Bug 806694

Summary: SELinux is preventing /usr/lib64/xulrunner-2/plugin-container from 'write' accesses on the directory at-spi2.
Product: Fedora
Reporter: Charles R. Anderson <cra>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 17
CC: 19feet, alberto.fusari, dominick.grift, dwalsh, mgrepl, pavel.ondracka
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:5d0f2f9f88cc0a037d97771b5e37898083a983f059f57b73da39c2ebe4b0a934
Doc Type: Bug Fix
Last Closed: 2012-12-15 19:35:41 UTC

Description Charles R. Anderson 2012-03-26 02:32:49 UTC
libreport version: 2.0.8
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.3.0-1.fc17.x86_64
reason:         SELinux is preventing /usr/lib64/xulrunner-2/plugin-container from 'write' accesses on the directory at-spi2.
time:           Sun 25 Mar 2012 10:32:30 PM EDT

description:
:SELinux is preven(removed)ing /usr/lib64/xulrunner-2/plugin-con(removed)ainer from 'wri(removed)e' accesses on (removed)he direc(removed)ory a(removed)-spi2.
:
:*****  Plugin ca(removed)chall (100. confidence) sugges(removed)s  ***************************
:
:If you believe (removed)ha(removed) plugin-con(removed)ainer should be allowed wri(removed)e access on (removed)he a(removed)-spi2 direc(removed)ory by defaul(removed).
:Then you should repor(removed) (removed)his as a bug.
:You can genera(removed)e a local policy module (removed)o allow (removed)his access.
:Do
:allow (removed)his access for now by execu(removed)ing:
:# grep plugin-con(removed)aine /var/log/audi(removed)/audi(removed).log | audi(removed)2allow -M mypol
:# semodule -i mypol.pp
:
:Addi(removed)ional Informa(removed)ion:
:Source Con(removed)ex(removed)                unconfined_u:unconfined_r:mozilla_plugin_(removed):s0-s0:c
:                              0.c1023
:Targe(removed) Con(removed)ex(removed)                sys(removed)em_u:objec(removed)_r:xdm_(removed)mp_(removed):s0
:Targe(removed) Objec(removed)s                a(removed)-spi2 [ dir ]
:Source                        plugin-con(removed)aine
:Source Pa(removed)h                   /usr/lib64/xulrunner-2/plugin-con(removed)ainer
:Por(removed)                          <Unknown>
:Hos(removed)                          (removed)
:Source RPM Packages           (removed)o(removed)em-mozplugin-3.3.90-2.fc17.x86_64
:Targe(removed) RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-104.fc17.noarch selinux-
:                              policy-3.10.0-106.fc17.noarch
:Selinux Enabled               True
:Policy Type                   (removed)arge(removed)ed
:Enforcing Mode                Enforcing
:Hos(removed) Name                     (removed)
:Pla(removed)form                      Linux (removed) 3.3.0-1.fc17.x86_64 #1 SMP Mon Mar 19
:                              03:03:39 UTC 2012 x86_64 x86_64
:Aler(removed) Coun(removed)                   10
:Firs(removed) Seen                    Sun 25 Mar 2012 10:18:26 PM EDT
:Las(removed) Seen                     Sun 25 Mar 2012 10:26:07 PM EDT
:Local ID                      0c54a5af-86ea-4ff3-897f-5df27f056693
:
:Raw Audi(removed) Messages
:(removed)ype=AVC msg=audi(removed)(1332728767.141:419): avc:  denied  { wri(removed)e } for  pid=7442 comm="(removed)o(removed)em-plugin-vi" name="a(removed)-spi2" dev="dm-1" ino=262184 scon(removed)ex(removed)=unconfined_u:unconfined_r:mozilla_plugin_(removed):s0-s0:c0.c1023 (removed)con(removed)ex(removed)=sys(removed)em_u:objec(removed)_r:xdm_(removed)mp_(removed):s0 (removed)class=dir
:
:
:(removed)ype=SYSCALL msg=audi(removed)(1332728767.141:419): arch=x86_64 syscall=bind success=no exi(removed)=EACCES a0=8 a1=7fffcebaa350 a2=25 a3=7fffcebaa040 i(removed)ems=0 ppid=1 pid=7442 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 (removed)(removed)y=(none) ses=10 comm=(removed)o(removed)em-plugin-vi exe=/usr/libexec/(removed)o(removed)em-plugin-viewer subj=unconfined_u:unconfined_r:mozilla_plugin_(removed):s0-s0:c0.c1023 key=(null)
:
:Hash: plugin-con(removed)aine,mozilla_plugin_(removed),xdm_(removed)mp_(removed),dir,wri(removed)e
:
:audi(removed)2allowunable (removed)o open /sys/fs/selinux/policy:  Permission denied
:
:
:audi(removed)2allow -Runable (removed)o open /sys/fs/selinux/policy:  Permission denied
:
:

Comment 1 Miroslav Grepl 2012-03-26 14:11:47 UTC
Could you please execute

# ausearch -m avc |grep mozilla_plugin_t

Comment 2 Pavel Ondračka 2012-05-20 08:43:42 UTC
# ausearch -m avc |grep mozilla_plugin_t
type=AVC msg=audit(1337495227.984:393): avc:  denied  { setattr } for  pid=6043 comm="plugin-containe" name="at-spi2" dev="sda4" ino=262190 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1337495227.984:394): avc:  denied  { write } for  pid=6043 comm="plugin-containe" name="at-spi2" dev="sda4" ino=262190 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
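
The records in Comment 2 are the readable ones (the copies in the description were mangled by setroubleshoot's hostname-removal, see Comment 3), so they make a good input for showing what the `audit2allow -M mypol` step from the description actually does with them. The following is an added example, not code from this bug or from the selinux-policy project: it parses the AVC lines, groups denials by (source type, target type, object class), unions the permissions, and emits a `.te` module in the shape audit2allow produces. The function names, the `SAMPLE_AUDIT_LOG` constant and the trailing SYSCALL line in it are constructed for the example.

```python
"""Summarise SELinux AVC denials into the allow rules audit2allow would propose."""
import re
from collections import defaultdict

# Constructed sample input: the two AVC records posted in Comment 2 of this bug,
# plus one non-AVC record (made up) to show that unrelated audit lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1337495227.984:393): avc:  denied  { setattr } for  pid=6043 comm="plugin-containe" name="at-spi2" dev="sda4" ino=262190 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1337495227.984:394): avc:  denied  { write } for  pid=6043 comm="plugin-containe" name="at-spi2" dev="sda4" ino=262190 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1337495227.984:394): arch=c000003e syscall=49 success=no exit=-13 pid=6043 comm="plugin-containe"
"""

# The denied permission set sits inside braces; every other field is key=value.
PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial, or None for any other audit record."""
    if not line.startswith("type=AVC"):
        return None
    m = PERMS_RE.search(line)
    if not m:
        return None  # e.g. "granted" records: not a denial, nothing to allow
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    # A context is user:role:type[:range]; TE allow rules are written against the type.
    return {
        "perms": set(m.group(1).split()),
        "comm": fields.get("comm", ""),
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def aggregate(log_text):
    """Group denials by (source type, target type, class) and union their permissions."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            groups[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return groups


def allow_rules(groups):
    """Render each group as one TE allow rule carrying the merged permission list."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(groups.items()):
        plist = " ".join(sorted(perms))
        body = plist if len(perms) == 1 else "{ " + plist + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {body};")
    return rules


def module_source(name, groups):
    """Assemble a .te file laid out like audit2allow -M output: module, require block, rules."""
    types = sorted({t for key in groups for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in groups.items():
        classes[tclass] |= perms
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + allow_rules(groups)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(module_source("mypol", aggregate(SAMPLE_AUDIT_LOG)))
```

Run against the two records above it yields the single rule `allow mozilla_plugin_t xdm_tmp_t:dir { setattr write };`. That is exactly the kind of rule to read before running `semodule -i`: it grants the whole mozilla_plugin_t domain write and setattr on every xdm_tmp_t directory, not just at-spi2, which is why a local module is a workaround and the proper fix is the policy change this bug was closed with. Note also that the `audit2allow` calls in the description failed with "Permission denied" on /sys/fs/selinux/policy because setroubleshoot ran them unprivileged; the `ausearch -m avc | audit2allow` pipeline needs to be run as root.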

Comment 3 Daniel Walsh 2012-05-21 14:04:36 UTC
I guess we need to fix the removing of the hostname code in setroubleshoot.

Chuck, did you actually see any loss of functionality, i.e. did the plugin seem to work OK?

Comment 4 Pavel Ondračka 2012-05-21 14:09:50 UTC
I did not notice any functionality loss, just the selinux warning.