Bug 496243

Summary: SELinux is preventing the evince from using potentially mislabeled files (.recently-used.xbel).
Product: [Fedora] Fedora Reporter: Ruben Kerkhof <ruben>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: rawhideCC: dwalsh, jkubin, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-04-18 04:20:24 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Ruben Kerkhof 2009-04-17 10:09:56 EDT

SELinux is preventing the evince from using potentially mislabeled files

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux has denied evince access to potentially mislabeled file(s)
(.recently-used.xbel). This means that SELinux will not allow evince to use
these files. It is common for users to edit files in their home directory or tmp
directories and then move (mv) them to system directories. The problem is that
the files end up with the wrong file context which confined applications are not
allowed to access.

Allowing Access:

If you want evince to access this files, you need to relabel them using
restorecon -v '.recently-used.xbel'. You might want to relabel the entire
directory using restorecon -R -v ''.

Additional Information:

Source Context                unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c102
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                .recently-used.xbel [ file ]
Source                        evince
Source Path                   /usr/bin/evince
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           evince-2.26.1-1.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-4.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   home_tmp_bad_labels
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                     #1 SMP Mon Apr 13 14:16:25
                              EDT 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 17 Apr 2009 03:56:14 PM CEST
Last Seen                     Fri 17 Apr 2009 03:56:14 PM CEST
Local ID                      111f82c5-849c-41c7-8253-6ddc8f5809f6
Line Numbers                  

Raw Audit Messages            

node=localhost.localdomain type=AVC msg=audit(1239976574.565:68): avc:  denied  { unlink } for  pid=3627 comm="evince" name=".recently-used.xbel" dev=dm-1 ino=386018 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1239976574.565:68): arch=c000003e syscall=82 success=yes exit=0 a0=c7b250 a1=9950c0 a2=bc2b90 a3=1 items=0 ppid=3626 pid=3627 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=7 comm="evince" exe="/usr/bin/evince" subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null)
Comment 1 Daniel Walsh 2009-04-17 11:07:01 EDT
If you want to use nsplugin you can not use mozplugger with the evince/ooffice plugin.

Or you can turn off the nsplugin transition

setsebool -P allow_unconfined_nsplugin_transition 1
Comment 2 Ruben Kerkhof 2009-04-18 04:20:24 EDT
Ah, sorry about that. I didn't realize mozplugger was the culprit.