to Reproduce:
1. install described components on x86_64 
2. run firefox
3.

Actual Results:


Expected Results:


Additional info:

Summary:

SELinux is preventing firefox from creating a file with a context of unlabeled_t
on a filesystem.

Detailed Description:

SELinux is preventing firefox from creating a file with a context of unlabeled_t
on a filesystem. Usually this happens when you ask the cp command to maintain
the context of a file when copying between file systems, "cp -a" for example.
Not all file contexts should be maintained between the file systems. For
example, a read-only file type like iso9660_t should not be placed on a r/w
system. "cp -P" might be a better solution, as this will adopt the default file
context for the destination.

Allowing Access:

Use a command like "cp -P" to preserve all permissions except SELinux context.

Additional Information:

Source Context                unconfined_u:object_r:unlabeled_t
Target Context                system_u:object_r:fs_t
Target Objects                cookies.sqlite-journal [ filesystem ]
Source                        firefox
Source Path                   /usr/lib64/firefox-3.0b5/firefox
Port                          <Unknown>
Source RPM Packages           firefox-3.0-0.60.beta5.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-51.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   filesystem_associate
Platform                      Linux obelix 2.6.25.3-18.fc9.x86_64 #1 SMP Tue May
                              13 04:54:47 EDT 2008 x86_64 x86_64
Alert Count                   4
First Seen                    Fri 23 May 2008 05:10:51 PM CEST
Last Seen                     Fri 23 May 2008 05:34:12 PM CEST
Local ID                      d8a700cf-2c6f-4dd5-830d-4050a339fbe8
Line Numbers                  

Raw Audit Messages            

host=myhostname type=AVC msg=audit(1211556852.662:254): avc:  denied  { associate
} for  pid=8993 comm="firefox" name="cookies.sqlite-journal"
scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:fs_t:s0
tclass=filesystem

host=myhostname type=SYSCALL msg=audit(1211556852.662:254): arch=c000003e
syscall=2 success=no exit=-13 a0=2ca2c7e a1=c2 a2=1a4 a3=0 items=0 ppid=8976
pid=8993 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500
fsgid=500 tty=pts10 ses=1 comm="firefox" exe="/usr/lib64/firefox-3.0b5/firefox"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Comment 1 Christian Nolte 2008-05-24 14:45:56 UTC
I've had the same problem. I was unable to access the firefox history anymore. A
'/sbin/restorecon -Rv .mozilla' did the trick for me.

Comment 2 Daniel Walsh 2008-07-02 17:57:58 UTC
This is an upgrade problem.  You can fix it by executing the restorecon command
above.
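
A triage helper for the denial in this report, as an added example that is not part of the original bug or its comments: it scans audit records for "associate" denials on a filesystem whose source type is unlabeled_t, the signature that the restorecon command in Comments 1 and 2 resolves. The function name and the second sample record are constructed for illustration; the first sample record is the AVC message from this report rejoined onto one line.

```shell
#!/bin/sh
# Constructed sample input: record 1 is this report's AVC message on one
# line (as it appears in an audit log); record 2 is a made-up unrelated denial.
SAMPLE_AUDIT='host=myhostname type=AVC msg=audit(1211556852.662:254): avc:  denied  { associate } for  pid=8993 comm="firefox" name="cookies.sqlite-journal" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
host=myhostname type=AVC msg=audit(1211556900.100:260): avc:  denied  { read } for  pid=9100 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# Reads audit records on stdin and prints "comm<TAB>name" for every AVC
# denial where an object typed unlabeled_t could not be associated with a
# filesystem. Other denials are ignored.
unlabeled_associate_denials() {
    awk '
    # Strip the "key=" prefix and surrounding quotes from one field.
    function val(s) { sub(/^[^=]*=/, "", s); gsub(/"/, "", s); return s }

    /type=AVC/ && /denied/ {
        assoc = 0; inperm = 0; comm = ""; name = ""; stype = ""; tclass = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") inperm = 1                 # start of permission list
            else if ($i == "}") inperm = 0            # end of permission list
            else if (inperm && $i == "associate") assoc = 1
            else if ($i ~ /^comm=/) comm = val($i)
            else if ($i ~ /^name=/) name = val($i)
            else if ($i ~ /^tclass=/) tclass = val($i)
            else if ($i ~ /^scontext=/) {
                # Context layout is user:role:type:level; keep the type.
                split(val($i), c, ":"); stype = c[3]
            }
        }
        if (assoc && tclass == "filesystem" && stype == "unlabeled_t")
            printf "%s\t%s\n", comm, name
    }'
}

# Stand-alone run on the constructed sample. On a live system, feed the
# function the output of "ausearch -m avc --raw" or the audit log instead.
printf '%s\n' "$SAMPLE_AUDIT" | unlabeled_associate_denials

# Each hit names a process and a file under a directory tree that needs
# relabelling; the fix given on this page is restorecon -Rv on that tree.
```
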