Bug 860134

Summary: SELinux is preventing /usr/lib64/xulrunner-2/plugin-container from 'setattr' accesses on the file ParseLock009.
Product: [Fedora] Fedora Reporter: Dennis <dennis+redhat>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 17CC: dominick.grift, dwalsh, mgrepl, renich
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:2af4bb4a6e0404bb2ece95d8aaa2b6860561e58c7ede31365037fdbef22fccb2
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-12-20 16:28:40 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
File: type
none
File: hashmarkername none

Description Dennis 2012-09-25 04:53:46 UTC 
Additional info:
libreport version: 2.0.13
kernel:         3.5.3-1.fc17.x86_64

description:
:SELinux is preventing /usr/lib64/xulrunner-2/plugin-container from 'setattr' accesses on the file ParseLock009.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that plugin-container should be allowed setattr access on the ParseLock009 file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep plugin-containe /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
:                              0.c1023
:Target Context                unconfined_u:object_r:user_tmpfs_t:s0
:Target Objects                ParseLock009 [ file ]
:Source                        plugin-containe
:Source Path                   /usr/lib64/xulrunner-2/plugin-container
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           xulrunner-15.0-2.fc17.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-146.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.5.3-1.fc17.x86_64 #1 SMP Wed Aug
:                              29 18:46:34 UTC 2012 x86_64 x86_64
:Alert Count                   27
:First Seen                    2012-08-13 19:11:48 CDT
:Last Seen                     2012-09-24 19:28:44 CDT
:Local ID                      b58ccf76-ccea-4bdf-af5c-d14b43c2f0ec
:
:Raw Audit Messages
:type=AVC msg=audit(1348532924.213:150): avc:  denied  { setattr } for  pid=16000 comm="plugin-containe" name="ParseLock009" dev="tmpfs" ino=20043 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmpfs_t:s0 tclass=file
:
:
:type=SYSCALL msg=audit(1348532924.213:150): arch=x86_64 syscall=fchmod success=no exit=EACCES a0=1b a1=1b6 a2=1b a3=0 items=0 ppid=1662 pid=16000 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm=plugin-containe exe=/usr/lib64/xulrunner-2/plugin-container subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)
:
:Hash: plugin-containe,mozilla_plugin_t,user_tmpfs_t,file,setattr
:
:audit2allow
:
:#============= mozilla_plugin_t ==============
:allow mozilla_plugin_t user_tmpfs_t:file setattr;
:
:audit2allow -R
:
:#============= mozilla_plugin_t ==============
:allow mozilla_plugin_t user_tmpfs_t:file setattr;
:
Comment 1 Dennis 2012-09-25 04:53:48 UTC 
Created attachment 616844 [details]
File: type
Comment 2 Dennis 2012-09-25 04:53:50 UTC 
Created attachment 616845 [details]
File: hashmarkername
Comment 3 Miroslav Grepl 2012-09-25 10:48:07 UTC 
Do you know what you were doing when this happened? Basically I am interested which apps created "ParseLock009"
Comment 4 Dennis 2012-09-25 14:53:49 UTC 
This seems to happen every time I start a hangout.  I suppose the culprit would be the google-talkplugin (currently at 3.6.1.0-1).  I installed the plugin from 

https://www.google.com/chat/video

which added

http://dl.google.com/linux/talkplugin/rpm/stable/x86_64

to my yum repos.

It's basically the same time I experience #846188.  I had hoped that that fix would resolve this issue at the same time, but I guess not.
Comment 5 Daniel Walsh 2012-09-25 19:26:42 UTC 
Does everything seem to work properly?  We could add a dontaudit for this.
Comment 6 Dennis 2012-09-26 02:51:49 UTC 
It seems to work properly, at least at first.  After using the hangout for several hours, Firefox can become unresponsive.  This error occurs basically at the start of the hangout, so I somewhat doubt that it is to blame for that problem.  However, it is the easiest to spot issue, so I kind of hope that they are related (and easy to fix :-)).
Comment 7 Daniel Walsh 2012-09-26 20:38:44 UTC 
Yes I would doubt they are related, but you could try this with mozilla_plugin_t in permissive mode and see if the slugishness continues.

semanage permissive -a mozilla_plugin_t
Comment 8 Miroslav Grepl 2012-10-17 08:01:15 UTC 
Switching to permissive mode. We added some fixes to see if they fix these issues.
Comment 9 Fedora Update System 2012-10-17 12:34:40 UTC 
selinux-policy-3.10.0-156.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-156.fc17
Comment 10 Fedora Update System 2012-10-18 00:25:53 UTC 
Package selinux-policy-3.10.0-156.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-156.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-16347/selinux-policy-3.10.0-156.fc17
then log in and leave karma (feedback).
Comment 11 Renich Bon Ciric 2012-11-09 14:59:47 UTC 
I opened up a google hangout. I assume firefox is trying to use the google-talkplugin

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)
Comment 12 Dennis 2012-11-23 20:34:34 UTC 
(In reply to comment #7)
> Yes I would doubt they are related, but you could try this with
> mozilla_plugin_t in permissive mode and see if the slugishness continues.
> 
> semanage permissive -a mozilla_plugin_t

I tied this and there were other SELinux warnings.  It seems like between updates to firefox, flash, google-talk-plugin, and hangout site itself, the problem has fixed itself.  Thanks for taking the time to take a look at this :-)
Comment 13 Fedora Update System 2012-12-20 16:28:41 UTC 
selinux-policy-3.10.0-156.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.