Bug 1246912 - SELinux is preventing plugin-containe from 'create' accesses on the directory .linphone-web.
Summary: SELinux is preventing plugin-containe from 'create' accesses on the directory...
Keywords:
Status: CLOSED DUPLICATE of bug 1279752
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 22
Hardware: x86_64
OS: Unspecified
low
low
Target Milestone: ---
Assignee: Vit Mojzis
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:2ab478b1aadd4462cce46de381a...
Depends On:
Blocks: 1279752
TreeView+ depends on / blocked
 
Reported: 2015-07-26 22:27 UTC by Ervin
Modified: 2015-12-17 15:49 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1279752 (view as bug list)
Environment:
Last Closed: 2015-12-17 15:49:59 UTC


Attachments (Terms of Use)
Linphone web Type Enforcement rule file (718 bytes, text/plain)
2015-09-23 12:44 UTC, Diego
no flags Details
Linphone web SELinux policy module file (1.66 KB, application/octet-stream)
2015-09-23 12:46 UTC, Diego
no flags Details

Description Ervin 2015-07-26 22:27:39 UTC
Description of problem:
I installed the linphone web plugin in Firefox. However selinux is preventing the plugin creating access on the directory. linphone-web, not allowing me to sign in with my linphne credentials. 
SELinux is preventing plugin-containe from 'create' accesses on the directory .linphone-web.

*****  Plugin mozplugger (99.1 confidence) suggests   ************************

If you want to use the plugin package
Then you must turn off SELinux controls on the Firefox plugins.
Do
# setsebool -P unconfined_mozilla_plugin_transition 0

*****  Plugin catchall (1.81 confidence) suggests   **************************

If you believe that plugin-containe should be allowed create access on the .linphone-web directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep plugin-containe /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
                              0.c1023
Target Context                unconfined_u:object_r:user_home_dir_t:s0
Target Objects                .linphone-web [ dir ]
Source                        plugin-containe
Source Path                   plugin-containe
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-128.6.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.0.8-300.fc22.x86_64 #1 SMP Fri
                              Jul 10 21:04:56 UTC 2015 x86_64 x86_64
Alert Count                   2
First Seen                    2015-07-27 00:22:43 CEST
Last Seen                     2015-07-27 00:23:01 CEST
Local ID                      da54effe-5222-4ba6-91c2-84ff83a4959b

Raw Audit Messages
type=AVC msg=audit(1437949381.664:598): avc:  denied  { create } for  pid=3747 comm="plugin-containe" name=".linphone-web" scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0


Hash: plugin-containe,mozilla_plugin_t,user_home_dir_t,dir,create

Version-Release number of selected component:
selinux-policy-3.13.1-128.6.fc22.noarch

Additional info:
reporter:       libreport-2.6.1
hashmarkername: setroubleshoot
kernel:         4.0.8-300.fc22.x86_64
type:           libreport

Potential duplicate: bug 799313

Comment 1 Ervin 2015-07-27 12:51:58 UTC
I don't want to disable Selinux Control on the Firefox Plugins,it can cause security problems. 
Instead Selinux Policy should be updated. I don't think the Linphone web plugin is a threat to the system. 
However it must be checked it just by plainly allowing it, it can cause other security issues.

Comment 2 Diego 2015-09-23 12:44:55 UTC
Created attachment 1076216 [details]
Linphone web Type Enforcement rule file

Comment 3 Diego 2015-09-23 12:46:29 UTC
Created attachment 1076218 [details]
Linphone web SELinux policy module file

SELinux policy module file to allow Linphone web plugin run.

Comment 4 Diego 2015-09-23 12:52:39 UTC
(In reply to Diego from comment #3)
> Created attachment 1076218 [details]
> Linphone web SELinux policy module file
> 
> SELinux policy module file to allow Linphone web plugin run.

This file is generated by using audit2allow iteratively while encountering AVC denials, not hand writted. More AVCs might be encountered during use.

Comment 5 Ervin 2015-09-24 14:35:17 UTC
Hello Diego, can modifying that file introduce security vulnerabilities?

Comment 6 Miroslav Grepl 2015-10-12 11:54:50 UTC
(In reply to Ervin from comment #1)
> I don't want to disable Selinux Control on the Firefox Plugins,it can cause
> security problems. 
> Instead Selinux Policy should be updated. I don't think the Linphone web
> plugin is a threat to the system. 
> However it must be checked it just by plainly allowing it, it can cause
> other security issues.

This could work with filename transitions rules for ~/.linphone-web.

Could you play around

cat myplugin.te
policy_module(myplugin.te,1.0)

require{
 type mozilla_home_t; 
}

userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".linphone-web")

and run

# make -f /usr/share/selinux/devel/Makefile myplugin.pp
# semodule -i myplugin.pp


You will need to remove ~/.linphone-web to be recreated with a correct labeling.

Thank you.

Comment 7 Ervin 2015-10-14 09:47:58 UTC
I am having other problems with Web Linphone for now. 
The bug must be directed to Firefox. 
So I can't test it for now.

Comment 8 Vit Mojzis 2015-12-17 15:49:59 UTC

*** This bug has been marked as a duplicate of bug 1279752 ***


Note You need to log in before you can comment on or make changes to this bug.