Bug 249711 - SELinux is /sbin/ldconfig (ldconfig_t) "read" to /home/ODAHR/.mozilla/firefox/5t00y4d7.default/.parentlock (inotifyfs_t).
SELinux is /sbin/ldconfig (ldconfig_t) "read" to /home/ODAHR/.mozilla/firefox...
Status: CLOSED INSUFFICIENT_DATA
Product: Fedora
Classification: Fedora
Component: firefox (Show other bugs)
7
i386 Linux
low Severity medium
: ---
: ---
Assigned To: Christopher Aillon
Fedora Extras Quality Assurance
firefox3INSUFFICIENT_DATAmassClosing
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-07-26 11:57 EDT by dwyerdj@verizon.net
Modified: 2008-04-09 10:05 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-04-09 10:05:45 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description dwyerdj@verizon.net 2007-07-26 11:57:51 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.3) Gecko/20070417 Fedora/2.0.0.3-4.fc7 Firefox/2.0.0.3

Description of problem:
Summary
    SELinux is preventing /sbin/ldconfig (ldconfig_t) "read" to
    /home/ODAHR/.mozilla/firefox/5t00y4d7.default/.parentlock (inotifyfs_t).

Detailed Description
    SELinux denied access requested by /sbin/ldconfig. It is not expected that
    this access is required by /sbin/ldconfig and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for
    /home/ODAHR/.mozilla/firefox/5t00y4d7.default/.parentlock, restorecon -v
    /home/ODAHR/.mozilla/firefox/5t00y4d7.default/.parentlock If this does not
    work, there is currently no automatic way to allow this access. Instead,
    you can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                user_u:system_r:ldconfig_t
Target Context                system_u:object_r:inotifyfs_t
Target Objects                /home/ODAHR/.mozilla/firefox/5t00y4d7.default/.par
                              entlock [ dir ]
Affected RPM Packages         glibc-2.6-3 [application]
Policy RPM                    selinux-policy-2.6.4-8.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.20-2925.9.fc7xen
                              #1 SMP Tue May 22 08:53:03 EDT 2007 i686 i686
Alert Count                   1
First Seen                    Thu 26 Jul 2007 09:53:01 AM EDT
Last Seen                     Thu 26 Jul 2007 09:53:01 AM EDT
Local ID                      19117e96-8b04-465a-b109-ac0990bf10fd
Line Numbers                  

Raw Audit Messages            

avc: denied { read } for comm="ldconfig" dev=inotifyfs egid=500 euid=500
exe="/sbin/ldconfig" exit=0 fsgid=500 fsuid=500 gid=500 items=0 name="inotify"
path="/home/ODAHR/.mozilla/firefox/5t00y4d7.default/.parentlock" pid=3704
scontext=user_u:system_r:ldconfig_t:s0 sgid=500
subj=user_u:system_r:ldconfig_t:s0 suid=500 tclass=dir
tcontext=system_u:object_r:inotifyfs_t:s0 tty=(none) uid=500



Version-Release number of selected component (if applicable):


How reproducible:
Didn't try


Steps to Reproduce:
1.
2.
3.

Actual Results:


Expected Results:


Additional info:
Comment 1 Daniel Walsh 2007-07-26 13:25:13 EDT
This looks very bizarre to me.  Why do you have adirectory in your homedir
labeled inotifyfs_t?
Comment 2 Niko Mirthes 2007-07-26 17:19:35 EDT
I'm seeing reports of a generally similar nature:

Summary
SELinux is preventing the /sbin/ldconfig from using potentially mislabeled files
(/home/nmirthes/.xsession-errors).

Detailed Description
SELinux has denied /sbin/ldconfig access to potentially mislabeled file(s)
(/home/nmirthes/.xsession-errors). This means that SELinux will not allow
/sbin/ldconfig to use these files. It is common for users to edit files in their
home directory or tmp directories and then move (mv) them to system directories.
The problem is that the files end up with the wrong file context which confined
applications are not allowed to access.

