Bug 742765

Summary: SELinux is preventing /usr/lib64/xulrunner-2/plugin-container from execute access on the arquivo /usr/lib64/mozilla/plugins/libflashplayer.so.
Product: [Fedora] Fedora Reporter: Rafael Santos <rafael>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: unspecified    
Version: 16CC: dominick.grift, dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-10-03 08:21:38 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Rafael Santos 2011-10-02 16:36:02 UTC 
Description of problem:

When I try to play a video on youtube crashes firefox


How reproducible:
Install flash plugin 64 bits and play a video with firefox

Steps to Reproduce:
1. First i install flash plugin 64bits, get here: http://download.macromedia.com/pub/labs/flashplatformruntimes/flashplayer11/flashplayer11_rc1_install_lin_32_090611.tar.gz

2. I just move the file "libflashplayer.so" to /usr/lib64/mozilla/plugins

3.Open the firefox and play a video on youtube
  
log :

SELinux is preventing /usr/lib64/xulrunner-2/plugin-container from execute access on the arquivo /usr/lib64/mozilla/plugins/libflashplayer.so.

*****  Plugin restorecon (confiança 99.5 ) sugere  ***************************

Seyou want to fix the label. 
/usr/lib64/mozilla/plugins/libflashplayer.so default label should be lib_t.
Entãoyou can run restorecon.
Faça
# /sbin/restorecon -v /usr/lib64/mozilla/plugins/libflashplayer.so

*****  Plugin catchall (confiança 1.49 ) sugere  *****************************

Seyou believe that plugin-container should be allowed execute access on the libflashplayer.so file by default.
Entãoyou should report this as a bug.
You can generate a local policy module to allow this access.
Faça
allow this access for now by executing:
# grep plugin-containe /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Contexto de origem            unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
                              0.c1023
Contexto de destino           unconfined_u:object_r:user_home_t:s0
Objetos de destino            /usr/lib64/mozilla/plugins/libflashplayer.so [
                              file ]
Origem                        plugin-containe
Caminho da origem             /usr/lib64/xulrunner-2/plugin-container
Porta                         <Desconhecido>
Máquina                       shanks
Pacotes RPM de origem         xulrunner-7.0-1.fc16
Pacotes RPM de destino        
RPM da política               selinux-policy-3.10.0-32.fc16
Selinux habilitado            True
Tipo de política              targeted
Modo reforçado                Enforcing
Nome da máquina               shanks
Plataforma                    Linux shanks 3.1.0-0.rc8.git0.0.fc16.x86_64 #1 SMP
                              Wed Sep 28 01:31:14 UTC 2011 x86_64 x86_64
Contador de alertas           1
Visto pela primeira vez em    Dom 02 Out 2011 13:06:20 BRT
Visto pela última vez em      Dom 02 Out 2011 13:06:20 BRT
ID local                      ca21a413-b5d9-42d5-adb4-e50acdd023b3

Mensagens de auditoria não processadas
type=AVC msg=audit(1317571580.912:165): avc:  denied  { execute } for  pid=5487 comm="plugin-containe" path="/usr/lib64/mozilla/plugins/libflashplayer.so" dev=sda1 ino=164585 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file


type=SYSCALL msg=audit(1317571580.912:165): arch=x86_64 syscall=mmap success=no exit=EACCES a0=0 a1=15055a8 a2=5 a3=802 items=0 ppid=4736 pid=5487 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=6 comm=plugin-containe exe=/usr/lib64/xulrunner-2/plugin-container subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)

Hash: plugin-containe,mozilla_plugin_t,user_home_t,file,execute

audit2allow

#============= mozilla_plugin_t ==============
allow mozilla_plugin_t user_home_t:file execute;

audit2allow -R

#============= mozilla_plugin_t ==============
allow mozilla_plugin_t user_home_t:file execute;





Additional info:

To solve the problem I just ran the following command as root

# /sbin/restorecon -v /usr/lib64/mozilla/plugins/libflashplayer.so

I believe that users will bother to run this command after installing the final version, so I'm reporting
Comment 1 Dominick Grift 2011-10-02 17:10:20 UTC 
The issue is that you have moved the lib from your home directory to the mozilla plugin directory. If you would have copied the file instead of move it this issue would not have happened.

But i agree. Users that stick to the default SElinux user mapping in a default installation are usually not familiar with SELinux and probably think this is some kind of bug.

Therefore we should not run anything confined for these users, as that will confront them with issues like the issue you report above.

Fedora should set "unconfined_mozilla_plugin_transition" to off by default, and maybe she will by the time Fedora 16 goes stable. Currently it is beta.

The matter is pretty complicated.

Fedora has a "unconfined" SELinux environment and it is currently the default SELinux environment for users. This environment was as far as i know designed so that (specified) users could be exempted from SELinux restriction/protection.

This unconfined SELinux environment was designed i think in Fedora 3, because when SELinux was introduced in Fedora 2 (i believe), there were only protected/restricted SELinux environments. Users were not happy by these restrictions. (i guess also because then it had rought edges)

The problem in my view is that the unconfined SELinux environment that was designed was implemented as a permanent solution to the problem described above, rather that a temporary solution, until the protected SELinux environments were better polished.

This caused problems later, as the man focus was on the unconfined SELinux environment, and by the time the restricted SELinux user environments were merged (back) in (In fedora 8) Almost no one bothered to use it, and Fedora did not force/stimulate it because they left the unconfined SELinux user environment to be the default.

And in the mean time the model was broken in the sense that Fedora started using SELinux to protect the unprotected (or confine the unconfined) by using SELinux to implement memory protection by default and other protection,

And so over time the unconfined domain became more confined and the very issues that caused Fedora to design the unconfined domain in the first place, resurfaced or were reintroduced.

Nowadays, it seems that Fedora is haunted by these earlier decisions. when policy for protecting the user space is introduced, Fedora sometimes enables it for the default unconfined users during the beta and alpha stage to expose it to a greater audience for optimal testing.

And so we encounter reports like yours, which make great sense to me. In the meantime the confined/restricted SELinux user environments are placed in second place and have lower priority.

So, its all a bit messed up in my view.

The above might not make sense to you, and others might not agree on my take on history about this matter but this is how i experience it.
Comment 2 Dominick Grift 2011-10-02 17:51:49 UTC 
tl;dr

Thanks for the report but this is not a bug.

You have a good point but Fedora 16 is in beta stage (it is not ready for general consumption yet).

By the time Fedora 16 is final this should no longer happen.

If it does, then please re-open this report.