Bug 485921

Summary: SELinux is preventing access to files with the label, file_t.
Product: [Fedora] Fedora Reporter: Richard Opalka <ropalka>
Component: nspluginwrapperAssignee: Martin Stransky <stransky>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: rawhideCC: caillon, dwalsh, mcepl, stransky, wtogami
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-02-17 15:17:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Richard Opalka 2009-02-17 14:09:02 UTC 
Summary:

SELinux is preventing access to files with the label, file_t.

Detailed Description:

SELinux permission checks on files labeled file_t are being denied. file_t is
the context the SELinux kernel gives to files that do not have a label. This
indicates a serious labeling problem. No files on an SELinux box should ever be
labeled file_t. If you have just added a new disk drive to the system you can
relabel it using the restorecon command. Otherwise you should relabel the entire
files system.

Allowing Access:

You can execute the following command as root to relabel your computer system:
"touch /.autorelabel; reboot"

Additional Information:

Source Context                unconfined_u:unconfined_r:nsplugin_t:s0
Target Context                system_u:object_r:file_t:s0
Target Objects                / [ dir ]
Source                        npviewer.bin
Source Path                   /usr/lib/nspluginwrapper/npviewer.bin
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           nspluginwrapper-1.1.10-1.fc10
Target RPM Packages           filesystem-2.4.19-1.fc10
Policy RPM                    selinux-policy-3.5.13-18.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                              2.6.27.9-159.fc10.x86_64 #1 SMP Tue Dec 16
                              14:47:52 EST 2008 x86_64 x86_64
Alert Count                   1495
First Seen                    Tue 17 Feb 2009 02:27:29 PM CET
Last Seen                     Tue 17 Feb 2009 03:00:13 PM CET
Local ID                      cf9ea32c-7fc0-407c-8823-fcf5d901ecd1
Line Numbers                  

Raw Audit Messages            

node=localhost.localdomain type=AVC msg=audit(1234879213.354:8589): avc:  denied  { search } for  pid=4480 comm="npviewer.bin" name="/" dev=dm-0 ino=2 scontext=unconfined_u:unconfined_r:nsplugin_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir

node=localhost.localdomain type=SYSCALL msg=audit(1234879213.354:8589): arch=40000003 syscall=5 per=8 success=no exit=-13 a0=8673a00 a1=0 a2=1b6 a3=0 items=0 ppid=4085 pid=4480 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="npviewer.bin" exe="/usr/lib/nspluginwrapper/npviewer.bin" subj=unconfined_u:unconfined_r:nsplugin_t:s0 key=(null)

------------------------------------------------
[/home/opalka][/home/opalka]>ls -lZ /usr/lib/nspluginwrapper/
drwxr-xr-x  root root system_u:object_r:lib_t:s0       .
drwxr-xr-x  root root system_u:object_r:lib_t:s0       ..
-rwxr-xr-x  root root system_u:object_r:bin_t:s0       npconfig
-rwxr-xr-x  root root system_u:object_r:lib_t:s0       npplayer
-rwxr-xr-x  root root system_u:object_r:bin_t:s0       npviewer
-rwxr-xr-x  root root system_u:object_r:nsplugin_exec_t:s0 npviewer.bin
-rwxr-xr-x  root root system_u:object_r:lib_t:s0       npwrapper.so
-rwxr-xr-x  root root system_u:object_r:lib_t:s0       nspluginplayer
-rwsr-xr-x  root root system_u:object_r:nsplugin_config_exec_t:s0 plugin-config
[/home/opalka][/home/opalka]>ls -lZ /usr/lib/mozilla/plugins
drwxr-xr-x  root root system_u:object_r:lib_t:s0       .
drwxr-xr-x  root root system_u:object_r:lib_t:s0       ..
lrwxrwxrwx  root root unconfined_u:object_r:lib_t:s0   libflashplayer.so
[/home/opalka][/home/opalka]>
Comment 1 Richard Opalka 2009-02-17 14:12:34 UTC 
[/home/opalka][/home/opalka]>ls -lZ /usr/lib64/nspluginwrapper/
drwxr-xr-x  root root system_u:object_r:lib_t:s0       .
drwxr-xr-x  root root system_u:object_r:lib_t:s0       ..
-rwxr-xr-x  root root system_u:object_r:lib_t:s0       libnoxshm.so
-rwxr-xr-x  root root system_u:object_r:lib_t:s0       libxpcom.so
-rwxr-xr-x  root root system_u:object_r:bin_t:s0       npconfig
-rwxr-xr-x  root root system_u:object_r:lib_t:s0       npplayer
-rwxr-xr-x  root root system_u:object_r:bin_t:s0       npviewer
-rwxr-xr-x  root root system_u:object_r:nsplugin_exec_t:s0 npviewer.bin
-rwxr-xr-x  root root system_u:object_r:lib_t:s0       npviewer.sh
-rwxr-xr-x  root root system_u:object_r:lib_t:s0       npwrapper.so
-rwxr-xr-x  root root system_u:object_r:lib_t:s0       nspluginplayer
-rwsr-xr-x  root root system_u:object_r:nsplugin_config_exec_t:s0 plugin-config
[/home/opalka][/home/opalka]>
Comment 2 Matěj Cepl 2009-02-17 14:14:45 UTC 
Richard is my colleague next table, and I have checked that his computer that it looks like it is setting all right.

After rather large change to the partitions etc. (encrypting /home) we had to do 'touch /.autorelabel;reboot' anyway, all files in /usr/lib*/nspluginwrapper seems to be labelled correctly, and yet this AVC denials happens whenever he opens new URL.
Comment 3 Daniel Walsh 2009-02-17 14:20:22 UTC 
I would bet there is a file in /tmp labeled file_t.

find / -context "*:file_t:*"
Comment 4 Matěj Cepl 2009-02-17 15:17:42 UTC 
OK, you are partially right -- it wasn't in /tmp, but it was misconfiguration -- /home and /home/lost+found were unlablled.