Allowing Access
If you want /sbin/ldconfig to access this files, you need to relabel them using
restorecon -v /home/nmirthes/.xsession-errors. You might want to relabel the
entire directory using restorecon -R -v /home/nmirthes.

Additional Information
Source Context:  system_u:system_r:ldconfig_t
Target Context:  user_u:object_r:user_home_tTarget
Objects:  /home/nmirthes/.xsession-errors [ file ]
Affected RPM Packages:  glibc-2.6-4 [application]Policy
RPM:  selinux-policy-2.6.4-28.fc7
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.home_tmp_bad_labels
Host Name:  CPE0018f319c71e-CM0017ee620d0a
Platform:  Linux CPE0018f319c71e-CM0017ee620d0a 2.6.22.1-27.fc7 #1 SMP Tue Jul
17 17:13:26 EDT 2007 i686 i686
Alert Count:  40
First Seen:  Mon 16 Jul 2007 03:59:55 PM ADT
Last Seen:  Wed 25 Jul 2007 05:17:01 PM ADT
Local ID:  239abd71-cce9-4c01-90cb-be022da4f2d6
Line Numbers:

Raw Audit Messages :avc: denied { write } for comm="ldconfig" dev=sdb5 egid=0
euid=0 exe="/sbin/ldconfig" exit=0 fsgid=0 fsuid=0 gid=0 items=0
name=".xsession-errors" path="/home/nmirthes/.xsession-errors" pid=3614
scontext=system_u:system_r:ldconfig_t:s0 sgid=0
subj=system_u:system_r:ldconfig_t:s0 suid=0 tclass=file
tcontext=user_u:object_r:user_home_t:s0 tty=(none) uid=0

This report appears during package updates with pup.

There's also a single report:

SELinux is preventing the /usr/sbin/tzdata-update from using potentially
mislabeled files (/home/nmirthes/.xsession-errors).
Comment 3 Daniel Walsh 2007-07-27 11:39:15 EDT
The second one looks like a leaked file descriptor from xdm/xserver.  Where they
are opening the xsession-errors file for write and not closing the descriptor.

Comment 4 Daniel Walsh 2007-08-14 08:28:12 EDT
This is caused by firefox leaking a file descriptor when execing userhelper/rpm
Comment 5 Matěj Cepl 2008-02-21 17:36:02 EST
At this point, we're going to only be taking security fixes and major stability
fixes into this release of Fedora.  However, we still want to ensure the bug is
fixed in the next version.  We'd appreciate if you could test Firefox 3,
available at http://www.mozilla.com/en-US/firefox/all-beta.html or now shipping
as the default in Fedora rawhide and provide feedback as to whether it still
exists so we can file a ticket upstream to try to fix it in Firefox 3 before it
is released.
Comment 6 Matěj Cepl 2008-02-21 17:37:03 EST
At this point, we're going to only be taking security fixes and major stability
fixes into this release of Fedora.  However, we still want to ensure the bug is
fixed in the next version.  We'd appreciate if you could test Firefox 3,
available at http://www.mozilla.com/en-US/firefox/all-beta.html or now shipping
as the default in Fedora rawhide and provide feedback as to whether it still
exists so we can file a ticket upstream to try to fix it in Firefox 3 before it
is released.
Comment 7 Matěj Cepl 2008-04-09 10:05:45 EDT
Since there are insufficient details provided in this report for us to
investigate the issue further, and we have not received feedback to the
information we have requested above, we will assume the problem was not
reproducible, or has been fixed in one of the updates we have released for the
reporter's distribution.

Users who have experienced this problem are encouraged to upgrade to the latest
update of their distribution, and if this issue turns out to still be
reproducible in the latest update, please reopen this bug with additional
information.

Closing as INSUFFICIENT_DATA.

[This is a mass-closing request, if you think that this bug shouldn't be closed,
please, reopen with additional information.]

Note You need to log in before you can comment on or make changes to this bug.