Bug 1279752 - SELinux is preventing plugin-containe from 'create' accesses on the directory .linphone-web.
Summary: SELinux is preventing plugin-containe from 'create' accesses on the directory...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 22
Hardware: x86_64
OS: Unspecified
low
low
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:2ab478b1aadd4462cce46de381a...
: 1246912 (view as bug list)
Depends On: 1246912
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-11-10 08:13 UTC by Miroslav Grepl
Modified: 2016-05-10 17:57 UTC (History)
13 users (show)

Fixed In Version: selinux-policy-3.13.1-128.24.fc22 selinux-policy-3.13.1-128.28.fc22
Doc Type: Bug Fix
Doc Text:
Clone Of: 1246912
Environment:
Last Closed: 2016-05-10 17:57:13 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Miroslav Grepl 2015-11-10 08:13:47 UTC
+++ This bug was initially created as a clone of Bug #1246912 +++

Description of problem:
I installed the linphone web plugin in Firefox. However selinux is preventing the plugin creating access on the directory. linphone-web, not allowing me to sign in with my linphne credentials. 
SELinux is preventing plugin-containe from 'create' accesses on the directory .linphone-web.

*****  Plugin mozplugger (99.1 confidence) suggests   ************************

If you want to use the plugin package
Then you must turn off SELinux controls on the Firefox plugins.
Do
# setsebool -P unconfined_mozilla_plugin_transition 0

*****  Plugin catchall (1.81 confidence) suggests   **************************

If you believe that plugin-containe should be allowed create access on the .linphone-web directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep plugin-containe /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
                              0.c1023
Target Context                unconfined_u:object_r:user_home_dir_t:s0
Target Objects                .linphone-web [ dir ]
Source                        plugin-containe
Source Path                   plugin-containe
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-128.6.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.0.8-300.fc22.x86_64 #1 SMP Fri
                              Jul 10 21:04:56 UTC 2015 x86_64 x86_64
Alert Count                   2
First Seen                    2015-07-27 00:22:43 CEST
Last Seen                     2015-07-27 00:23:01 CEST
Local ID                      da54effe-5222-4ba6-91c2-84ff83a4959b

Raw Audit Messages
type=AVC msg=audit(1437949381.664:598): avc:  denied  { create } for  pid=3747 comm="plugin-containe" name=".linphone-web" scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0


Hash: plugin-containe,mozilla_plugin_t,user_home_dir_t,dir,create

Version-Release number of selected component:
selinux-policy-3.13.1-128.6.fc22.noarch

Additional info:
reporter:       libreport-2.6.1
hashmarkername: setroubleshoot
kernel:         4.0.8-300.fc22.x86_64
type:           libreport

Potential duplicate: bug 799313

--- Additional comment from Ervin on 2015-07-27 08:51:58 EDT ---

I don't want to disable Selinux Control on the Firefox Plugins,it can cause security problems. 
Instead Selinux Policy should be updated. I don't think the Linphone web plugin is a threat to the system. 
However it must be checked it just by plainly allowing it, it can cause other security issues.

--- Additional comment from Diego on 2015-09-23 08:44 EDT ---



--- Additional comment from Diego on 2015-09-23 08:46 EDT ---

SELinux policy module file to allow Linphone web plugin run.

--- Additional comment from Diego on 2015-09-23 08:52:39 EDT ---

(In reply to Diego from comment #3)
> Created attachment 1076218 [details]
> Linphone web SELinux policy module file
> 
> SELinux policy module file to allow Linphone web plugin run.

This file is generated by using audit2allow iteratively while encountering AVC denials, not hand writted. More AVCs might be encountered during use.

--- Additional comment from Ervin on 2015-09-24 10:35:17 EDT ---

Hello Diego, can modifying that file introduce security vulnerabilities?

--- Additional comment from Miroslav Grepl on 2015-10-12 07:54:50 EDT ---

(In reply to Ervin from comment #1)
> I don't want to disable Selinux Control on the Firefox Plugins,it can cause
> security problems. 
> Instead Selinux Policy should be updated. I don't think the Linphone web
> plugin is a threat to the system. 
> However it must be checked it just by plainly allowing it, it can cause
> other security issues.

This could work with filename transitions rules for ~/.linphone-web.

Could you play around

cat myplugin.te
policy_module(myplugin.te,1.0)

require{
 type mozilla_home_t; 
}

userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".linphone-web")

and run

# make -f /usr/share/selinux/devel/Makefile myplugin.pp
# semodule -i myplugin.pp


You will need to remove ~/.linphone-web to be recreated with a correct labeling.

Thank you.

--- Additional comment from Ervin on 2015-10-14 05:47:58 EDT ---

I am having other problems with Web Linphone for now. 
The bug must be directed to Firefox. 
So I can't test it for now.

Comment 1 Martin Stransky 2015-11-26 14:59:16 UTC
What's needed from the Firefox side?

Comment 2 Vit Mojzis 2015-12-17 15:48:08 UTC
https://github.com/fedora-selinux/selinux-policy/pull/83

commit a74ec037ace636ffbbc4e930434f0e9d68149370
Author: Vit Mojzis <vmojzis>
Date:   Thu Dec 17 12:54:44 2015 +0100

    Add transition for ".linphone-web" to mozilla_plugin_t. The folder is created and used by linphone web plugin. #1279752

Comment 3 Vit Mojzis 2015-12-17 15:49:59 UTC
*** Bug 1246912 has been marked as a duplicate of this bug. ***

Comment 4 Fedora Update System 2016-01-18 13:20:05 UTC
selinux-policy-3.13.1-128.25.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-825869e1a4

Comment 5 Fedora Update System 2016-01-20 03:53:25 UTC
selinux-policy-3.13.1-128.25.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-825869e1a4

Comment 6 Fedora Update System 2016-02-15 17:46:56 UTC
selinux-policy-3.13.1-128.27.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab

Comment 7 Fedora Update System 2016-02-17 06:26:12 UTC
selinux-policy-3.13.1-128.27.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab

Comment 8 Fedora Update System 2016-02-18 12:27:52 UTC
selinux-policy-3.13.1-128.28.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab

Comment 9 Fedora Update System 2016-02-21 18:29:08 UTC
selinux-policy-3.13.1-128.28.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab

Comment 10 Fedora Update System 2016-05-10 17:55:53 UTC
selinux-policy-3.13.1-128.28.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.