Bug 691467

Summary: SELinux is preventing /sbin/consoletype from 'write' accesses on the file /home/john/.mozilla/firefox/lybrs0rk.default/.parentlock.
Product: [Fedora] Fedora
Reporter: John <jth4375>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED INSUFFICIENT_DATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 14
CC: dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:8d693db54873678faad72c54c186b1922d8a78ebda3e13e21ebd2f65681fc2c3
Doc Type: Bug Fix
Last Closed: 2011-04-17 09:06:24 UTC

Description John 2011-03-28 16:02:44 UTC
SELinux is preventing /sbin/consoletype from 'write' accesses on the file /home/(removed)/.mozilla/firefox/lybrs0rk.default/.parentlock.

*****  Plugin leaks (50.5 confidence) suggests  ******************************

If you want to ignore consoletype trying to write access the .parentlock file, because you believe it should not need this access.
Then you should report this as a bug.  
You can generate a local policy module to dontaudit this access.
Do
# grep /sbin/consoletype /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

*****  Plugin catchall (50.5 confidence) suggests  ***************************

If you believe that consoletype should be allowed write access on the .parentlock file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep consoletype /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:system_r:consoletype_t:s0
Target Context                unconfined_u:object_r:mozilla_home_t:s0
Target Objects                /home/(removed)/.mozilla/firefox/lybrs0rk.default/.pare
                              ntlock [ file ]
Source                        consoletype
Source Path                   /sbin/consoletype
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           initscripts-9.20.2-1.fc14.1
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-37.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.11-83.fc14.i686 #1 SMP Mon Feb 7
                              07:04:18 UTC 2011 i686 i686
Alert Count                   2
First Seen                    Mon 28 Mar 2011 04:54:58 PM BST
Last Seen                     Mon 28 Mar 2011 04:54:59 PM BST
Local ID                      1bb469ba-5a55-4955-872c-cade33eff0f4

Raw Audit Messages
type=AVC msg=audit(1301327699.137:28249): avc:  denied  { write } for  pid=3254 comm="consoletype" path="/home/(removed)/.mozilla/firefox/lybrs0rk.default/.parentlock" dev=dm-2 ino=1573288 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:object_r:mozilla_home_t:s0 tclass=file


type=AVC msg=audit(1301327699.137:28249): avc:  denied  { read } for  pid=3254 comm="consoletype" path="/dev/urandom" dev=devtmpfs ino=4037 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file


type=AVC msg=audit(1301327699.137:28249): avc:  denied  { read } for  pid=3254 comm="consoletype" path="/home/(removed)/.mozilla/firefox/lybrs0rk.default/XUL.mfasl" dev=dm-2 ino=1573364 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:object_r:mozilla_home_t:s0 tclass=file


type=AVC msg=audit(1301327699.137:28249): avc:  denied  { read write } for  pid=3254 comm="consoletype" path="socket:[358983]" dev=sockfs ino=358983 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=tcp_socket


type=AVC msg=audit(1301327699.137:28249): avc:  denied  { read write } for  pid=3254 comm="consoletype" path="/home/(removed)/.mozilla/firefox/lybrs0rk.default/Cache/_CACHE_MAP_" dev=dm-2 ino=1575073 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:object_r:mozilla_home_t:s0 tclass=file


type=AVC msg=audit(1301327699.137:28249): avc:  denied  { read write } for  pid=3254 comm="consoletype" path="/home/(removed)/.mozilla/firefox/lybrs0rk.default/Cache/_CACHE_001_" dev=dm-2 ino=1575094 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:object_r:mozilla_home_t:s0 tclass=file


type=AVC msg=audit(1301327699.137:28249): avc:  denied  { read write } for  pid=3254 comm="consoletype" path="/home/(removed)/.mozilla/firefox/lybrs0rk.default/Cache/_CACHE_002_" dev=dm-2 ino=1575097 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:object_r:mozilla_home_t:s0 tclass=file


type=AVC msg=audit(1301327699.137:28249): avc:  denied  { read write } for  pid=3254 comm="consoletype" path="/home/(removed)/.mozilla/firefox/lybrs0rk.default/Cache/_CACHE_003_" dev=dm-2 ino=1575100 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:object_r:mozilla_home_t:s0 tclass=file


type=AVC msg=audit(1301327699.137:28249): avc:  denied  { read } for  pid=3254 comm="consoletype" path="/home/(removed)/.mozilla/firefox/lybrs0rk.default/XPC.mfasl" dev=dm-2 ino=1573291 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:object_r:mozilla_home_t:s0 tclass=file


type=SYSCALL msg=audit(1301327699.137:28249): arch=i386 syscall=execve success=yes exit=0 a0=950a4d0 a1=950af00 a2=950af90 a3=950af00 items=0 ppid=3253 pid=3254 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=consoletype exe=/sbin/consoletype subj=unconfined_u:system_r:consoletype_t:s0 key=(null)

Hash: consoletype,consoletype_t,mozilla_home_t,file,write

audit2allow

#============= consoletype_t ==============
allow consoletype_t mozilla_home_t:file { write read };
allow consoletype_t unconfined_t:tcp_socket { read write };
#!!!! This avc can be allowed using the boolean 'global_ssp'

allow consoletype_t urandom_device_t:chr_file read;

audit2allow -R

#============= consoletype_t ==============
allow consoletype_t mozilla_home_t:file { write read };
allow consoletype_t unconfined_t:tcp_socket { read write };
#!!!! This avc can be allowed using the boolean 'global_ssp'

allow consoletype_t urandom_device_t:chr_file read;

Comment 1 Miroslav Grepl 2011-03-29 11:44:33 UTC
What tool were you using when this happened?