Bug 868533
| Field | Value |
|---|---|
| Summary | SELinux is preventing /usr/lib64/nspluginwrapper/plugin-config from 'read' accesses on the file /proc/<pid>/status. |
| Product | Fedora |
| Reporter | Ernesto <equistango> |
| Component | selinux-policy |
| Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED WONTFIX |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified |
| Priority | unspecified |
| Version | 18 |
| CC | dominick.grift, dwalsh, eblake, mgrepl, misc, yann |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | x86_64 |
| OS | Unspecified |
| Whiteboard | abrt_hash:70d935236e57812fa4eb28cbf92dc27068b0e5720435ab5d564cdb94f598d96f |
| Doc Type | Bug Fix |
| Story Points | --- |
| Last Closed | 2014-02-05 23:22:42 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
Description
Ernesto
2012-10-20 17:18:35 UTC

Created attachment 630499
File: type

Created attachment 630500
File: hashmarkername

Comment

Can you enclose the actual avc denial of this event? You can get it with:

```
ausearch -m avc -ts today
```

Comment

Is this useful?

```
ausearch -m avc -ts yesterday | grep nsplu
type=SYSCALL msg=audit(1350752936.874:335): arch=c000003e syscall=59 success=yes exit=0 a0=21c3250 a1=21c3190 a2=21c28c0 a3=18 items=0 ppid=2120 pid=2122 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="plugin-config" exe="/usr/lib64/nspluginwrapper/plugin-config" subj=unconfined_u:unconfined_r:mozilla_plugin_config_t:s0-s0:c0.c1023 key=(null)
```

Comment

Not really, no. This is the type=SYSCALL and I am looking for the type=AVC line instead. If it's not there then the event may have been silently blocked.

Can you reproduce this event? If so:

1. semodule -DB
2. reproduce event
3. ausearch -m avc -ts recent
4. semodule -B

Then enclose the line(s) that have type=AVC instead of type=SYSCALL. Thanks.

Comment

I tried to reproduce it and it didn't happen. A few hours later I started my browser and bam! Here's the output of 'ausearch -m avc -ts today' (without the 'semodule -DB' thing before). You can see a lot of AVC, but nothing about plugin-config:

```
----
time->Mon Oct 22 18:38:37 2012
type=SYSCALL msg=audit(1350941917.593:161): arch=c000003e syscall=87 success=no exit=-13 a0=7fa1250fbe64 a1=7fa125ac9516 a2=7fff584b8eb0 a3=7fff584b8c20 items=0 ppid=1 pid=962 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpcbind" exe="/usr/sbin/rpcbind" subj=system_u:system_r:rpcbind_t:s0 key=(null)
type=AVC msg=audit(1350941917.593:161): avc: denied { unlink } for pid=962 comm="rpcbind" name="rpcbind.sock" dev="tmpfs" ino=15537 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
----
time->Mon Oct 22 18:38:37 2012
type=SYSCALL msg=audit(1350941917.603:166): arch=c000003e syscall=2 success=no exit=-13 a0=7fa123c9c6ea a1=80000 a2=1b6 a3=238 items=0 ppid=1 pid=972 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpcbind" exe="/usr/sbin/rpcbind" subj=system_u:system_r:rpcbind_t:s0 key=(null)
type=AVC msg=audit(1350941917.603:166): avc: denied { read } for pid=972 comm="rpcbind" name="passwd" dev="sda2" ino=920640 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
----
time->Mon Oct 22 18:38:38 2012
type=SYSCALL msg=audit(1350941918.641:231): arch=c000003e syscall=42 success=no exit=-13 a0=7 a1=7fff5b5fa0f0 a2=17 a3=7fff5b5f9b00 items=0 ppid=1015 pid=1024 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.statd" exe="/usr/sbin/rpc.statd" subj=system_u:system_r:rpcd_t:s0 key=(null)
type=AVC msg=audit(1350941918.641:231): avc: denied { write } for pid=1024 comm="rpc.statd" name="rpcbind.sock" dev="tmpfs" ino=15537 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
----
time->Mon Oct 22 18:38:38 2012
type=SYSCALL msg=audit(1350941918.646:232): arch=c000003e syscall=42 success=no exit=-13 a0=9 a1=7fff5b5f9f60 a2=17 a3=8 items=0 ppid=1015 pid=1024 auid=4294967295 uid=29 gid=29 euid=29 suid=29 fsuid=29 egid=29 sgid=29 fsgid=29 tty=(none) ses=4294967295 comm="rpc.statd" exe="/usr/sbin/rpc.statd" subj=system_u:system_r:rpcd_t:s0 key=(null)
type=AVC msg=audit(1350941918.646:232): avc: denied { write } for pid=1024 comm="rpc.statd" name="rpcbind.sock" dev="tmpfs" ino=15537 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
----
time->Mon Oct 22 18:38:38 2012
type=SYSCALL msg=audit(1350941918.650:233): arch=c000003e syscall=42 success=no exit=-13 a0=a a1=7fff5b5f9f60 a2=17 a3=8 items=0 ppid=1015 pid=1024 auid=4294967295 uid=29 gid=29 euid=29 suid=29 fsuid=29 egid=29 sgid=29 fsgid=29 tty=(none) ses=4294967295 comm="rpc.statd" exe="/usr/sbin/rpc.statd" subj=system_u:system_r:rpcd_t:s0 key=(null)
type=AVC msg=audit(1350941918.650:233): avc: denied { write } for pid=1024 comm="rpc.statd" name="rpcbind.sock" dev="tmpfs" ino=15537 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
----
time->Mon Oct 22 18:38:38 2012
type=SYSCALL msg=audit(1350941918.654:234): arch=c000003e syscall=42 success=no exit=-13 a0=b a1=7fff5b5f9f60 a2=17 a3=8 items=0 ppid=1015 pid=1024 auid=4294967295 uid=29 gid=29 euid=29 suid=29 fsuid=29 egid=29 sgid=29 fsgid=29 tty=(none) ses=4294967295 comm="rpc.statd" exe="/usr/sbin/rpc.statd" subj=system_u:system_r:rpcd_t:s0 key=(null)
type=AVC msg=audit(1350941918.654:234): avc: denied { write } for pid=1024 comm="rpc.statd" name="rpcbind.sock" dev="tmpfs" ino=15537 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
----
time->Mon Oct 22 18:38:38 2012
type=SYSCALL msg=audit(1350941918.657:235): arch=c000003e syscall=42 success=no exit=-13 a0=c a1=7fff5b5f9f60 a2=17 a3=8 items=0 ppid=1015 pid=1024 auid=4294967295 uid=29 gid=29 euid=29 suid=29 fsuid=29 egid=29 sgid=29 fsgid=29 tty=(none) ses=4294967295 comm="rpc.statd" exe="/usr/sbin/rpc.statd" subj=system_u:system_r:rpcd_t:s0 key=(null)
type=AVC msg=audit(1350941918.657:235): avc: denied { write } for pid=1024 comm="rpc.statd" name="rpcbind.sock" dev="tmpfs" ino=15537 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
----
time->Mon Oct 22 18:40:15 2012
type=SYSCALL msg=audit(1350942015.726:330): arch=c000003e syscall=2 success=no exit=-13 a0=274cd80 a1=c2 a2=180 a3=0 items=0 ppid=2005 pid=2097 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1350942015.726:330): avc: denied { create } for pid=2097 comm="totem-video-thu" name="registry.x86_64.bin.tmpMM6XMW" scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=file
----
time->Mon Oct 22 18:40:15 2012
type=SYSCALL msg=audit(1350942015.727:331): arch=c000003e syscall=2 success=no exit=-13 a0=274cd80 a1=c2 a2=180 a3=1 items=0 ppid=2005 pid=2097 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1350942015.727:331): avc: denied { create } for pid=2097 comm="totem-video-thu" name="registry.x86_64.bin.tmpOC6XMW" scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=file
```

Comment

Yes, those are not related but interesting nonetheless. I suspect the mislabeled rpcbind.sock is due to systemd socket activation. Looks like thumb_t needs to be able to manage generic cache home files, and rpcd_t needs to be able to read /etc/passwd.

With regard to nsplugin plugin config: without the avc denial it is hard to determine which type of process state files it was trying to access. So not much we can do until we see the AVC denial of the event, I suspect. Keep an eye on your audit.log and if you see any related avc denials please let us know.

Comment

How do you start rpcbind? Also what is your policy version?

```
# rpm -q selinux-policy
```

Comment

> How do you start rpcbind?

I don't know how rpcbind works, but I can guess how it's started:

```
# systemctl | grep rpcbind
rpcbind.socket loaded active listening RPCbind Server....
```

> rpm -q selinux-policy

selinux-policy-3.11.1-36.fc18.noarch

Comment

I wonder if there is a bug in /var/run/rpcbind.sock file creation, where systemd is mislabeling it. I just checked in a fix so all files /var/run/rpcbind.* will be labeled rpcbind_var_run_t. I am thinking systemd was asking for the label of /var/run/rpcbind.sock as a file, not a sock_file. Activation is supposed to label the sock file correctly.

Comment

Mozilla crashed, so I submitted a report to Mozilla, and then selinux prevented the plugin from submitting it.

Package: (null)
OS Release: Fedora release 18 (Spherical Cow)

Comment

Package selinux-policy-3.11.1-59.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.

Update it with:

```
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-59.fc18'
```

as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-19374/selinux-policy-3.11.1-59.fc18 then log in and leave karma (feedback).

Comment

Firefox crashed and then a security alert was triggered.

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)

Comment

This message is a reminder that Fedora 18 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 18. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '18'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 18's end of life.

Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 18 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to Fedora 18's end of life.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

Comment

Fedora 18 changed to end-of-life (EOL) status on 2014-01-14. Fedora 18 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release.

If you experience problems, please add a comment to this bug.

Thank you for reporting this bug and we are sorry it could not be fixed.
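The check the thread keeps circling around, as an added example that is not code from this bug report or from the selinux-policy project: pair each audit SYSCALL record with its AVC record by event serial, list the SYSCALL records for a given comm that have no AVC partner (the "silently blocked" case that `semodule -DB` is meant to expose by disabling dontaudit rules), and summarise the denials that are present by source domain, target type and object class. The sample input is constructed from the audit records quoted earlier in the thread; the function names are this example's own.

```python
"""Pair audit SYSCALL records with their AVC records by event serial.

Added example; not code from this bug report or from selinux-policy.
The records below are constructed sample input copied from the audit
output quoted in the thread (one record per line, as ausearch prints them).
"""
import re
from collections import defaultdict

# Constructed sample: the plugin-config exec (no AVC partner in the log),
# two rpcbind denials and one totem-video-thumbnailer denial from the thread.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1350752936.874:335): arch=c000003e syscall=59 success=yes exit=0 a0=21c3250 a1=21c3190 a2=21c28c0 a3=18 items=0 ppid=2120 pid=2122 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="plugin-config" exe="/usr/lib64/nspluginwrapper/plugin-config" subj=unconfined_u:unconfined_r:mozilla_plugin_config_t:s0-s0:c0.c1023 key=(null)
type=SYSCALL msg=audit(1350941917.593:161): arch=c000003e syscall=87 success=no exit=-13 a0=7fa1250fbe64 a1=7fa125ac9516 a2=7fff584b8eb0 a3=7fff584b8c20 items=0 ppid=1 pid=962 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpcbind" exe="/usr/sbin/rpcbind" subj=system_u:system_r:rpcbind_t:s0 key=(null)
type=AVC msg=audit(1350941917.593:161): avc: denied { unlink } for pid=962 comm="rpcbind" name="rpcbind.sock" dev="tmpfs" ino=15537 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1350941917.603:166): arch=c000003e syscall=2 success=no exit=-13 a0=7fa123c9c6ea a1=80000 a2=1b6 a3=238 items=0 ppid=1 pid=972 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpcbind" exe="/usr/sbin/rpcbind" subj=system_u:system_r:rpcbind_t:s0 key=(null)
type=AVC msg=audit(1350941917.603:166): avc: denied { read } for pid=972 comm="rpcbind" name="passwd" dev="sda2" ino=920640 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=SYSCALL msg=audit(1350942015.726:330): arch=c000003e syscall=2 success=no exit=-13 a0=274cd80 a1=c2 a2=180 a3=0 items=0 ppid=2005 pid=2097 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1350942015.726:330): avc: denied { create } for pid=2097 comm="totem-video-thu" name="registry.x86_64.bin.tmpMM6XMW" scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=file
"""

# "type=X msg=audit(TIMESTAMP:SERIAL): body"; the serial ties the records of one event together.
RECORD_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}')


def parse_audit(text):
    """Group records by audit serial: {serial: {"SYSCALL": dict or None, "AVC": [dict, ...]}}."""
    events = defaultdict(lambda: {"SYSCALL": None, "AVC": []})
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # not an audit record (e.g. ausearch's "----" and "time->" lines)
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("body"))}
        serial = int(m.group("serial"))
        if m.group("type") == "AVC":
            pm = PERMS_RE.search(m.group("body"))
            fields["result"] = pm.group("result")
            fields["perms"] = pm.group("perms").split()
            events[serial]["AVC"].append(fields)
        elif m.group("type") == "SYSCALL":
            events[serial]["SYSCALL"] = fields
    return dict(events)


def syscalls_without_avc(events, comm):
    """Serials where `comm` has a SYSCALL record but no AVC record at all.

    This is what the thread hits for plugin-config: without an AVC record the
    log cannot say which object or permission was involved, which usually means
    the denial matched a dontaudit rule (temporarily disabled by semodule -DB).
    """
    return [serial for serial, ev in sorted(events.items())
            if ev["SYSCALL"] is not None
            and ev["SYSCALL"].get("comm") == comm
            and not ev["AVC"]]


def denials_by_domain(events):
    """Summarise denials as (source domain, target type, class) -> set of permissions."""
    summary = defaultdict(set)
    for ev in events.values():
        for avc in ev["AVC"]:
            if avc["result"] != "denied":
                continue
            sdom = avc["scontext"].split(":")[2]   # contexts are user:role:TYPE:range
            ttype = avc["tcontext"].split(":")[2]
            summary[(sdom, ttype, avc["tclass"])].update(avc["perms"])
    return dict(summary)


if __name__ == "__main__":
    events = parse_audit(SAMPLE_AUDIT)
    print("SYSCALL records for plugin-config with no AVC partner:",
          syscalls_without_avc(events, "plugin-config"))
    for (sdom, ttype, tclass), perms in sorted(denials_by_domain(events).items()):
        print("%s -> %s (%s): %s" % (sdom, ttype, tclass, " ".join(sorted(perms))))
```

The (source domain, target type, class) tuple is the unit a policy fix is written against, so the summary separates the two situations the thread distinguishes: a denial against a type the domain genuinely needs (rpcd_t reading passwd_file_t, thumb_t managing cache_home_t) calls for an allow rule, while a daemon's own socket carrying the generic var_run_t type points to a labeling problem, which is what the rpcbind_var_run_t file-context fix in the thread addresses.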