| Summary: | SELinux is preventing /usr/libexec/totem-plugin-viewer from 'write' accesses on the sock_file /var/lib/sss/pipes/nss. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | James Laska <jlaska> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | rawhide | CC: | dwalsh, jturner, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:e1409cdc8aa02d559f5d146d64289f22bfb8def8bb8679095a0b7da03f8cfeda | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-02-16 14:59:21 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
*** This bug has been marked as a duplicate of bug 677762 ***
My web zimbra calendar issued a meeting notification reminder. I believe it attempted to play a sound with the reminder, and this caused the AVC below.

SELinux is preventing /usr/libexec/totem-plugin-viewer from 'write' accesses on the sock_file /var/lib/sss/pipes/nss.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that totem-plugin-viewer should be allowed write access on the nss sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep totem-plugin-vi /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023
Target Context                system_u:object_r:sssd_var_lib_t:s0
Target Objects                /var/lib/sss/pipes/nss [ sock_file ]
Source                        totem-plugin-vi
Source Path                   /usr/libexec/totem-plugin-viewer
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           totem-mozplugin-2.91.6-4.fc15
Target RPM Packages
Policy RPM                    selinux-policy-3.9.14-2.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux flatline 2.6.38-0.rc4.git7.1.fc15.x86_64 #1 SMP Mon Feb 14 01:29:48 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 16 Feb 2011 08:55:35 AM EST
Last Seen                     Wed 16 Feb 2011 08:55:35 AM EST
Local ID                      d0f91d87-a8f0-4a37-9de5-3fb6ddf13511

Raw Audit Messages
type=AVC msg=audit(1297864535.694:435): avc: denied { write } for pid=19415 comm="totem-plugin-vi" name="nss" dev=dm-3 ino=413374 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file

type=AVC msg=audit(1297864535.694:435): avc: denied { connectto } for pid=19415 comm="totem-plugin-vi" path="/var/lib/sss/pipes/nss" scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket

type=SYSCALL msg=audit(1297864535.694:435): arch=x86_64 syscall=connect success=yes exit=0 a0=6 a1=7fffbf49c230 a2=6e a3=7fffbf49bf10 items=0 ppid=1 pid=19415 auid=3633 uid=3633 gid=3633 euid=3633 suid=3633 fsuid=3633 egid=3633 sgid=3633 fsgid=3633 tty=(none) ses=2 comm=totem-plugin-vi exe=/usr/libexec/totem-plugin-viewer subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)

Hash: totem-plugin-vi,mozilla_plugin_t,sssd_var_lib_t,sock_file,write

audit2allow

#============= mozilla_plugin_t ==============
allow mozilla_plugin_t sssd_t:unix_stream_socket connectto;
allow mozilla_plugin_t sssd_var_lib_t:sock_file write;

audit2allow -R

#============= mozilla_plugin_t ==============
allow mozilla_plugin_t sssd_t:unix_stream_socket connectto;
allow mozilla_plugin_t sssd_var_lib_t:sock_file write;