Bug 970781

Summary: mozilla-plugin-config fails to execute plugin-config
Product: [Fedora] Fedora
Reporter: Göran Uddeborg <goeran>
Component: selinux-policy-targeted
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Ben Levenson <benl>
Severity: unspecified
Priority: unspecified
Version: 19
CC: dwalsh, goeran
Hardware: x86_64
OS: Linux
Fixed In Version: selinux-policy-3.12.1-52.fc19
Doc Type: Bug Fix
Last Closed: 2013-06-15 03:07:21 UTC
Type: Bug

Description Göran Uddeborg 2013-06-04 21:09:59 UTC
Description of problem:
When I ran "mozilla-plugin-config" after updating my plugins I got the error message

/usr/bin/mozilla-plugin-config: line 72: /usr/lib64/nspluginwrapper/plugin-config: Permission denied

It seems to be SELinux related somehow; if I do "setenforce Permissive" it goes away.  But an "ausearch -m avc" does not report any AVCs.  Not even after I do "semanage dontaudit on"!  I don't understand what is going on.

Version-Release number of selected component (if applicable):
nspluginwrapper-1.4.4-17.fc19.x86_64
nspluginwrapper-1.4.4-17.fc19.i686
selinux-policy-targeted-3.12.1-47.fc19.noarch
selinux-policy-3.12.1-47.fc19.noarch
kernel-3.9.4-300.fc19.x86_64


How reproducible:
Every time

Steps to Reproduce:
1. sudo mozilla-plugin-config -i

Actual results:
Error message as above.

Expected results:
No error message.  (And a couple of links set up for firefox plugins.)

Additional info:
A detail I've noted and find confusing is that the policy package includes a policy of version 29, but the kernel seems to expect a policy of version 28.

23:08 freddi$ ls /etc/selinux/targeted/policy
policy.29
23:08 freddi$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

I'm not sure it is related, but I thought I'd mention it just in case.

Comment 1 Miroslav Grepl 2013-06-07 08:52:45 UTC
Did it work in permissive mode? Is auditd running?

Comment 2 Göran Uddeborg 2013-06-07 21:04:07 UTC
Yes, in permissive mode it works.

Yes, auditd is running.  If I provoke other AVCs, they show up in the log as usual.

Comment 3 Daniel Walsh 2013-06-08 10:03:54 UTC
Turn off the dontaudit rules.

semodule -DB

Execute the command again.

Comment 4 Göran Uddeborg 2013-06-08 21:34:30 UTC
I mentioned I did turn off the dontaudit rules with "semanage dontaudit on/off" already, and I didn't get any AVCs.  As I understand it, that has the same effect as "semodule -DB".  But just to be on the safe side, I did it using semodule too, and still don't get anything.

# semodule -DB
# date
Sat Jun  8 23:26:01 CEST 2013
# mozilla-plugin-config -i
/usr/bin/mozilla-plugin-config: line 72: /usr/lib64/nspluginwrapper/plugin-config: Permission denied
# ausearch -m avc -ts 23:26
<no matches>

If I switch to permissive mode the command works.  Now I also do get a lot of AVCs, presumably things that are normally dontaudited.  I assume these don't really matter, but just in case I include those too.

# setenforce Permissive
# date
Sat Jun  8 23:28:01 CEST 2013
# mozilla-plugin-config -i
# ausearch -m avc -ts 23:28
----
time->Sat Jun  8 23:28:03 2013
type=SYSCALL msg=audit(1370726883.852:9775): arch=c000003e syscall=59 per=8 success=yes exit=0 a0=7fffa901503c a1=7fffa9013080 a2=7fffa90130a8 a3=7fffa9012d30 items=0 ppid=7817 pid=7818 auid=1003 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 ses=609 tty=pts4 comm="npviewer.bin" exe="/usr/lib/nspluginwrapper/npviewer.bin" subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1370726883.852:9775): avc:  denied  { noatsecure } for  pid=7818 comm="npviewer.bin" scontext=unconfined_u:unconfined_r:mozilla_plugin_config_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1370726883.852:9775): avc:  denied  { siginh } for  pid=7818 comm="npviewer.bin" scontext=unconfined_u:unconfined_r:mozilla_plugin_config_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1370726883.852:9775): avc:  denied  { rlimitinh } for  pid=7818 comm="npviewer.bin" scontext=unconfined_u:unconfined_r:mozilla_plugin_config_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1370726883.852:9775): avc:  denied  { read write } for  pid=7818 comm="npviewer.bin" path="/dev/pts/4" dev="devpts" ino=7 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file

Comment 5 Göran Uddeborg 2013-06-08 21:36:12 UTC
(Maybe "a lot of" was an exaggeration.  But at least "some".) :-)

Comment 6 Miroslav Grepl 2013-06-11 14:30:59 UTC
Execute

# grep user_devpts_t /var/log/audit/audit.log |audit2allow -M mypol
# semodule -i mypol.pp
# setenforce 1

and re-test.

Comment 7 Göran Uddeborg 2013-06-11 18:40:15 UTC
Tried it, but it didn't make any difference.

For your reference, the (non-header) part of the generated module looks like this

#!!!! This avc has a dontaudit rule in the current policy
allow mozilla_plugin_t user_devpts_t:chr_file { read write append };

Comment 8 Miroslav Grepl 2013-06-12 09:49:55 UTC
Ok, I see the bug.

commit 976684d2fe8da2b62e4622cd313559ddcc04ced9
Author: Miroslav Grepl <mgrepl>
Date:   Wed Jun 12 11:18:47 2013 +0200

    mozilla_plugin_config_roles need to be able to access mozilla_plugin_config_t

Comment 9 Göran Uddeborg 2013-06-13 20:35:23 UTC
Good you figured it out.  Did you also understand why I didn't get any AVCs?

Comment 10 Miroslav Grepl 2013-06-14 05:52:18 UTC
Basically there was a problem with a role which was not able to access the mozilla_plugin_config_t type. You won't see AVC msgs, but rather the

libsepol.sepol_context_to_sid: could not convert staff_u:staff_r:mozilla_plugin_config_t:s0-s0:c0.c1023 to sid

error message.
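
The point of comment 10, and the reason comment 4's ausearch came back empty, is that a context the policy cannot build (a role not authorised for the type) is rejected before any access-vector check runs, so no AVC record is produced; only the libsepol "could not convert ... to sid" message records it. The following parser is an added illustration, not part of this bug report or of the selinux-policy package: it sorts log lines into AVC denials and invalid-context errors so that a silent failure of this kind is noticed. The AVC lines in the sample are the ones from comment 4 and the libsepol line is the one quoted in comment 10; the rest of the sample is constructed.

```python
"""Classify SELinux log lines to explain a denial that leaves no AVC record.

Added illustration for this bug report (not part of the report or of the
selinux-policy package). Two record kinds are distinguished:

  * type=AVC lines, as shown in comment 4: an access-vector denial carrying
    source context, target context, object class and permission set.
  * libsepol "could not convert <context> to sid" lines, as quoted in
    comment 10: no security context could be built at all, here because the
    role in the context is not authorised for the type. No AVC is logged for
    this, so `ausearch -m avc` stays empty even with dontaudit rules
    disabled; the message has to be looked for separately.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
SID_RE = re.compile(r"sepol_context_to_sid: could not convert (?P<context>\S+) to sid")


@dataclass
class Avc:
    verdict: str
    perms: Tuple[str, ...]
    scontext: str
    tcontext: str
    tclass: str


@dataclass
class InvalidContext:
    context: str
    user: str
    role: str
    stype: str


def split_context(ctx: str) -> Tuple[str, str, str]:
    """Return (user, role, type) of user:role:type[:range]; the MLS range may itself contain ':'."""
    user, role, stype = ctx.split(":", 3)[:3]
    return user, role, stype


def classify(lines: List[str]) -> Tuple[List[Avc], List[InvalidContext]]:
    """Sort log lines into AVC records and invalid-context errors; other lines are ignored."""
    avcs: List[Avc] = []
    invalid: List[InvalidContext] = []
    for line in lines:
        m = AVC_RE.search(line)
        if m:
            avcs.append(Avc(m["verdict"], tuple(m["perms"].split()),
                            m["scontext"], m["tcontext"], m["tclass"]))
            continue
        m = SID_RE.search(line)
        if m:
            user, role, stype = split_context(m["context"])
            invalid.append(InvalidContext(m["context"], user, role, stype))
    return avcs, invalid


def role_type_gaps(invalid: List[InvalidContext]) -> List[Tuple[str, str]]:
    """Distinct (role, type) pairs the policy refused to combine, sorted for stable output."""
    return sorted({(i.role, i.stype) for i in invalid})


def avc_summary(avcs: List[Avc]) -> List[Tuple[str, str, str, Tuple[str, ...]]]:
    """Collapse denials to (source type, target type, class, permissions) tuples."""
    grouped = {}
    for a in avcs:
        if a.verdict != "denied":
            continue
        key = (split_context(a.scontext)[2], split_context(a.tcontext)[2], a.tclass)
        grouped.setdefault(key, set()).update(a.perms)
    return [(s, t, c, tuple(sorted(p))) for (s, t, c), p in sorted(grouped.items())]


# Constructed sample: the AVC lines are those from comment 4 of this bug and the
# libsepol line is the one quoted in comment 10; the first line is filler noise.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1370726883.852:9775): arch=c000003e syscall=59 success=yes exit=0 comm="npviewer.bin"',
    'type=AVC msg=audit(1370726883.852:9775): avc:  denied  { noatsecure } for  pid=7818 comm="npviewer.bin" scontext=unconfined_u:unconfined_r:mozilla_plugin_config_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=process',
    'type=AVC msg=audit(1370726883.852:9775): avc:  denied  { siginh } for  pid=7818 comm="npviewer.bin" scontext=unconfined_u:unconfined_r:mozilla_plugin_config_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=process',
    'type=AVC msg=audit(1370726883.852:9775): avc:  denied  { rlimitinh } for  pid=7818 comm="npviewer.bin" scontext=unconfined_u:unconfined_r:mozilla_plugin_config_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=process',
    'type=AVC msg=audit(1370726883.852:9775): avc:  denied  { read write } for  pid=7818 comm="npviewer.bin" path="/dev/pts/4" dev="devpts" ino=7 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file',
    "libsepol.sepol_context_to_sid: could not convert staff_u:staff_r:mozilla_plugin_config_t:s0-s0:c0.c1023 to sid",
]

if __name__ == "__main__":
    avcs, invalid = classify(SAMPLE_LOG)
    for s, t, c, p in avc_summary(avcs):
        print(f"AVC denied: {s} -> {t} ({c}): {' '.join(p)}")
    for role, stype in role_type_gaps(invalid):
        print(f"no AVC, but context rejected: role {role} is not authorised for type {stype}")
```

Run against a real system the same way after `semodule -DB`, feeding it both `/var/log/audit/audit.log` and the kernel/journal output, since the libsepol message does not live in the audit log; a non-empty result from `role_type_gaps` with an empty `avc_summary` is exactly the signature seen in this bug.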

Comment 11 Fedora Update System 2013-06-14 07:24:29 UTC
selinux-policy-3.12.1-52.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-52.fc19

Comment 12 Göran Uddeborg 2013-06-14 18:36:44 UTC
Right, I see the error messages now.  Thanks for the explanation!

Comment 13 Fedora Update System 2013-06-15 03:07:21 UTC
selinux-policy-3.12.1-52.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.