Bug 440426 - SELinux is preventing the plugin-config from using potentially mislabeled files (/home/matej/.mozilla/firefox/e8zuqhrq.default/prefs.js).
Product: Fedora
Classification: Fedora
Component: deskbar-applet
All Linux
low Severity low
Assigned To: Luke Macken
Fedora Extras Quality Assurance
: SELinux
Reported: 2008-04-03 10:31 EDT by Matěj Cepl
Modified: 2018-04-11 11:20 EDT (History)

Doc Type: Bug Fix
Last Closed: 2008-04-14 14:33:56 EDT

Attachments
/var/log/audit/audit.log (243.90 KB, text/plain)
2008-04-03 10:31 EDT, Matěj Cepl
Description Matěj Cepl 2008-04-03 10:31:44 EDT
Description of problem:


SELinux is preventing the plugin-config from using potentially mislabeled files

Podrobný popis:

SELinux has denied plugin-config access to potentially mislabeled file(s)
(/home/matej/.mozilla/firefox/e8zuqhrq.default/prefs.js). This means that
SELinux will not allow plugin-config to use these files. It is common for users
to edit files in their home directory or tmp directories and then move (mv) them
to system directories. The problem is that the files end up with the wrong file
context which confined applications are not allowed to access.

Povolení přístupu:

If you want plugin-config to access this files, you need to relabel them using
restorecon -v '/home/matej/.mozilla/firefox/e8zuqhrq.default/prefs.js'. You
might want to relabel the entire directory using restorecon -R -v

Další informace:

Kontext zdroje                unconfined_u:unconfined_r:nsplugin_config_t
Kontext cíle                 unconfined_u:object_r:user_mozilla_home_t
Objekty cíle                 /home/matej/.mozilla/firefox/e8zuqhrq.default/pref
                              s.js [ file ]
Zdroj                         plugin-config
Cesta zdroje                  /usr/lib/nspluginwrapper/plugin-config
Port                          <Neznámé>
Počítač                    viklef.ceplovi.cz
RPM balíčky zdroje          nspluginwrapper-
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.3.1-27.0.mc.1.fc9
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Enforcing
Název zásuvného modulu     home_tmp_bad_labels
Název počítače            viklef.ceplovi.cz
Platforma                     Linux viklef.ceplovi.cz
                              2.6.25-0.185.rc7.git6.fc9.i686 #1 SMP Tue Apr 1
                              13:48:40 EDT 2008 i686 i686
Počet uporoznění           3
Poprvé viděno               Čt 3. duben 2008, 15:40:18 CEST
Naposledy viděno             Čt 3. duben 2008, 15:40:24 CEST
Místní ID                   31228626-9ab3-4b71-9673-35389d1c6ee2
Čísla řádků              

Původní zprávy auditu      

host=viklef.ceplovi.cz type=AVC msg=audit(1207230024.507:83): avc:  denied  {
read } for  pid=17472 comm="plugin-config"
path="/home/matej/.mozilla/firefox/e8zuqhrq.default/prefs.js" dev=dm-6
ino=196644 scontext=unconfined_u:unconfined_r:nsplugin_config_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_mozilla_home_t:s0 tclass=file

host=viklef.ceplovi.cz type=SYSCALL msg=audit(1207230024.507:83): arch=40000003
syscall=11 success=yes exit=0 a0=8e74bb0 a1=8e774c8 a2=8e775a8 a3=0 items=0
ppid=17470 pid=17472 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500
sgid=500 fsgid=500 tty=(none) ses=1 comm="plugin-config"
subj=unconfined_u:unconfined_r:nsplugin_config_t:s0-s0:c0.c1023 key=(null)

Version-Release number of selected component (if applicable):

Additional info:
I am not actually sure how to reproduce this.
Comment 1 Matěj Cepl 2008-04-03 10:31:44 EDT
Created attachment 300257
Comment 2 Matěj Cepl 2008-04-03 10:45:19 EDT
According to mschmidt from the Brno office, this is caused by deskbar-applet.
And yes, I have been doing something with that. And yes, when reconfiguring it in
Permissive mode, I got exactly the same AVC. What in the world does
deskbar-applet want from plugins?
Comment 3 Luke Macken 2008-04-11 12:27:27 EDT
deskbar-applet reads your local mozilla profiles, and sets various inotify
watches on them as well.  This way it can keep tabs on your web history,
searches, bookmarks, and search plugins.

I am unable to reproduce this violation myself, and by the looks of it, it seems
as if the nspluginwrapper is causing this issue.

Dan, do you have any suggestions here?
Comment 4 Daniel Walsh 2008-04-14 14:33:56 EDT
Fixed in selinux-policy-3.3.1-35.fc9
