Description of problem:

Summary: SELinux is preventing npviewer.bin from using potentially mislabeled files (.XCompose).

Detailed description: SELinux has denied npviewer.bin access to potentially mislabeled file(s) (.XCompose). This means that SELinux will not allow npviewer.bin to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context, which confined applications are not allowed to access.

Allowing access: If you want npviewer.bin to access these files, you need to relabel them using restorecon -v '.XCompose'. You might want to relabel the entire directory using restorecon -R -v '<Unknown>'.

Additional information:
Source context: unconfined_u:unconfined_r:nsplugin_t:SystemLow-SystemHigh
Target context: unconfined_u:object_r:user_home_t
Target objects: .XCompose [ lnk_file ]
Source: npviewer.bin
Source path: /usr/lib/nspluginwrapper/npviewer.bin
Port: <Unknown>
Host: viklef.ceplovi.cz
Source RPM packages:
Target RPM packages:
Policy RPM: selinux-policy-3.3.1-26.fc9
SELinux enabled: True
Policy type: targeted
MLS enabled: True
Enforcing mode: Enforcing
Plugin name: home_tmp_bad_labels
Host name: viklef.ceplovi.cz
Platform: Linux viklef.ceplovi.cz 2.6.25-0.163.rc7.git1.fc9.i686 #1 SMP Thu Mar 27 09:56:04 EDT 2008 i686 i686
Alert count: 3
First seen: Mon 31 March 2008, 22:36:55 CEST
Last seen: Mon 31 March 2008, 22:41:38 CEST
Local ID: c0960d28-6416-42c7-8b99-c6011026b4d5
Line numbers:

Raw audit messages:
host=viklef.ceplovi.cz type=AVC msg=audit(1206996098.690:4233): avc: denied { read } for pid=24425 comm="npviewer.bin" name=".XCompose" dev=dm-6 ino=6638171 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file
host=viklef.ceplovi.cz type=SYSCALL msg=audit(1206996098.690:4233): arch=40000003 syscall=5 success=no exit=-13 a0=8bf6978 a1=0 a2=8b6dad8 a3=bfbaad4f items=0 ppid=24124 pid=24425 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=5 comm="npviewer.bin" exe="/usr/lib/nspluginwrapper/npviewer.bin" subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null)

Version-Release number of selected component (if applicable):
hal-0.5.11-0.2.rc2.fc9.i386
hal-docs-0.5.11-0.2.rc2.fc9.i386
selinux-policy-targeted-3.3.1-26.fc9.noarch
hal-devel-0.5.11-0.2.rc2.fc9.i386
xorg-x11-server-utils-7.3-3.fc9.i386
xorg-x11-server-debuginfo-1.4.99.901-13.20080314.fc9.i386
hal-info-20080317-2.fc9.noarch
xorg-x11-server-Xorg-1.4.99.901-13.20080314.fc9.i386
hal-debuginfo-0.5.11-0.2.rc2.fc9.i386
hal-libs-0.5.11-0.2.rc2.fc9.i386
xorg-x11-server-utils-debuginfo-7.3-3.fc9.i386
xorg-x11-server-common-1.4.99.901-13.20080314.fc9.i386

How reproducible: After application of the attached policy everything is OK.

Steps to Reproduce:
1. play with the flash plugin (probably, not sure whether I can go out)
2.
3.

Actual results: sealert -b window opened.

Expected results: 60,000Kč

Additional info: Without the attached policy gdm crashes and doesn't allow me to log in.
Created attachment 299771: /var/log/Xorg.0.log
Users are responsible for making sure they have the correct labeling on files, just like they are responsible for having the correct ownership and permissions. This is a user error and not a bug.
Well, I thought that this being a standard file (like for example ~/.Xauthority) would deserve to get standard relabelling too (like ~/.Xauthority gets). In this case, when looking at

[matej@viklef ~]$ ls -Z /usr/share/X11/locale/en_US.UTF-8/Compose
-rw-r--r--  root root system_u:object_r:locale_t /usr/share/X11/locale/en_US.UTF-8/Compose
[matej@viklef ~]$

I think it would deserve the *:locale_t type label.
To the previous comment, one more thing -- this is AFTER restorecon -v -R /tmp
Matej, I think I responded to the wrong bugzilla. The AVC that you report is showing nsplugin trying to read the .XCompose file. This has nothing to do with gdm crashing. I have no idea why nsplugin would try to read the lnk_file .XCompose.
restorecon of /tmp also has no effect. If you have a labeling problem in /tmp, you would be best off deleting the files/directories out there and restarting the application.
OK, reassigning back.
Created attachment 299877: strace of nspluginviewer
You can allow this for now by executing

# audit2allow -M mypol -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.3.1-29.fc9
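The audit2allow workaround in the last comment turns the raw AVC record quoted in the report into a type-enforcement allow rule; the following is an added example (not code from this bug, from setools or from the selinux-policy project) that does the same translation in Python so the reader can see exactly which fields drive the rule and why the home_tmp_bad_labels plugin fired. It parses the `scontext`/`tcontext`/`tclass` fields, merges denials for the same source type, target type and class (as audit2allow does), and flags target types that sealert's home/tmp heuristic treats as "possibly mislabeled". The second AVC line in SAMPLE_LOG and the LABELING_TYPES set are constructed assumptions for illustration; the first line is the one from the report.

```python
import re

# Constructed sample input. The first AVC line is the one quoted in this bug
# report; the SYSCALL line is a trimmed copy of the report's; the third line
# (a getattr denial) is made up to show how denials are merged into one rule.
SAMPLE_LOG = [
    'type=AVC msg=audit(1206996098.690:4233): avc:  denied  { read } for  pid=24425 '
    'comm="npviewer.bin" name=".XCompose" dev=dm-6 ino=6638171 '
    'scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file',
    'type=SYSCALL msg=audit(1206996098.690:4233): arch=40000003 syscall=5 success=no exit=-13',
    'type=AVC msg=audit(1206996099.001:4234): avc:  denied  { getattr } for  pid=24425 '
    'comm="npviewer.bin" name=".XCompose" dev=dm-6 ino=6638171 '
    'scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file',
]

# "avc:  denied  { read write } for  key=value ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
# key=value pairs; values are either double-quoted (comm, name) or bare tokens
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed shortlist of target types that sealert's home_tmp_bad_labels
# heuristic considers suspicious when a confined domain touches them.
LABELING_TYPES = {'user_home_t', 'user_tmp_t', 'tmp_t', 'home_root_t'}


def context_type(ctx):
    """Return the type component of a user:role:type[:range] security context."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one audit line; return a dict for AVC records, None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    return {
        'verdict': m.group('verdict'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'source_type': context_type(fields['scontext']),
        'target_type': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
    }


def te_rules(lines):
    """Build audit2allow-style allow rules from denied AVCs, merging permissions
    per (source type, target type, object class) like audit2allow does."""
    merged = {}
    for line in lines:
        avc = parse_avc(line)
        if avc is None or avc['verdict'] != 'denied':
            continue
        key = (avc['source_type'], avc['target_type'], avc['tclass'])
        merged.setdefault(key, set()).update(avc['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        ordered = sorted(perms)
        perm_text = ordered[0] if len(ordered) == 1 else '{ ' + ' '.join(ordered) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_text};')
    return rules


def likely_mislabel(avc):
    """True when the target type is one the home/tmp heuristic flags; a hit
    means 'check the label with restorecon', not 'the label is wrong'."""
    return avc['target_type'] in LABELING_TYPES


if __name__ == '__main__':
    for rule in te_rules(SAMPLE_LOG):
        print(rule)
    first = parse_avc(SAMPLE_LOG[0])
    if likely_mislabel(first):
        print(f"sealert-style hint: {first['name']} is {first['target_type']}; "
              f"verify with: restorecon -n -v {first['name']}")
```

Before shipping the generated rule in a local module, run `restorecon -n -v` (dry run, no changes) on the object to confirm the label really is what the file contexts say it should be; in this report user_home_t is the normal label for a symlink in $HOME, so the heuristic's "mislabeled" wording was misleading and the right fix was the policy change Dan notes above rather than a relabel or a permanent local allow rule.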