Bug 469092

Summary: SELinux is preventing soffice (nsplugin_t) "getattr" to /usr/lib/openoffice.org/ure/bin/javaldx (java_exec_t).
Product: [Fedora] Fedora
Reporter: Alex Chiang <achiang>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 10
CC: ahughes, bashton, dwalsh, jkubin, mgrepl
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-01-08 18:35:33 UTC

Description Alex Chiang 2008-10-29 20:34:53 UTC
Summary:

SELinux is preventing soffice (nsplugin_t) "getattr" to
/usr/lib/openoffice.org/ure/bin/javaldx (java_exec_t).

Detailed Description:

SELinux denied access requested by soffice. It is not expected that this access
is required by soffice and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /usr/lib/openoffice.org/ure/bin/javaldx,

restorecon -v '/usr/lib/openoffice.org/ure/bin/javaldx'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023
Target Context                system_u:object_r:java_exec_t:s0
Target Objects                /usr/lib/openoffice.org/ure/bin/javaldx [ file ]
Source                        soffice
Source Path                   /bin/bash
Port                          <Unknown>
Host                          ethanol
Source RPM Packages           bash-3.2-28.fc10
Target RPM Packages           openoffice.org-ure-3.0.0-9.6.fc10
Policy RPM                    selinux-policy-3.5.13-8.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     ethanol
Platform                      Linux ethanol 2.6.27.4-58.fc10.i686 #1 SMP Mon Oct
                              27 18:21:44 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Wed 29 Oct 2008 02:32:23 PM MDT
Last Seen                     Wed 29 Oct 2008 02:32:23 PM MDT
Local ID                      5feff58a-6060-4e1a-a64d-0644196bcecd
Line Numbers                  

Raw Audit Messages            

node=ethanol type=AVC msg=audit(1225312343.322:233): avc:  denied  { getattr } for  pid=17488 comm="soffice" path="/usr/lib/openoffice.org/ure/bin/javaldx" dev=dm-0 ino=2449904 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:java_exec_t:s0 tclass=file

node=ethanol type=SYSCALL msg=audit(1225312343.322:233): arch=40000003 syscall=195 success=no exit=-13 a0=9c24310 a1=bfe2d4bc a2=c54ff4 a3=9c24312 items=0 ppid=17487 pid=17488 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=18 comm="soffice" exe="/bin/bash" subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null)
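
Added example, not part of the original report or of any Fedora tool: Python code that pairs the AVC and SYSCALL records above by their shared audit event ID and reduces them to the fields a triager needs (source and target type, permission, object path, the real executable behind `comm`, and the errno the syscall returned). The function names and the layout of the result dictionary are assumptions of this example.

```python
import errno
import re
from collections import defaultdict

# The two raw audit records from the description above, copied unchanged.
SAMPLE = '''node=ethanol type=AVC msg=audit(1225312343.322:233): avc:  denied  { getattr } for  pid=17488 comm="soffice" path="/usr/lib/openoffice.org/ure/bin/javaldx" dev=dm-0 ino=2449904 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:java_exec_t:s0 tclass=file
node=ethanol type=SYSCALL msg=audit(1225312343.322:233): arch=40000003 syscall=195 success=no exit=-13 a0=9c24310 a1=bfe2d4bc a2=c54ff4 a3=9c24312 items=0 ppid=17487 pid=17488 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=18 comm="soffice" exe="/bin/bash" subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null)'''

HEADER = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')

def parse_record(line):
    """Return ((timestamp, serial), record_type, fields) for one audit line, or None."""
    m = HEADER.search(line)
    if not m:
        return None
    rtype, stamp, serial = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
    p = PERMS.search(line)
    fields['perms'] = p.group(1).split() if p else []
    return (stamp, serial), rtype, fields

def summarize_denials(log_text):
    """Join AVC and SYSCALL records that share an audit event ID into one finding each."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            event_id, rtype, fields = rec
            events[event_id][rtype] = fields
    findings = []
    for event_id, recs in events.items():
        avc, sc = recs.get('AVC'), recs.get('SYSCALL', {})
        if not avc or not avc['perms']:
            continue  # not a denial, or the AVC half of the event is missing
        findings.append({
            'event': ':'.join(event_id),
            'source_type': avc['scontext'].split(':')[2],  # third field of user:role:type:level
            'target_type': avc['tcontext'].split(':')[2],
            'tclass': avc['tclass'],
            'perms': avc['perms'],
            'path': avc.get('path'),
            'comm': avc.get('comm'),
            'exe': sc.get('exe'),  # the binary actually executing; here the shell, not soffice
            'errno': errno.errorcode.get(-int(sc['exit'])) if 'exit' in sc else None,
        })
    return findings

print(summarize_denials(SAMPLE))
```

An event that carries several AVC records keeps only the last one in this version.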

Comment 1 Daniel Walsh 2008-10-30 18:28:43 UTC
nsplugin should not be attempting to run openoffice.  openoffice should not run within an nsplugin wrapper.  Did you set this up or is there some package that is trying to do this?

Comment 2 Daniel Walsh 2008-10-30 18:29:35 UTC
*** Bug 469094 has been marked as a duplicate of this bug. ***

Comment 3 Alex Chiang 2008-10-30 18:48:31 UTC
I didn't set up anything manually; I just accepted whatever defaults come when you install F10/rawhide.

The reason I got the message was that someone sent me a URL that pointed at a Word document. I simply pasted the url into my browser (ff3) and then got those SELinux alerts.

Is there any sort of debugging or package list you'd like me to provide?

Comment 4 Daniel Walsh 2008-10-30 19:06:38 UTC
rpm -qa \*plug\*

Comment 5 Alex Chiang 2008-10-30 20:02:34 UTC
gstreamer-plugins-farsight-0.12.9-3.fc10.i386
plymouth-plugin-solar-0.6.0-0.2008.10.27.5.fc10.i386
gstreamer-plugins-flumpegdemux-0.10.15-4.fc10.i386
anaconda-yum-plugins-1.0-3.fc10.noarch
nspluginwrapper-1.1.2-4.fc10.i386
gstreamer-plugins-good-0.10.11-1.fc10.i386
flash-plugin-9.0.124.0-release.i386
totem-mozplugin-2.24.3-1.fc10.i386
PackageKit-yum-plugin-0.3.9-1.fc10.i386
alsa-plugins-pulseaudio-1.0.18-1.rc3.fc10.i386
plymouth-plugin-label-0.6.0-0.2008.10.27.5.fc10.i386
plymouth-plugin-spinfinity-0.6.0-0.2008.10.27.5.fc10.i386
PackageKit-gstreamer-plugin-0.3.9-1.fc10.i386
mozplugger-1.10.1-3.fc10.i386
libmodplug-0.8.4-3.fc9.i386
gstreamer-plugins-base-0.10.21-2.fc10.i386
setroubleshoot-plugins-2.0.10-1.fc10.noarch
java-1.6.0-openjdk-plugin-1.6.0.0-1.1.b12.fc10.i386

Comment 6 Brennan Ashton 2008-11-04 04:50:56 UTC
This bug has been triaged

Comment 7 Daniel Walsh 2008-11-04 13:30:26 UTC
The problem is mozplugger wants to run a whole bunch of the desktop under nspluginwrapper.  (openoffice, evince, totem...)  nsplugin_t is not allowing desktop apps to run.  You have two choices, either remove the mozplugger rpm, or at least openoffice from /etc/mozpluggerrc

rpm -e mozplugger

Or turn off SELinux protection over nsplugin.

setsebool -P allow_unconfined_nsplugin_transition 0

Comment 8 Daniel Walsh 2008-11-04 13:47:44 UTC
*** Bug 469095 has been marked as a duplicate of this bug. ***

Comment 9 Andrew John Hughes 2008-11-12 15:07:49 UTC
This somehow seems to be the default setup after upgrading to Fedora 10 from Fedora 9.  Loading OpenOffice documents from the browser worked with F9 but is broken after upgrading to F10 with the same SELinux denial(s) shown above.  I've now removed mozplugger and will see if this makes a difference when the browser is next restarted. I don't know why nspluginwrapper is installed when every plugin should be 64-bit.

$ rpm -qa \*plug\*
java-1.6.0-openjdk-plugin-1.6.0.0-2b12.fc10.x86_64
PackageKit-yum-plugin-0.3.9-4.fc10.x86_64
alsa-plugins-pulseaudio-1.0.18-1.rc3.fc10.x86_64
gstreamer-plugins-base-0.10.21-2.fc10.x86_64
nspluginwrapper-1.1.2-4.fc10.x86_64
plymouth-plugin-spinfinity-0.6.0-0.2008.10.30.4.fc10.x86_64
anaconda-yum-plugins-1.0-3.fc10.noarch
totem-mozplugin-2.24.3-1.fc10.x86_64
plymouth-plugin-solar-0.6.0-0.2008.10.30.4.fc10.x86_64
setroubleshoot-plugins-2.0.10-1.fc10.noarch
plymouth-plugin-label-0.6.0-0.2008.10.30.4.fc10.x86_64
gstreamer-plugins-flumpegdemux-0.10.15-4.fc10.x86_64
gstreamer-plugins-good-0.10.11-1.fc10.x86_64
libmodplug-0.8.4-3.fc9.x86_64
maven-shared-plugin-testing-harness-1.0-4.6.fc10.x86_64
PackageKit-gstreamer-plugin-0.3.9-4.fc10.x86_64

Comment 10 Bug Zapper 2008-11-26 04:27:57 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle.
Changing version to '10'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping