Bug 435731 - SELinux is preventing the npviewer.bin from using potentially mislabeled files (/home/matej/mel8-118.ogg).
SELinux is preventing the npviewer.bin from using potentially mislabeled file...
Product: Fedora
Classification: Fedora
Component: nspluginwrapper (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Martin Stransky
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2008-03-03 11:17 EST by Matěj Cepl
Modified: 2008-03-06 07:47 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-03-06 07:47:21 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Matěj Cepl 2008-03-03 11:17:11 EST
Description of problem:

What business does SELinux have with blocking access to files in my /home?


SELinux is preventing the npviewer.bin from using potentially mislabeled files

Podrobný popis:

SELinux has denied npviewer.bin access to potentially mislabeled file(s)
(/home/matej/mel8-118.ogg). This means that SELinux will not allow npviewer.bin
to use these files. It is common for users to edit files in their home directory
or tmp directories and then move (mv) them to system directories. The problem is
that the files end up with the wrong file context which confined applications
are not allowed to access.

Povolení přístupu:

If you want npviewer.bin to access this files, you need to relabel them using
restorecon -v '/home/matej/mel8-118.ogg'. You might want to relabel the entire
directory using restorecon -R -v '/home/matej'.

Další informace:

Kontext zdroje                unconfined_u:unconfined_r:nsplugin_t:SystemLow-
Kontext cíle                 unconfined_u:object_r:user_home_t
Objekty cíle                 /home/matej/mel8-118.ogg [ file ]
Zdroj                         npviewer.bin
Cesta zdroje                  /usr/lib64/nspluginwrapper/npviewer.bin
Port                          <Neznámé>
Počítač                    hubmaier.ceplovi.cz
RPM balíčky zdroje          nspluginwrapper-
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.3.1-9.fc9
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Enforcing
Název zásuvného modulu     home_tmp_bad_labels
Název počítače            hubmaier.ceplovi.cz
Platforma                     Linux hubmaier.ceplovi.cz 2.6.25-0.81.rc3.git2.fc9
                              #1 SMP Sun Mar 2 01:04:02 EST 2008 x86_64 x86_64
Počet uporoznění           5
Poprvé viděno               Po 3. březen 2008, 17:05:55 CET
Naposledy viděno             Po 3. březen 2008, 17:09:05 CET
Místní ID                   08ffb0a6-aa57-4560-b041-9bfb9792cf31
Čísla řádků              

Původní zprávy auditu      

host=hubmaier.ceplovi.cz type=AVC msg=audit(1204560545.253:545): avc:  denied  {
write } for  pid=18541 comm="npviewer.bin" path="/home/matej/mel8-118.ogg"
dev=dm-0 ino=3691553
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file

host=hubmaier.ceplovi.cz type=AVC msg=audit(1204560545.253:545): avc:  denied  {
read write } for  pid=18541 comm="npviewer.bin" path="socket:[1052534]"
dev=sockfs ino=1052534

host=hubmaier.ceplovi.cz type=SYSCALL msg=audit(1204560545.253:545):
arch=c000003e syscall=59 success=yes exit=0 a0=1be1600 a1=1be15a0 a2=1be0720
a3=8 items=0 ppid=10525 pid=18541 auid=500 uid=500 gid=500 euid=500 suid=500
fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="npviewer.bin"
subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null)

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
Actual results:

Expected results:

Additional info:
Comment 1 Martin Stransky 2008-03-06 07:47:21 EST
Mozilla plugins could not read user files. I believe it's a feature, not a bug ;-)

Note You need to log in before you can comment on or make changes to this bug.