Bug 439895 - SELinux is preventing the npviewer.bin from using potentially mislabeled files (.XCompose).
Summary: SELinux is preventing the npviewer.bin from using potentially mislabeled file...
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: nspluginwrapper
Version: rawhide
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Martin Stransky
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2008-03-31 21:46 UTC by Matěj Cepl
Modified: 2018-04-11 06:51 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-04-06 10:06:32 UTC
Type: ---
Embargoed:


Attachments
/var/log/Xorg.0.log (61.43 KB, text/plain)
2008-03-31 21:46 UTC, Matěj Cepl
strace of nspluginviewer (2.17 MB, application/x-bzip)
2008-04-01 11:14 UTC, Matěj Cepl

Description Matěj Cepl 2008-03-31 21:46:06 UTC
Description of problem:

Summary:

SELinux is preventing the npviewer.bin from using potentially mislabeled files
(.XCompose).

Detailed description:

SELinux has denied npviewer.bin access to potentially mislabeled file(s)
(.XCompose). This means that SELinux will not allow npviewer.bin to use these
files. It is common for users to edit files in their home directory or tmp
directories and then move (mv) them to system directories. The problem is that
the files end up with the wrong file context which confined applications are not
allowed to access.

Allowing access:

If you want npviewer.bin to access these files, you need to relabel them using
restorecon -v '.XCompose'. You might want to relabel the entire directory using
restorecon -R -v '<Unknown>'.

Additional information:

Source Context                unconfined_u:unconfined_r:nsplugin_t:SystemLow-
                              SystemHigh
Target Context                unconfined_u:object_r:user_home_t
Target Objects                .XCompose [ lnk_file ]
Source                        npviewer.bin
Source Path                   /usr/lib/nspluginwrapper/npviewer.bin
Port                          <Unknown>
Host                          viklef.ceplovi.cz
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-26.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     viklef.ceplovi.cz
Platform                      Linux viklef.ceplovi.cz
                              2.6.25-0.163.rc7.git1.fc9.i686 #1 SMP Thu Mar 27
                              09:56:04 EDT 2008 i686 i686
Alert Count                   3
First Seen                    Mon 31 March 2008, 22:36:55 CEST
Last Seen                     Mon 31 March 2008, 22:41:38 CEST
Local ID                      c0960d28-6416-42c7-8b99-c6011026b4d5
Line Numbers

Raw Audit Messages

host=viklef.ceplovi.cz type=AVC msg=audit(1206996098.690:4233): avc:  denied  {
read } for  pid=24425 comm="npviewer.bin" name=".XCompose" dev=dm-6 ino=6638171
scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file

host=viklef.ceplovi.cz type=SYSCALL msg=audit(1206996098.690:4233):
arch=40000003 syscall=5 success=no exit=-13 a0=8bf6978 a1=0 a2=8b6dad8
a3=bfbaad4f items=0 ppid=24124 pid=24425 auid=500 uid=500 gid=500 euid=500
suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=5
comm="npviewer.bin" exe="/usr/lib/nspluginwrapper/npviewer.bin"
subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null)

Version-Release number of selected component (if applicable):
hal-0.5.11-0.2.rc2.fc9.i386
hal-docs-0.5.11-0.2.rc2.fc9.i386
selinux-policy-targeted-3.3.1-26.fc9.noarch
hal-devel-0.5.11-0.2.rc2.fc9.i386
xorg-x11-server-utils-7.3-3.fc9.i386
xorg-x11-server-debuginfo-1.4.99.901-13.20080314.fc9.i386
hal-info-20080317-2.fc9.noarch
xorg-x11-server-Xorg-1.4.99.901-13.20080314.fc9.i386
hal-debuginfo-0.5.11-0.2.rc2.fc9.i386
hal-libs-0.5.11-0.2.rc2.fc9.i386
xorg-x11-server-utils-debuginfo-7.3-3.fc9.i386
xorg-x11-server-common-1.4.99.901-13.20080314.fc9.i386


How reproducible:
After application of the attached policy everything is OK

Steps to Reproduce:
1. play with the Flash plugin (probably, not sure whether I can go out)
2.
3.
  
Actual results:
sealert -b window opened.

Expected results:
60,000Kč

Additional info:
Without the attached policy gdm crashes and doesn't allow me to log in.

Comment 1 Matěj Cepl 2008-03-31 21:46:06 UTC
Created attachment 299771 [details]
/var/log/Xorg.0.log

Comment 2 Daniel Walsh 2008-04-01 05:31:15 UTC
Users are responsible for making sure they have the correct labeling on files,
just like they are responsible for having the correct ownership and permissions.

This is a user error and not a bug.

Comment 3 Matěj Cepl 2008-04-01 08:03:45 UTC
Well, I thought that this being a standard file (like for example ~/.Xauthority)
would deserve to get also standard relabelling (like ~/.Xauthority gets). In
this case, when looking at

[matej@viklef ~]$ ls -Z /usr/share/X11/locale/en_US.UTF-8/Compose 
-rw-r--r--  root root system_u:object_r:locale_t      
/usr/share/X11/locale/en_US.UTF-8/Compose
[matej@viklef ~]$ 

I think it would deserve *:locale_t type label.

Comment 4 Matěj Cepl 2008-04-01 08:08:22 UTC
To the previous comment, one more thing -- this is AFTER restorecon -v -R /tmp

Comment 5 Daniel Walsh 2008-04-01 08:20:14 UTC
Matej I think I responded to the wrong bugzilla.  The avc that you report is
showing nsplugin trying to read the .XCompose file.  This has nothing to do with
gdm crashing.

I have no idea why nsplugin would try to read the Link_file .XCompose.



Comment 6 Daniel Walsh 2008-04-01 08:21:46 UTC
restorecon of /tmp also has no effect. If you have a labeling problem in /tmp,
you would be best off deleting the files/directories out there and restarting
the application.

Comment 7 Matěj Cepl 2008-04-01 09:30:00 UTC
OK, reassigning back.

Comment 8 Matěj Cepl 2008-04-01 11:14:10 UTC
Created attachment 299877 [details]
strace of nspluginviewer

Comment 9 Daniel Walsh 2008-04-06 10:06:32 UTC
You can allow this for now by executing 

# audit2allow -M mypol -i /var/log/audit/audit.log 
# semodule -i mypol.pp

Fixed in selinux-policy-3.3.1-29.fc9
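As an added example (not part of this bug report and not code from the selinux-policy or nspluginwrapper projects), the following Python script does the first step of what the audit2allow command above does: it parses AVC records of the kind quoted in this report, groups the denials by source type, target type and object class, and renders the allow rule a local module would contain. It then adds the triage step a defender wants before running semodule: if the target type is a generic home or tmp type, the denial points at a mislabelled file, and the narrow fix is relabelling (restorecon), not a new allow rule. The sample log (the report's own records with the host= prefix dropped, plus a constructed getattr denial) and the MISLABEL_TYPES set are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample log: the AVC and SYSCALL records quoted in this bug (host= prefix
# dropped) plus one constructed getattr denial so that grouping has something to merge.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1206996098.690:4233): avc:  denied  { read } for  pid=24425 comm="npviewer.bin" name=".XCompose" dev=dm-6 ino=6638171 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1206996098.690:4233): arch=40000003 syscall=5 success=no exit=-13 comm="npviewer.bin" exe="/usr/lib/nspluginwrapper/npviewer.bin"
type=AVC msg=audit(1206996099.104:4234): avc:  denied  { getattr } for  pid=24425 comm="npviewer.bin" name=".XCompose" dev=dm-6 ino=6638171 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file
"""

# Only AVC records carry contexts; the SYSCALL record shares the msg=audit(...) id
# but has no avc: part, so the regex simply does not match it.
AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)

# Generic target types that point to a labelling mistake rather than a missing rule.
# Constructed list for the example; extend it for the policy in use.
MISLABEL_TYPES = {"user_home_t", "user_tmp_t", "tmp_t", "default_t", "unlabeled_t"}


def selinux_type(context):
    """Return the type component of an SELinux context user:role:type[:range]."""
    return context.split(":")[2]


def parse_avc_denials(text):
    """Yield (source_type, target_type, tclass, permission) for every denied AVC record."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None or m.group("result") != "denied":
            continue
        stype = selinux_type(m.group("scontext"))
        ttype = selinux_type(m.group("tcontext"))
        for perm in m.group("perms").split():
            yield stype, ttype, m.group("tclass"), perm


def summarize_denials(text):
    """Group denials as audit2allow does: (source, target, class) -> set of permissions."""
    groups = defaultdict(set)
    for stype, ttype, tclass, perm in parse_avc_denials(text):
        groups[(stype, ttype, tclass)].add(perm)
    return dict(groups)


def candidate_allow_rules(text):
    """Render the allow rules a local module built from these denials would contain."""
    return [
        f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (stype, ttype, tclass), perms in sorted(summarize_denials(text).items())
    ]


def triage(text):
    """Map each denial group to 'relabel' (fix the file label) or 'policy' (needs a rule)."""
    return {
        key: ("relabel" if key[1] in MISLABEL_TYPES else "policy")
        for key in summarize_denials(text)
    }


if __name__ == "__main__":
    for rule in candidate_allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
    for key, verdict in sorted(triage(SAMPLE_AUDIT_LOG).items()):
        print(f"{key[0]} -> {key[1]}:{key[2]}: {verdict}")
```

Run it directly to print the rule and the verdict; to use it on a real system, replace SAMPLE_AUDIT_LOG with the contents of /var/log/audit/audit.log. The point of the triage step is that the audit2allow/semodule pair above turns the quoted denial into `allow nsplugin_t user_home_t:lnk_file read;`, which lets the plugin viewer read every symlink labelled user_home_t, not just .XCompose; when the cause is a file carrying the wrong label, relabelling it is the narrower fix.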


