| Summary: | SELinux is preventing /usr/lib64/xulrunner-2/plugin-container from 'use' accesses on the fd /dev/null. | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Nicolas Mailhot <nicolas.mailhot> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | rawhide | CC: | dominick.grift, dwalsh, eparis, mgrepl, sgrubb |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | setroubleshoot_trace_hash:019d573e441a620948b5e81f6b3e1f60da1991caaa443962100b0886c28dd513 | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-11-21 16:56:18 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Did you notice any loss of functionality here? We're seeing this "fd use" in places we don't expect them. Some may be ignored (e.g. we might be able to silently deny them).

Well, we are looking for these in Rawhide now. We usually have the allow_domain_fd_use boolean turned on and will turn it back on when we get closer to beta. We are trying to understand where this access is necessary and understand what it even means. Did you notice any breakage in the app?

Steve, any idea why mozilla_plugin_t would be using a fd owned by unconfined_dbusd_t which points to /dev/null? I have a hard time even understanding these AVCs.

(In reply to comment #2)
> Did you notice any breakage in the app?

Not really, but it happened while I was checking the dovecot avc bugs (which *did* break login in dovecot) and I had already disabled enforcing to get to my mai

Yes, I did add the "fd use" for dovecot_deliver to postfix_master because that one seemed legit to me. But this one is a bit different.

Fixed in release.
```
SELinux is preventing /usr/lib64/xulrunner-2/plugin-container from 'use' accesses on the fd /dev/null.

*****  Plugin catchall_boolean (80.5 confidence) suggests  *******************

If you want to allow all domains to use other domains file descriptors
Then you must tell SELinux about this by enabling the 'allow_domain_fd_use' boolean.
Do
setsebool -P allow_domain_fd_use 1

*****  Plugin leaks (10.5 confidence) suggests  ******************************

If you want to ignore plugin-container trying to use access the null fd, because you believe it should not need this access.
Then you should report this as a bug.
You can generate a local policy module to dontaudit this access.
Do
# grep /usr/lib64/xulrunner-2/plugin-container /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

*****  Plugin catchall (10.5 confidence) suggests  ***************************

If you believe that plugin-container should be allowed use access on the null fd by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep plugin-containe /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023
Target Objects                /dev/null [ fd ]
Source                        plugin-containe
Source Path                   /usr/lib64/xulrunner-2/plugin-container
Port                          <Inconnu>
Host                          (removed)
Source RPM Packages           xulrunner-2.0.1-2.fc16
Target RPM Packages
Policy RPM                    selinux-policy-3.9.16-28.fc16
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.0-0.rc3.git0.3.fc16.x86_64 #1 SMP Tue Jun 14 17:13:27 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    mer. 15 juin 2011 21:09:09 CEST
Last Seen                     mer. 15 juin 2011 21:09:09 CEST
Local ID                      56cd4259-8011-4555-a812-4515f052e882

Raw Audit Messages
type=AVC msg=audit(1308164949.499:95): avc: denied { use } for pid=2703 comm="plugin-containe" path="/dev/null" dev=devtmpfs ino=5052 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 tclass=fd

type=AVC msg=audit(1308164949.499:95): avc: denied { use } for pid=2703 comm="plugin-containe" path="/dev/null" dev=devtmpfs ino=5052 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 tclass=fd

type=SYSCALL msg=audit(1308164949.499:95): arch=x86_64 syscall=execve success=yes exit=0 a0=7fcb5800bac8 a1=7fcb5800c210 a2=28f1010 a3=7fcb5f79d6a0 items=0 ppid=2647 pid=2703 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=plugin-containe exe=/usr/lib64/xulrunner-2/plugin-container subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)

Hash: plugin-containe,mozilla_plugin_t,unconfined_dbusd_t,fd,use

audit2allow

#============= mozilla_plugin_t ==============
#!!!! This avc can be allowed using the boolean 'allow_domain_fd_use'
allow mozilla_plugin_t unconfined_dbusd_t:fd use;

audit2allow -R

#============= mozilla_plugin_t ==============
#!!!! This avc can be allowed using the boolean 'allow_domain_fd_use'
allow mozilla_plugin_t unconfined_dbusd_t:fd use;
```

No idea if it's a policy or firefox bug, looks scary and should be fixed one way or the other anyway.
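The raw AVC record above is what audit2allow turns into the `allow mozilla_plugin_t unconfined_dbusd_t:fd use;` rule, and the comment thread shows how hard an `fd use` denial is to read at a glance. The following Python is an added example written for this page; it is not code from the report, from setroubleshoot or from the selinux-policy project. It parses `type=AVC` records in the standard audit layout, extracts the source and target types from the security contexts, reproduces the single-rule form audit2allow prints, flags `fd use` denials as the class that the `allow_domain_fd_use` boolean toggles (as the report's audit2allow output states), and explains the denial in plain words. The first sample line is the record from this report; the SYSCALL line is shortened; the third line is a constructed file-read denial so the classifier has a non-fd case to contrast with.

```python
"""Parse SELinux AVC denial records and derive their policy consequences.

Added example for this bug page; not code from the report, setroubleshoot
or the selinux-policy project. Expects the standard type=AVC record layout.
"""
import re
from typing import Dict, List, Optional

# Constructed input: record 1 is copied from the report above, record 2 is
# the report's SYSCALL record shortened, record 3 is constructed (not from
# the report) to give the classifier a non-fd denial.
SAMPLE_AUDIT_LINES: List[str] = [
    'type=AVC msg=audit(1308164949.499:95): avc: denied { use } for pid=2703 '
    'comm="plugin-containe" path="/dev/null" dev=devtmpfs ino=5052 '
    'scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 tclass=fd',
    'type=SYSCALL msg=audit(1308164949.499:95): arch=x86_64 syscall=execve '
    'success=yes exit=0 pid=2703 comm=plugin-containe',
    'type=AVC msg=audit(1308165000.123:96): avc: denied { read } for pid=2710 '
    'comm="plugin-containe" name="example.conf" dev=sda1 ino=42 '
    'scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file',
]

# Header of an AVC record: timestamp:serial, decision, permission set, then
# the key=value fields that describe the subject and object.
AVC_RE = re.compile(
    r'^type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+'
    r'(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values are either double-quoted or bare tokens.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def context_type(ctx: str) -> str:
    """Return the type (third component) of a security context, e.g.
    'mozilla_plugin_t' from 'unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023'."""
    parts = ctx.split(':')
    return parts[2] if len(parts) > 2 else ctx


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Parse one type=AVC record into a dict; non-AVC lines yield None."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields: Dict[str, str] = {}
    for key, whole, quoted, bare in KV_RE.findall(m.group('rest')):
        fields[key] = quoted if whole.startswith('"') else bare
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None  # malformed record: cannot derive a rule without the contexts
    return {
        'serial': int(m.group('serial')),
        'decision': m.group('decision'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'path': fields.get('path', fields.get('name')),
        'source_type': context_type(fields['scontext']),
        'target_type': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
    }


def parse_audit_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Keep only the AVC records from a run of audit.log lines."""
    return [r for r in (parse_avc(l) for l in lines) if r is not None]


def te_rule(avc: Dict[str, object]) -> str:
    """The narrowest allow rule for this exact access, in the form audit2allow
    prints it: one permission bare, several in braces."""
    perms = avc['perms']
    perm_text = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {avc['source_type']} {avc['target_type']}:{avc['tclass']} {perm_text};"


def boolean_hint(avc: Dict[str, object]) -> Optional[str]:
    """Name the policy boolean that already covers this access class, if any.
    The report's audit2allow output ties fd:use denials to allow_domain_fd_use."""
    if avc['tclass'] == 'fd' and avc['perms'] == ['use']:
        return 'allow_domain_fd_use'
    return None


def explain(avc: Dict[str, object]) -> str:
    """Plain-words reading of the denial. fd:use means the source domain is
    using a descriptor that a process in the target domain opened; the path
    is what that inherited descriptor refers to, not a file being opened."""
    if avc['tclass'] == 'fd' and avc['perms'] == ['use']:
        return (f"{avc['comm']} ({avc['source_type']}) is using a file descriptor "
                f"referring to {avc['path']} that was opened by a process in "
                f"{avc['target_type']}; the descriptor was inherited, not opened.")
    return (f"{avc['comm']} ({avc['source_type']}) attempted {' '.join(avc['perms'])} "
            f"on a {avc['tclass']} labelled {avc['target_type']} ({avc['path']}).")


if __name__ == '__main__':
    for rec in parse_audit_lines(SAMPLE_AUDIT_LINES):
        print(f"serial {rec['serial']}: {explain(rec)}")
        print(f"  rule:    {te_rule(rec)}")
        print(f"  boolean: {boolean_hint(rec) or '(none; needs a specific rule or a dontaudit)'}")
```

The three outputs map onto the three setroubleshoot suggestions: the boolean is the broadest fix (it grants every domain the same access), the single `allow` rule is the narrowest, and a `dontaudit` (the `audit2allow -D` path) silences the denial without granting anything, which is the right choice once it is established that the inherited descriptor is harmless, as the maintainers were weighing for this /dev/null case.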