Bug 808155

Summary: SELinux is preventing nspluginviewer from 'create' accesses on the file paypalLSO.sxx.
Product: [Fedora] Fedora Reporter: Marek Paśnikowski <inbox+redhat>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 17CC: dominick.grift, dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: i686   
OS: Unspecified   
Whiteboard: abrt_hash:fd766f5f7ff961e991e5e3d7883cc7184ed4e5844464d46c820d096037b5913d
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-03-29 19:33:56 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Marek Paśnikowski 2012-03-29 17:40:14 UTC 
libreport version: 2.0.10
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.3.0-5.fc17.i686
time:           Thu 29 Mar 2012 07:38:10 PM CEST

description:
:SELinux is preventing nspluginviewer from 'create' accesses on the file paypalLSO.sxx.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that nspluginviewer should be allowed create access on the paypalLSO.sxx file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep nspluginviewer /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
:                              0.c1023
:Target Context                unconfined_u:object_r:user_home_t:s0
:Target Objects                paypalLSO.sxx [ file ]
:Source                        nspluginviewer
:Source Path                   nspluginviewer
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-106.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.3.0-5.fc17.i686 #1 SMP Fri Mar
:                              23 20:52:57 UTC 2012 i686 i686
:Alert Count                   20
:First Seen                    Thu 22 Mar 2012 04:06:40 PM CET
:Last Seen                     Thu 29 Mar 2012 07:36:55 PM CEST
:Local ID                      c1fe1aa7-87c1-429d-8fcb-3b3431734918
:
:Raw Audit Messages
:type=AVC msg=audit(1333042615.35:103): avc:  denied  { create } for  pid=2329 comm="plugin-containe" name="paypalLSO.sxx" scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
:
:
:Hash: nspluginviewer,mozilla_plugin_t,user_home_t,file,create
:
:audit2allowunable to open /sys/fs/selinux/policy:  Permission denied
:
:
:audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied
:
:
Comment 1 Daniel Walsh 2012-03-29 17:51:32 UTC 
Do you know where it attempted to create this file?

paypalLSO.sxx

What were you doing when this happened?
Comment 2 Marek Paśnikowski 2012-03-29 17:57:58 UTC 
I received this report when I logged in to PayPal account. I have no idea how to find what the location of the file is. Reproduced using Firefox with Adobe Flash installed, on KDE desktop.
Comment 3 Daniel Walsh 2012-03-29 18:09:49 UTC 
Can you execute as root

# auditctl -w /etc/shadow

Generate the AVC again.

The grab the output of 

# ausearch -m avc -ts recent
Comment 4 Marek Paśnikowski 2012-03-29 18:15:18 UTC 
# ausearch -m avc -ts recent
----
time->Thu Mar 29 20:13:16 2012
type=AVC msg=audit(1333044796.212:135): avc:  denied  { create } for  pid=2329 comm="plugin-containe" name="paypalLSO.sxx" scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
----
time->Thu Mar 29 20:13:29 2012
type=AVC msg=audit(1333044809.616:136): avc:  denied  { create } for  pid=2329 comm="plugin-containe" name="paypalLSO.sxx" scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
----
time->Thu Mar 29 20:13:29 2012
type=AVC msg=audit(1333044809.622:137): avc:  denied  { create } for  pid=2329 comm="plugin-containe" name="paypalLSO.sxx" scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
Comment 5 Marek Paśnikowski 2012-03-29 18:26:16 UTC 
I just noticed a weird behavior. Firefox is running the whole time. The PayPal website was closed immediately after I generated the AVC. Many minutes later, when I closed the terminal in which I run ausearch, I received the same report again...
By the way, I am not even sure now, if this file should be allowed.
Comment 6 Daniel Walsh 2012-03-29 19:13:29 UTC 
Just out of curiosity could you run 

restorecon -R -v ~/

To see if anything gets relabeled.
Comment 7 Marek Paśnikowski 2012-03-29 19:25:50 UTC 
Got over 1000 lines of output. My /home is imported from other, non-SE distribution. The error is no more. In this case, I believe this restorecon should be run during installation of Fedora. Obviously, it did not happen, so this problem emerged.
Comment 8 Daniel Walsh 2012-03-29 19:33:56 UTC 
It is very difficult to do this on an update and since you added the disk, not much we can do.