Bug 834864

Summary: SELinux is preventing /usr/lib64/libreoffice/program/soffice.bin from 'create' accesses on the file .execooooKnBTH.
Product: [Fedora] Fedora
Reporter: Odysseys <odysseys>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED CANTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 17
CC: antonio.montagnani, dominick.grift, dwalsh, mgrepl, utilitymail
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:a8b09735db73c2088872cfa334dc942afeffa9c006747924b05c9cec884b7d0c
Doc Type: Bug Fix
Last Closed: 2012-06-25 20:55:37 UTC
Bug Blocks: 835301    

Description Odysseys 2012-06-24 12:14:03 UTC
libreport version: 2.0.10
executable:     /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel:         3.4.2-4.fc17.x86_64
time:           su 24. kesäkuuta 2012 15.13.27

description:
:SELinux is preventing /usr/lib64/libreoffice/program/soffice.bin from 'create' accesses on the file .execooooKnBTH.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that soffice.bin should be allowed create access on the .execooooKnBTH file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep soffice.bin /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
:                              0.c1023
:Target Context                unconfined_u:object_r:user_home_dir_t:s0
:Target Objects                .execooooKnBTH [ file ]
:Source                        soffice.bin
:Source Path                   /usr/lib64/libreoffice/program/soffice.bin
:Port                          <Tuntematon>
:Host                          (removed)
:Source RPM Packages           libreoffice-core-3.5.4.2-1.fc17.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-130.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.4.2-4.fc17.x86_64 #1 SMP Thu
:                              Jun 14 22:22:05 UTC 2012 x86_64 x86_64
:Alert Count                   1
:First Seen                    su 24. kesäkuuta 2012 15.11.23
:Last Seen                     su 24. kesäkuuta 2012 15.11.23
:Local ID                      67f733ea-92bd-4a96-8537-f3569ba4ea38
:
:Raw Audit Messages
:type=AVC msg=audit(1340539883.402:120): avc:  denied  { create } for  pid=3280 comm="soffice.bin" name=".execooooKnBTH" scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file
:
:
:type=SYSCALL msg=audit(1340539883.402:120): arch=x86_64 syscall=open success=no exit=EACCES a0=2e28f30 a1=c2 a2=180 a3=d15df8e1be items=0 ppid=3266 pid=3280 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm=soffice.bin exe=/usr/lib64/libreoffice/program/soffice.bin subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)
:
:Hash: soffice.bin,mozilla_plugin_t,user_home_dir_t,file,create
:
:audit2allowunable to open /sys/fs/selinux/policy:  Permission denied
:
:
:audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied
:
:

Comment 1 Daniel Walsh 2012-06-25 20:55:37 UTC
If you want to run mozplugin you have to disable SELinux enforcement. 

So either 

yum remove mozplugger

or

setsebool -P unconfined_mozilla_plugin_transition 0

Comment 2 JC 2012-11-03 08:10:01 UTC
SELinux troubleshooter says that plugins from the browser do not have permission to write to the user's home directory. This is most likely a good thing.

I've not had a problem leaving this alone with mozplugger.

This is a curious case since anything done via plugin should be denied.

The last two lines which have been blocked in your SELinux troubleshooter for some reason are as follows. That would be better than the boolean but not by much. What should happen is the plugin creator work with Fedora to have its own directory for writes in the user directory. It's much more complicated and probably will not happen. I've been looking to see if it's possible to allow by binary name, still not optimal though.

#============= mozilla_plugin_t ==============
allow mozilla_plugin_t user_home_dir_t:file create;

audit2allow -R

#============= mozilla_plugin_t ==============
allow mozilla_plugin_t user_home_dir_t:file create;
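
How the rule quoted in Comment 2 follows from the raw AVC record in the description, as an added example (not part of the bug report and not audit2allow's own code): it parses the denial, derives the type-enforcement rule, and lists the fields of the denial that the rule does not constrain. The function names are hypothetical.

```python
import re

# Raw AVC record copied from the bug description.
AVC = ('type=AVC msg=audit(1340539883.402:120): avc:  denied  { create } for  '
       'pid=3280 comm="soffice.bin" name=".execooooKnBTH" '
       'scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 '
       'tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file')

DENIED = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of an AVC denial, or None for any other record."""
    m = DENIED.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()
    return fields

def context_type(context):
    """Type is the third field of user:role:type:level (the level may contain ':')."""
    return context.split(':')[2]

def te_rule(avc):
    """Build the allow rule that would permit this denial."""
    perms = avc['perms']
    perm_text = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow %s %s:%s %s;' % (context_type(avc['scontext']),
                                   context_type(avc['tcontext']),
                                   avc['tclass'], perm_text)

def unconstrained(avc):
    """Fields of the denial that a type-enforcement rule cannot express."""
    return {k: avc[k] for k in ('comm', 'name') if k in avc}

if __name__ == '__main__':
    avc = parse_avc(AVC)
    print(te_rule(avc))
    print('not restricted by the rule:', unconstrained(avc))
```

The rule names only the two types and the object class, so it would apply to every process running as mozilla_plugin_t and every file labelled user_home_dir_t, not just soffice.bin and .execooooKnBTH.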

Comment 3 Miroslav Grepl 2013-02-04 11:22:17 UTC
*** Bug 907017 has been marked as a duplicate of this bug. ***