Bug 865328

Summary: SELinux is preventing /usr/lib64/nspluginwrapper/npconfig from 'getattr' accesses on the filesystem /.
Product: Fedora
Reporter: Armando <pr.armandosilva>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 17
CC: adesarajaydeep, dan, demian.gemperli, dominick.grift, dwalsh, gilbert_pieris2000, ipaitoo, johan.o.hedin, long, mchauber, mgrepl
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:72842236bf14eac8ff1c4db6ed4c807c3c990cfc7083e6891a64696a88c35791
Doc Type: Bug Fix
Last Closed: 2012-12-20 15:54:59 UTC

Description Armando 2012-10-11 08:56:51 UTC
Additional info:
libreport version: 2.0.14
kernel:         3.5.6-1.fc17.x86_64

description:
SELinux is preventing /usr/lib64/nspluginwrapper/npconfig from 'getattr' accesses on the filesystem /.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that npconfig should be allowed getattr access on the filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep npconfig /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_config_t:
                              s0-s0:c0.c1023
Target Context                system_u:object_r:fs_t:s0
Target Objects                / [ filesystem ]
Source                        npconfig
Source Path                   /usr/lib64/nspluginwrapper/npconfig
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           nspluginwrapper-1.4.4-12.fc17.x86_64
Target RPM Packages           filesystem-3-2.fc17.x86_64
Policy RPM                    selinux-policy-3.10.0-149.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.5.6-1.fc17.x86_64 #1 SMP Sun Oct
                              7 19:31:14 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    2012-10-11 05:56:27 BRT
Last Seen                     2012-10-11 05:56:27 BRT
Local ID                      efc6c728-f3f1-4f1b-b682-de1b769f76ff

Raw Audit Messages
type=AVC msg=audit(1349945787.427:87): avc:  denied  { getattr } for  pid=3206 comm="npconfig" name="/" dev="dm-1" ino=2 scontext=unconfined_u:unconfined_r:mozilla_plugin_config_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem


type=SYSCALL msg=audit(1349945787.427:87): arch=x86_64 syscall=fstatfs success=yes exit=0 a0=3 a1=7fff633a3b80 a2=0 a3=7fff633a38f0 items=0 ppid=3189 pid=3206 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4 comm=npconfig exe=/usr/lib64/nspluginwrapper/npconfig subj=unconfined_u:unconfined_r:mozilla_plugin_config_t:s0-s0:c0.c1023 key=(null)

Hash: npconfig,mozilla_plugin_config_t,fs_t,filesystem,getattr

audit2allow

#============= mozilla_plugin_config_t ==============
allow mozilla_plugin_config_t fs_t:filesystem getattr;

audit2allow -R

#============= mozilla_plugin_config_t ==============
allow mozilla_plugin_config_t fs_t:filesystem getattr;


Comment 1 Armando 2012-10-11 08:56:54 UTC
Created attachment 625414 [details]
File: type

Comment 2 Armando 2012-10-11 08:56:57 UTC
Created attachment 625415 [details]
File: hashmarkername

Comment 3 Daniel Walsh 2012-10-12 02:42:19 UTC
I just allowed this in F18.

Comment 4 long 2012-10-12 21:06:10 UTC
I started firefox after it was updated.

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)

Comment 5 Fedora Update System 2012-10-17 12:35:39 UTC
selinux-policy-3.10.0-156.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-156.fc17

Comment 6 Fedora Update System 2012-10-18 00:27:02 UTC
Package selinux-policy-3.10.0-156.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-156.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-16347/selinux-policy-3.10.0-156.fc17
then log in and leave karma (feedback).

Comment 7 Mike 2012-10-19 16:11:11 UTC
Every time I open Firefox, SELinux reports this error.  Firefox seems to work fine when I ignore it, so I'm not sure what is going on.  Flash seems to work fine as well.

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)

Comment 8 Mike 2012-10-19 17:34:34 UTC
Just to update:

# yum -C list installed firefox* selinux-policy* nsplugin* flash-plugin*
Loaded plugins: langpacks, presto, refresh-packagekit, security
Installed Packages
firefox.x86_64                                             16.0.1-1.fc17                                    @updates         
flash-plugin.i386                                          11.2.202.243-release                             @adobe-linux-i386
nspluginwrapper.i686                                       1.4.4-12.fc17                                    @updates         
nspluginwrapper.x86_64                                     1.4.4-12.fc17                                    @updates         
selinux-policy.noarch                                      3.10.0-156.fc17                                  @updates-testing 
selinux-policy-devel.noarch                                3.10.0-156.fc17                                  @updates-testing 
selinux-policy-targeted.noarch                             3.10.0-156.fc17                                  @updates-testing 


That said, the updates from the test repository did not make any difference (tested after reboot just to make sure, but same thing).

Thanks.

Comment 9 Johan Hedin 2012-10-20 11:03:02 UTC
I can also verify that this bug is _not_ fixed in selinux-policy-3.10.0-156.fc17.

Even though you normally see this when starting firefox, the issue is with the nspluginwrapper package (currently at 1.4.4-12 in Fedora 17).

This is what happens:

When you start firefox you run the script /usr/bin/firefox. This script checks if nspluginwrapper is installed by checking for the presence of /usr/bin/mozilla-plugin-config. If it is present it runs it.

mozilla-plugin-config in turn belongs to the nspluginwrapper package and is a script that runs the binary /usr/lib64/nspluginwrapper/plugin-config. This binary has the label mozilla_plugin_config_exec_t so I guess that this in turn transitions plugin-config to mozilla_plugin_t when executed.

plugin-config in turn seems to run /usr/lib64/nspluginwrapper/npconfig, which is what shows up in the SELinux alerts.

The reason to run mozilla-plugin-config in the first place is so that newly added firefox plugins are linked/wrapped properly before firefox starts. You can also run mozilla-plugin-config from the command line and get exactly the same SELinux error.

This error does not seem to affect the function of nspluginwrapper but is of course an annoyance as you see it every time you start firefox.

Creating a selinux module as suggested by SETroubleshoot and loading it "fixes" the problem and I don't see any more SELinux alerts with respect to this specific issue.

Just to be complete, below is what SETroubleshoot says both when I start firefox and when I run mozilla-plugin-config from the command line:

SELinux is preventing /usr/lib64/nspluginwrapper/npconfig from getattr access on the filesystem /.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that npconfig should be allowed getattr access on the  filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep npconfig /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_config_t:
                              s0-s0:c0.c1023
Target Context                system_u:object_r:fs_t:s0
Target Objects                / [ filesystem ]
Source                        npconfig
Source Path                   /usr/lib64/nspluginwrapper/npconfig
Port                          <Unknown>
Host                          zeuse
Source RPM Packages           nspluginwrapper-1.4.4-12.fc17.x86_64
Target RPM Packages           filesystem-3-2.fc17.x86_64
Policy RPM                    selinux-policy-3.10.0-156.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     zeuse
Platform                      Linux zeuse 3.6.2-4.fc17.x86_64 #1 SMP Wed Oct 17
                              02:43:21 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    2012-10-20 12:32:51 CEST
Last Seen                     2012-10-20 12:32:51 CEST
Local ID                      5bddccab-f1ef-4cdd-b99d-1b3f43a6106a

Raw Audit Messages
type=AVC msg=audit(1350729171.548:71): avc:  denied  { getattr } for  pid=1658 comm="npconfig" name="/" dev="dm-1" ino=2 scontext=unconfined_u:unconfined_r:mozilla_plugin_config_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem


type=SYSCALL msg=audit(1350729171.548:71): arch=x86_64 syscall=fstatfs success=no exit=EACCES a0=3 a1=7fff0201add0 a2=0 a3=ffffffff items=0 ppid=1643 pid=1658 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=1 comm=npconfig exe=/usr/lib64/nspluginwrapper/npconfig subj=unconfined_u:unconfined_r:mozilla_plugin_config_t:s0-s0:c0.c1023 key=(null)

Hash: npconfig,mozilla_plugin_config_t,fs_t,filesystem,getattr

audit2allow

#============= mozilla_plugin_config_t ==============
allow mozilla_plugin_config_t fs_t:filesystem getattr;

audit2allow -R

#============= mozilla_plugin_config_t ==============
allow mozilla_plugin_config_t fs_t:filesystem getattr;
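
Comment 9 above walks through how the denial arises, and the two raw audit records on this page differ only in whether the fstatfs call was actually blocked. The following is an added example, not code from this report or from audit2allow: it parses the two AVC/SYSCALL pairs quoted in the report (SYSCALL records shortened to the fields used), derives the same allow rule audit2allow printed, tells a permissive-mode denial (success=yes) from an enforced one (success=no exit=EACCES), and checks whether a policy fix for a given source type covers the type that was actually denied. The function names and the shortened sample log are my own.

```python
import re

# Constructed sample: the two AVC/SYSCALL pairs quoted in this bug report, with the
# SYSCALL records shortened. Pair 1 is from permissive mode, pair 2 from enforcing.
AUDIT_LOG = """\
type=AVC msg=audit(1349945787.427:87): avc:  denied  { getattr } for  pid=3206 comm="npconfig" name="/" dev="dm-1" ino=2 scontext=unconfined_u:unconfined_r:mozilla_plugin_config_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1349945787.427:87): arch=x86_64 syscall=fstatfs success=yes exit=0 pid=3206 comm=npconfig exe=/usr/lib64/nspluginwrapper/npconfig
type=AVC msg=audit(1350729171.548:71): avc:  denied  { getattr } for  pid=1658 comm="npconfig" name="/" dev="dm-1" ino=2 scontext=unconfined_u:unconfined_r:mozilla_plugin_config_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1350729171.548:71): arch=x86_64 syscall=fstatfs success=no exit=EACCES pid=1658 comm=npconfig exe=/usr/lib64/nspluginwrapper/npconfig
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<event>[\d.]+:\d+)\): avc:\s+denied\s+\{(?P<perms>[^}]+)\}"
    r".*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)")
SYSCALL_RE = re.compile(
    r"type=SYSCALL msg=audit\((?P<event>[\d.]+:\d+)\): .*?success=(?P<success>yes|no)")

# Third field of user:role:type[:range] is the SELinux type.
type_of = lambda context: context.split(":")[2]


def parse_denials(log):
    """One dict per AVC denial, joined to its SYSCALL record by the audit event id.
    A denied AVC whose syscall still succeeded was logged in permissive mode."""
    succeeded = {m["event"]: m["success"] == "yes" for m in SYSCALL_RE.finditer(log)}
    denials = []
    for m in AVC_RE.finditer(log):
        denials.append({
            "event": m["event"],
            "source": type_of(m["scontext"]),
            "target": type_of(m["tcontext"]),
            "tclass": m["tclass"],
            "perms": set(m["perms"].split()),
            "enforced": not succeeded.get(m["event"], False),
        })
    return denials


def allow_rules(denials):
    """Collapse denials into audit2allow-style rules, one per (source, target, class)."""
    merged = {}
    for d in denials:
        merged.setdefault((d["source"], d["target"], d["tclass"]), set()).update(d["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


def fix_covers(fixed_source_type, denials):
    """True only if a policy change for this source type addresses every denial seen."""
    return all(d["source"] == fixed_source_type for d in denials)
```

Run against the report's own records, fix_covers("mozilla_plugin_t", ...) is False while fix_covers("mozilla_plugin_config_t", ...) is True, which is the mismatch Comment 10 describes.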

Comment 10 Miroslav Grepl 2012-10-22 08:47:13 UTC
I see it now. This is about

mozilla_plugin_config_t

but we have a fix for

mozilla_plugin_t

Comment 11 Miroslav Grepl 2012-10-22 08:51:49 UTC
Added.

commit 8cf9be24ec7f1c2d4a8041eb5cddd7c6c7958900
Author: Miroslav Grepl <mgrepl>
Date:   Mon Oct 22 10:49:50 2012 +0200

    Allow mozilla-plugin-config to getattr on all fs

Comment 12 dan 2012-10-25 14:31:36 UTC
I'm trying to create an openvpn connection and selinux keeps giving errors.

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)

Comment 13 Fedora Update System 2012-11-06 08:22:22 UTC
selinux-policy-3.10.0-159.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-159.fc17

Comment 14 Fedora Update System 2012-11-08 02:04:44 UTC
Package selinux-policy-3.10.0-159.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-159.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-17782/selinux-policy-3.10.0-159.fc17
then log in and leave karma (feedback).

Comment 15 Johan Hedin 2012-11-08 21:35:11 UTC
Problem fixed for me with the update in the testing repo. Positive karma given. 

BTW, has this fix found its way into the Fedora 18 policy as well? I see from the early comment from Dan that Fedora 18 will allow this, but since it took two rounds to get this right in Fedora 17 I'm just checking.

Good work anyway!

Comment 16 Mike 2012-11-08 21:59:03 UTC
I concur; the issue is resolved for me as well.  This is awesome!  Thank you!  :)

Comment 17 Daniel Walsh 2012-11-08 22:06:05 UTC
We work in the latest release and back port.

Comment 18 Fedora Update System 2012-12-20 15:55:06 UTC
selinux-policy-3.10.0-156.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.