Bug 639510

Summary: SELinux is preventing /usr/libexec/totem-plugin-viewer "write" access on orbit-hicham.
Product: [Fedora] Fedora Reporter: Hicham HAOUARI <hicham.haouari>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 14CC: dwalsh, hicham.haouari, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:8807415b770336685bc14c7ff2d3bd8ee8519629a9289829d8e3e539a940760a
Fixed In Version: selinux-policy-3.9.5-10.fc14 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-10-05 13:09:26 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Hicham HAOUARI 2010-10-02 00:45:23 UTC 
Summary:

SELinux is preventing /usr/libexec/totem-plugin-viewer "write" access on
orbit-hicham.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by totem-plugin-vi. It is not expected that this
access is required by totem-plugin-vi and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
                              0.c1023
Target Context                unconfined_u:object_r:user_tmp_t:s0
Target Objects                orbit-hicham [ dir ]
Source                        totem-plugin-vi
Source Path                   /usr/libexec/totem-plugin-viewer
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           totem-mozplugin-2.31.6-3.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.5-8.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.6-37.fc14.i686
                              #1 SMP Fri Oct 1 06:20:51 UTC 2010 i686 i686
Alert Count                   3
First Seen                    Sat 02 Oct 2010 12:42:21 AM WET
Last Seen                     Sat 02 Oct 2010 12:42:21 AM WET
Local ID                      7fd5fa20-1ec0-4e03-b754-39ee83efccd7
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1285980141.780:51): avc:  denied  { write } for  pid=3158 comm="totem-plugin-vi" name="orbit-hicham" dev=sda1 ino=278540 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir

node=(removed) type=AVC msg=audit(1285980141.780:51): avc:  denied  { add_name } for  pid=3158 comm="totem-plugin-vi" name="linc-c56-0-548a303dbedab" scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir

node=(removed) type=AVC msg=audit(1285980141.780:51): avc:  denied  { create } for  pid=3158 comm="totem-plugin-vi" name="linc-c56-0-548a303dbedab" scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file

node=(removed) type=SYSCALL msg=audit(1285980141.780:51): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bfdc39a0 a2=ae0784 a3=d items=0 ppid=1 pid=3158 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="totem-plugin-vi" exe="/usr/libexec/totem-plugin-viewer" subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  catchall,totem-plugin-vi,mozilla_plugin_t,user_tmp_t,dir,write
audit2allow suggests:

#============= mozilla_plugin_t ==============
#!!!! The source type 'mozilla_plugin_t' can write to a 'dir' of the following types:
# nsplugin_home_t, mozilla_plugin_tmp_t, tmpfs_t, user_fonts_cache_t, mozilla_plugin_tmpfs_t, user_home_t, gnome_home_type, tmp_t

allow mozilla_plugin_t user_tmp_t:dir { write add_name };
allow mozilla_plugin_t user_tmp_t:sock_file create;
Comment 1 Daniel Walsh 2010-10-03 11:26:21 UTC 
Fixed in selinux-policy-3.9.5-9.fc14
Comment 2 Fedora Update System 2010-10-04 19:37:23 UTC 
selinux-policy-3.9.5-10.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.5-10.fc14
Comment 3 Fedora Update System 2010-10-05 13:06:45 UTC 
selinux-policy-3.9.5-10.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.