Bug 967161

Summary: SELinux is preventing /usr/lib64/xulrunner/plugin-container from 'write' accesses on the directory NewFiles.
Product: [Fedora] Fedora
Reporter: HaJo Schatz <hajo>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 17
CC: dominick.grift, dwalsh, hajo, mgrepl
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:5a00a5d75f41fe37ba16d339ac27f92ccb4f15ae873fc5143e3b284eecb1925a
Fixed In Version: selinux-policy-3.10.0-170.fc17
Doc Type: Bug Fix
Last Closed: 2013-06-24 03:28:25 UTC

Description HaJo Schatz 2013-05-25 04:38:21 UTC
Description of problem:
Trying to upload fitness data from connect.garmin.com to a Garmin Edge 800
SELinux is preventing /usr/lib64/xulrunner/plugin-container from 'write' accesses on the directory NewFiles.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that plugin-container should be allowed write access on the NewFiles directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep plugin-containe /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
                              0.c1023
Target Context                system_u:object_r:dosfs_t:s0
Target Objects                NewFiles [ dir ]
Source                        plugin-containe
Source Path                   /usr/lib64/xulrunner/plugin-container
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           xulrunner-20.0-1.fc17.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-169.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.8.12-100.fc17.x86_64 #1 SMP Wed
                              May 8 15:36:14 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-05-25 13:35:49 KST
Last Seen                     2013-05-25 13:35:49 KST
Local ID                      4624519c-ec0e-4d11-be40-4015e74ffec9

Raw Audit Messages
type=AVC msg=audit(1369456549.156:96): avc:  denied  { write } for  pid=2334 comm="plugin-containe" name="NewFiles" dev="sdb" ino=188 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir


type=SYSCALL msg=audit(1369456549.156:96): arch=x86_64 syscall=open success=no exit=EACCES a0=7fd41ee1e198 a1=241 a2=1b6 a3=7ffff4e4efc0 items=0 ppid=2265 pid=2334 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=2 tty=(none) comm=plugin-containe exe=/usr/lib64/xulrunner/plugin-container subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)

Hash: plugin-containe,mozilla_plugin_t,dosfs_t,dir,write

audit2allow

#============= mozilla_plugin_t ==============
#!!!! The source type 'mozilla_plugin_t' can write to a 'dir' of the following types:
# gnome_home_type, xdm_tmp_t, gnome_home_t, gconf_home_t, home_cert_t, mozilla_home_t, admin_home_t, user_home_dir_t, mplayer_home_t, mozilla_plugin_tmp_t, tmpfs_t, tmp_t, user_fonts_cache_t, user_tmp_t, mozilla_plugin_tmpfs_t, user_home_t, cache_home_t, pulseaudio_home_t, data_home_t

allow mozilla_plugin_t dosfs_t:dir write;

audit2allow -R

#============= mozilla_plugin_t ==============
#!!!! The source type 'mozilla_plugin_t' can write to a 'dir' of the following types:
# gnome_home_type, xdm_tmp_t, gnome_home_t, gconf_home_t, home_cert_t, mozilla_home_t, admin_home_t, user_home_dir_t, mplayer_home_t, mozilla_plugin_tmp_t, tmpfs_t, tmp_t, user_fonts_cache_t, user_tmp_t, mozilla_plugin_tmpfs_t, user_home_t, cache_home_t, pulseaudio_home_t, data_home_t

allow mozilla_plugin_t dosfs_t:dir write;


Additional info:
hashmarkername: setroubleshoot
kernel:         3.8.12-100.fc17.x86_64
type:           libreport
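
Added example, not part of the original report or of setroubleshoot's own code: a Python parser that reads the raw AVC record above and rebuilds the comm,source type,target type,class,permission key shown on the "Hash:" line, so repeated denials in an audit log can be grouped during triage. The function names, the constructed second log line, and the comma-joined handling of multiple permissions are assumptions.

```python
import re
from collections import Counter

# AVC record copied from the report above; the second line is a constructed
# non-AVC record, included to show that other audit record types are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1369456549.156:96): avc:  denied  { write } for  pid=2334 comm="plugin-containe" name="NewFiles" dev="sdb" ino=188 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir
type=USER_START msg=audit(1369456550.000:97): pid=1 uid=0 msg='constructed sample'
"""

AVC_RE = re.compile(r"^type=AVC .*?avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """Return the type field of a user:role:type[:level] SELinux context."""
    # maxsplit=3 keeps an MLS range such as s0-s0:c0.c1023 in one piece.
    parts = context.split(":", 3)
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one 'avc: denied' record into a dict, or return None."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated or malformed record
    return {
        "comm": fields.get("comm", "?"),
        "source_type": context_type(fields["scontext"]),
        "target_type": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "perms": sorted(m.group(1).split()),
    }


def denial_key(d):
    """Build comm,source_type,target_type,class,perms like the Hash: line."""
    return ",".join([d["comm"], d["source_type"], d["target_type"],
                     d["tclass"], *d["perms"]])


def summarize(log_text):
    """Count distinct denials in audit log text, keyed by denial_key()."""
    parsed = (parse_avc(line) for line in log_text.splitlines())
    return Counter(denial_key(d) for d in parsed if d)


if __name__ == "__main__":
    for key, count in summarize(SAMPLE_AUDIT_LOG).items():
        print(f"{count}x {key}")
```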

Comment 1 Miroslav Grepl 2013-05-27 10:02:27 UTC
*** Bug 967162 has been marked as a duplicate of this bug. ***

Comment 2 Miroslav Grepl 2013-05-27 10:02:31 UTC
*** Bug 967163 has been marked as a duplicate of this bug. ***

Comment 3 Miroslav Grepl 2013-05-27 12:08:42 UTC
Do you know which plugin caused this?

Comment 4 HaJo Schatz 2013-05-28 02:35:06 UTC
Yes, it's the Garmin communicator plugin for Linux. It downloads data from a web page and tries to write them to connected Garmin navigation devices (auto-mounted to /media).

Comment 5 Miroslav Grepl 2013-05-29 13:20:00 UTC
commit 15b429816c335d27b9852432fded38c222e04700
Author: Miroslav Grepl <mgrepl>
Date:   Wed May 29 15:19:44 2013 +0200

    Add mozilla_plugin_use_gps boolean

Comment 6 Fedora Update System 2013-06-07 07:00:26 UTC
selinux-policy-3.10.0-170.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-170.fc17

Comment 7 Fedora Update System 2013-06-07 23:27:23 UTC
Package selinux-policy-3.10.0-170.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-170.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-10302/selinux-policy-3.10.0-170.fc17
then log in and leave karma (feedback).

Comment 8 HaJo Schatz 2013-06-16 09:20:56 UTC
Hmm, average karma... I found that the latest update seems to have introduced a bool mozilla_plugin_use_gps (off by default). After turning it on it works. But the user experience may not be a very nice one -- I'm wondering who scrolls all the way down in the SELinux report, finds the note about the bool and then figures out how to turn it on.

So yes, fixed. Sort of...

Comment 9 Miroslav Grepl 2013-06-18 07:32:18 UTC
The alert will tell you about that.

Comment 10 Fedora Update System 2013-06-24 03:28:25 UTC
selinux-policy-3.10.0-170.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.