Bug 495241

Summary: (staff_u) SELinux is preventing the firefox from using potentially mislabeled files (dbusnotify.py).
Product: Fedora
Component: firefox
Version: rawhide
Hardware: All
OS: Linux
Status: CLOSED RAWHIDE
Severity: medium
Priority: low
Reporter: Matěj Cepl <mcepl>
Assignee: Gecko Maintainer <gecko-bugs-nobody>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dwalsh, gecko-bugs-nobody, mcepl, walters
Keywords: Reopened, SELinux
Doc Type: Bug Fix
Last Closed: 2009-04-14 15:00:28 UTC

Description Matěj Cepl 2009-04-10 17:27:25 UTC
Summary:

SELinux is preventing the firefox from using potentially mislabeled files
(dbusnotify.py).

Detailed Description:

SELinux has denied firefox access to potentially mislabeled file(s)
(dbusnotify.py). This means that SELinux will not allow firefox to use these
files. It is common for users to edit files in their home directory or tmp
directories and then move (mv) them to system directories. The problem is that
the files end up with the wrong file context which confined applications are not
allowed to access.

Allowing Access:

If you want firefox to access these files, you need to relabel them using
restorecon -v 'dbusnotify.py'. You might want to relabel the entire directory
using restorecon -R -v ''.

Additional Information:

Source Context                staff_u:staff_r:staff_t:s0-s0:c0.c1023
Target Context                staff_u:object_r:mozilla_home_t:s0
Target Objects                dbusnotify.py [ file ]
Source                        firefox
Source Path                   /usr/lib64/firefox-3.1b3/firefox
Port                          <Unknown>
Host                          viklef.ceplovi.cz
Source RPM Packages           firefox-3.1-0.11.beta3.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.10-8.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     viklef.ceplovi.cz
Platform                      Linux viklef.ceplovi.cz 2.6.29.1-54.fc11.x86_64 #1
                              SMP Tue Apr 7 05:26:42 EDT 2009 x86_64 x86_64
Alert Count                   2
First Seen                    Wed 8 April 2009, 10:06:22 CEST
Last Seen                     Wed 8 April 2009, 10:11:50 CEST
Local ID                      8aadda79-b14f-42b2-80ab-0278a8f2d40f
Line Numbers                  

Raw Audit Messages            

node=viklef.ceplovi.cz type=AVC msg=audit(1239178310.656:45): avc:  denied  { execute } for  pid=3918 comm="firefox" name="dbusnotify.py" dev=dm-6 ino=737596 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:mozilla_home_t:s0 tclass=file

node=viklef.ceplovi.cz type=SYSCALL msg=audit(1239178310.656:45): arch=c000003e syscall=59 success=no exit=-13 a0=7f7ed23ccf78 a1=7f7ed929a380 a2=7f7eecf04400 a3=7f7edd5e8c10 items=0 ppid=3607 pid=3918 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="firefox" exe="/usr/lib64/firefox-3.1b3/firefox" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
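The two raw audit records above are the whole evidence for this bug: the AVC line names the denied permission and the source/target contexts, and the SYSCALL line with the same event serial (1239178310.656:45) tells you which binary made which system call and with what result. Reading them by hand is error-prone (the MLS range in a context contains colons, values may be quoted or parenthesised), so here is a small parser, added as an example and not part of the bug report or of setroubleshoot/audit2allow, that correlates the two records by serial and reduces them to the denial triple. The sample input is a constructed copy of the two lines quoted above; the syscall table is a deliberately partial assumption covering only x86_64 execve (59).

```python
import errno
import re

# Constructed sample: the two audit records quoted in the bug report, sharing
# event serial 1239178310.656:45 and therefore describing one failed execve().
SAMPLE_AUDIT = """\
node=viklef.ceplovi.cz type=AVC msg=audit(1239178310.656:45): avc:  denied  { execute } for  pid=3918 comm="firefox" name="dbusnotify.py" dev=dm-6 ino=737596 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:mozilla_home_t:s0 tclass=file
node=viklef.ceplovi.cz type=SYSCALL msg=audit(1239178310.656:45): arch=c000003e syscall=59 success=no exit=-13 a0=7f7ed23ccf78 a1=7f7ed929a380 a2=7f7eecf04400 a3=7f7edd5e8c10 items=0 ppid=3607 pid=3918 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="firefox" exe="/usr/lib64/firefox-3.1b3/firefox" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
"""

# type=... msg=audit(TIMESTAMP:SERIAL): <rest>
MSG_RE = re.compile(r"type=(?P<type>\w+) msg=audit\((?P<event>[\d.]+:\d+)\): (?P<rest>.*)$")
# avc:  denied  { perm perm } for  <key=value ...>
AVC_RE = re.compile(r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
# key=value pairs; values are quoted ("firefox"), parenthesised ((none)) or bare
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')

# Assumption: partial syscall table for arch c000003e (x86_64); only what this needs.
X86_64_SYSCALLS = {59: "execve"}


def parse_kv(text):
    """Turn 'a=1 b="x" c=(none)' into a dict with quotes stripped."""
    return {key: value.strip('"') for key, value in KV_RE.findall(text)}


def parse_record(line):
    """Parse one audit line; return None for lines that are not audit records."""
    m = MSG_RE.search(line)
    if not m:
        return None
    record = {"type": m.group("type"), "event": m.group("event")}
    rest = m.group("rest")
    if record["type"] == "AVC":
        avc = AVC_RE.match(rest)
        if not avc:
            return None
        record["decision"] = avc.group("decision")
        record["perms"] = avc.group("perms").split()
        rest = avc.group("rest")
    record["fields"] = parse_kv(rest)
    return record


def correlate(text):
    """Group records by event id so the AVC and SYSCALL lines of one call sit together."""
    events = {}
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events.setdefault(rec["event"], {}).setdefault(rec["type"], []).append(rec)
    return events


def context_type(ctx):
    """user:role:type[:range] -> type. Split on ':' and take index 2, because the
    MLS range (s0-s0:c0.c1023) itself contains a colon."""
    return ctx.split(":")[2]


def summarize(event):
    """Reduce one correlated event to the denial triple plus the syscall outcome."""
    avc = event["AVC"][0]
    f = avc["fields"]
    summary = {
        "decision": avc["decision"],
        "perms": avc["perms"],
        "source_type": context_type(f["scontext"]),
        "target_type": context_type(f["tcontext"]),
        "tclass": f["tclass"],
        "target_name": f.get("name"),
        "comm": f.get("comm"),
    }
    syscalls = event.get("SYSCALL")
    if syscalls:
        s = syscalls[0]["fields"]
        summary["exe"] = s.get("exe")
        if s.get("arch") == "c000003e":
            summary["syscall"] = X86_64_SYSCALLS.get(int(s["syscall"]), "syscall " + s["syscall"])
        else:
            summary["syscall"] = "syscall " + s.get("syscall", "?")
        code = -int(s["exit"])            # exit=-13 means the call returned -EACCES
        summary["errno"] = errno.errorcode.get(code, str(code))
    return summary


def to_allow_rule(summary):
    """The TE rule audit2allow would print for this denial, built here only so the
    triple reads the way policy writers see it (source target:class permission)."""
    return "allow {src} {tgt}:{cls} {perms};".format(
        src=summary["source_type"], tgt=summary["target_type"],
        cls=summary["tclass"], perms=" ".join(summary["perms"]))


if __name__ == "__main__":
    for event_id, event in correlate(SAMPLE_AUDIT).items():
        s = summarize(event)
        print(event_id, s["comm"], s["exe"], s["syscall"], s["errno"])
        print(" ", to_allow_rule(s))
```

For the records in this bug the summary shows staff_t executing a mozilla_home_t file, which is exactly the triple audit2allow -w matches against the allow_staff_exec_content boolean in comment 3; the SYSCALL half adds that the failing call was execve from /usr/lib64/firefox-3.1b3/firefox returning EACCES, so the denial, not a crash, is what the user saw.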

Comment 1 Daniel Walsh 2009-04-11 12:09:56 UTC
This looks like firefox is trying to execute a python file in your home directory under .mozilla?

This should be allowed by current Rawhide policy if you are allowing content to be executed in your home dir.

selinux-policy-3.6.12-2.fc11.noarch

allow_staff_exec_content --> on

Comment 2 Matěj Cepl 2009-04-14 14:29:05 UTC
(In reply to comment #1)
> This looks like firefox is trying to execute a python file in your home
> directory under .mozilla?
> 
> This should be allowed by current Rawhide policy  if you are allowing content
> to be executed in your home dir.
> 
> selinux-policy-3.6.12-2.fc11.noarch
> 
> allow_staff_exec_content --> on  

Except, I have allow_staff_exec_content on. But also I have some crashes on /var (using BTRFS), could it be related?

Comment 3 Daniel Walsh 2009-04-14 15:00:28 UTC
audit2allow -w -i /tmp/t
node=viklef.ceplovi.cz type=AVC msg=audit(1239178310.656:45): avc:  denied  { execute } for  pid=3918 comm="firefox" name="dbusnotify.py" dev=dm-6 ino=737596 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:mozilla_home_t:s0 tclass=file

	Was caused by:
		Unknown - would be allowed by active policy
		Possible mismatch between this policy and the one under which the audit message was generated.

		Possible mismatch between current in-memory boolean settings vs. permanent ones.

rpm -q selinux-policy
selinux-policy-3.6.12-3.fc11.noarch

# setsebool -P allow_staff_exec_content=0
# audit2allow -w -i /tmp/t
node=viklef.ceplovi.cz type=AVC msg=audit(1239178310.656:45): avc:  denied  { execute } for  pid=3918 comm="firefox" name="dbusnotify.py" dev=dm-6 ino=737596 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:mozilla_home_t:s0 tclass=file

	Was caused by:
	The boolean allow_staff_exec_content was set incorrectly. 
	Description:
	allow_staff_exec_content

	Allow access by executing:
	# setsebool -P allow_staff_exec_content 1
sh-4.0# 

I think you need to update your policy.  I don't think the btrfs problem is related.