Bug 2007418 - SELinux is preventing Sandbox Forked from using the 'nnp_transition' accesses on a process.
Summary: SELinux is preventing Sandbox Forked from using the 'nnp_transition' accesses...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 34
Hardware: x86_64
OS: Unspecified
medium
medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:dc9a5dcd4dc4f0702567cbb6809...
: 1934796 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-09-23 19:27 UTC by Ivan
Modified: 2021-10-31 01:14 UTC (History)
8 users (show)

Fixed In Version: selinux-policy-34.22-1.fc34
Clone Of:
Environment:
Last Closed: 2021-10-31 01:14:17 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Ivan 2021-09-23 19:27:15 UTC 
Description of problem:
I tried to watch streaming content on HBO go service.
SELinux is preventing Sandbox Forked from using the 'nnp_transition' accesses on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that Sandbox Forked should be allowed nnp_transition access on processes labeled mozilla_plugin_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'Sandbox Forked' --raw | audit2allow -M my-SandboxForked
# semodule -X 300 -i my-SandboxForked.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
                              0.c1023
Target Objects                Unknown [ process2 ]
Source                        Sandbox Forked
Source Path                   Sandbox Forked
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-34.20-1.fc34.noarch
Local Policy RPM              selinux-policy-targeted-34.20-1.fc34.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.13.16-200.fc34.x86_64 #1 SMP Mon
                              Sep 13 12:39:36 UTC 2021 x86_64 x86_64
Alert Count                   1
First Seen                    2021-09-23 21:25:50 CEST
Last Seen                     2021-09-23 21:25:50 CEST
Local ID                      6671194a-305e-4fa9-9e97-d05929f61104

Raw Audit Messages
type=AVC msg=audit(1632425150.967:2506): avc:  denied  { nnp_transition } for  pid=197786 comm=53616E64626F7820466F726B6564 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=process2 permissive=0


Hash: Sandbox Forked,unconfined_t,mozilla_plugin_t,process2,nnp_transition

Version-Release number of selected component:
selinux-policy-targeted-34.20-1.fc34.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.15.2
hashmarkername: setroubleshoot
kernel:         5.13.16-200.fc34.x86_64
type:           libreport

Potential duplicate: bug 1934796
Comment 1 Zdenek Pytela 2021-09-29 10:56:59 UTC 
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/899
Comment 2 Zdenek Pytela 2021-09-29 10:57:18 UTC 
*** Bug 1934796 has been marked as a duplicate of this bug. ***
Comment 3 Fedora Update System 2021-10-18 15:43:23 UTC 
FEDORA-2021-00891047cf has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-00891047cf
Comment 4 Fedora Update System 2021-10-19 00:48:23 UTC 
FEDORA-2021-00891047cf has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-00891047cf`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-00891047cf

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 5 Fedora Update System 2021-10-31 01:14:17 UTC 
FEDORA-2021-00891047cf has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.