Bug 829006
| Summary: | SELinux is preventing /usr/lib64/nspluginwrapper/npviewer.bin from 'write' accesses on the file /home/richard/.nv/GLCache/c4e629e7ad097b2afebf55a6b779ec93/32fd9331b92aa1d3/149e6d932a00536e.toc. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Richard Ruhland <bugzilla.redhat> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 17 | CC: | dominick.grift, dwalsh, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:0b97a63ff32c504f1e01865a6d3889979acd942c727a9dce8e4997ad8e24de96 | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-06-17 00:02:44 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
This file should be labeled as bin_t but I guess we should allow mozilla_plugin to execute lib_t files, since there is a decent chance of mislabled. Fixed in selinux-policy-3.10.0-129.fc17 selinux-policy-3.10.0-130.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-130.fc17 Package selinux-policy-3.10.0-130.fc17: * should fix your issue, * was pushed to the Fedora 17 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-130.fc17' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-9520/selinux-policy-3.10.0-130.fc17 then log in and leave karma (feedback). selinux-policy-3.10.0-130.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report. |
libreport version: 2.0.10 executable: /usr/bin/python2.7 hashmarkername: setroubleshoot kernel: 3.3.7-1.fc17.x86_64 time: Di 05 Jun 2012 20:35:09 CEST description: :SELinux is preventing /usr/lib64/nspluginwrapper/npviewer.bin from 'write' accesses on the file /home/richard/.nv/GLCache/c4e629e7ad097b2afebf55a6b779ec93/32fd9331b92aa1d3/149e6d932a00536e.toc. : :***** Plugin leaks (86.2 confidence) suggests ****************************** : :If sie möchten den write Zugriff von npviewer.bin,auf 149e6d932a00536e.toc file ignorieren, weil Sie glauben, dass dieser Zugriff nicht benötigt wird. :Then sie sollten dies als Fehler melden. :Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen. :Do :# grep /usr/lib64/nspluginwrapper/npviewer.bin /var/log/audit/audit.log | audit2allow -D -M mypol :# semodule -i mypol.pp : :***** Plugin catchall (14.7 confidence) suggests *************************** : :If sie denken, dass npviewer.bin standardmässig erlaubt sein sollte, write Zugriff auf 149e6d932a00536e.toc file zu erhalten. :Then sie sollten dies als Fehler melden. :Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen. :Do :zugriff jetzt erlauben, indem Sie die nachfolgenden Befehle ausführen: :# grep npviewer.bin /var/log/audit/audit.log | audit2allow -M mypol :# semodule -i mypol.pp : :Additional Information: :Source Context unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c : 0.c1023 :Target Context unconfined_u:object_r:user_home_t:s0 :Target Objects /home/richard/.nv/GLCache/c4e629e7ad097b2afebf55a6 : b779ec93/32fd9331b92aa1d3/149e6d932a00536e.toc [ : file ] :Source npviewer.bin :Source Path /usr/lib64/nspluginwrapper/npviewer.bin :Port <Unbekannt> :Host (removed) :Source RPM Packages nspluginwrapper-1.4.4-9.fc17.x86_64 :Target RPM Packages :Policy RPM selinux-policy-3.10.0-128.fc17.noarch :Selinux Enabled True :Policy Type targeted :Enforcing Mode Enforcing :Host Name (removed) :Platform Linux (removed) : 3.3.7-1.fc17.x86_64 #1 SMP Mon May 21 22:32:19 UTC : 2012 x86_64 x86_64 :Alert Count 1 :First Seen Di 05 Jun 2012 20:34:10 CEST :Last Seen Di 05 Jun 2012 20:34:10 CEST :Local ID 4764d91f-7ee3-43d1-b6f8-a873febb03c8 : :Raw Audit Messages :type=AVC msg=audit(1338921250.123:61): avc: denied { write } for pid=3711 comm="npviewer.bin" path="/home/richard/.nv/GLCache/c4e629e7ad097b2afebf55a6b779ec93/32fd9331b92aa1d3/149e6d932a00536e.toc" dev="dm-2" ino=3932492 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file : : :type=AVC msg=audit(1338921250.123:61): avc: denied { write } for pid=3711 comm="npviewer.bin" path="/home/richard/.nv/GLCache/c4e629e7ad097b2afebf55a6b779ec93/32fd9331b92aa1d3/149e6d932a00536e.bin" dev="dm-2" ino=3932503 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file : : :type=SYSCALL msg=audit(1338921250.123:61): arch=x86_64 syscall=execve success=yes exit=0 a0=2236be0 a1=2236ae0 a2=2239600 a3=8 items=0 ppid=1924 pid=3711 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm=npviewer.bin exe=/usr/lib64/nspluginwrapper/npviewer.bin subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null) : :Hash: npviewer.bin,mozilla_plugin_t,user_home_t,file,write : :audit2allowunable to open /sys/fs/selinux/policy: Permission denied : : :audit2allow -Runable to open /sys/fs/selinux/policy: Permission denied : :