Description of problem:

Souhrn:

SELinux is preventing the plugin-config from using potentially mislabeled files (/home/matej/.mozilla/firefox/e8zuqhrq.default/prefs.js).

Podrobný popis:

SELinux has denied plugin-config access to potentially mislabeled file(s) (/home/matej/.mozilla/firefox/e8zuqhrq.default/prefs.js). This means that SELinux will not allow plugin-config to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access.

Povolení přístupu:

If you want plugin-config to access this files, you need to relabel them using restorecon -v '/home/matej/.mozilla/firefox/e8zuqhrq.default/prefs.js'. You might want to relabel the entire directory using restorecon -R -v '/home/matej/.mozilla/firefox/e8zuqhrq.default'.

Další informace:

Kontext zdroje                unconfined_u:unconfined_r:nsplugin_config_t:SystemLow-SystemHigh
Kontext cíle                  unconfined_u:object_r:user_mozilla_home_t
Objekty cíle                  /home/matej/.mozilla/firefox/e8zuqhrq.default/prefs.js [ file ]
Zdroj                         plugin-config
Cesta zdroje                  /usr/lib/nspluginwrapper/plugin-config
Port                          <Neznámé>
Počítač                       viklef.ceplovi.cz
RPM balíčky zdroje            nspluginwrapper-0.9.91.5-26.fc9
RPM balíčky cíle
RPM politiky                  selinux-policy-3.3.1-27.0.mc.1.fc9
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim              Enforcing
Název zásuvného modulu        home_tmp_bad_labels
Název počítače                viklef.ceplovi.cz
Platforma                     Linux viklef.ceplovi.cz 2.6.25-0.185.rc7.git6.fc9.i686 #1 SMP Tue Apr 1 13:48:40 EDT 2008 i686 i686
Počet uporoznění              3
Poprvé viděno                 Čt 3. duben 2008, 15:40:18 CEST
Naposledy viděno              Čt 3. duben 2008, 15:40:24 CEST
Místní ID                     31228626-9ab3-4b71-9673-35389d1c6ee2
Čísla řádků

Původní zprávy auditu

host=viklef.ceplovi.cz type=AVC msg=audit(1207230024.507:83): avc: denied { read } for pid=17472 comm="plugin-config" path="/home/matej/.mozilla/firefox/e8zuqhrq.default/prefs.js" dev=dm-6 ino=196644 scontext=unconfined_u:unconfined_r:nsplugin_config_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_mozilla_home_t:s0 tclass=file

host=viklef.ceplovi.cz type=SYSCALL msg=audit(1207230024.507:83): arch=40000003 syscall=11 success=yes exit=0 a0=8e74bb0 a1=8e774c8 a2=8e775a8 a3=0 items=0 ppid=17470 pid=17472 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="plugin-config" exe="/usr/lib/nspluginwrapper/plugin-config" subj=unconfined_u:unconfined_r:nsplugin_config_t:s0-s0:c0.c1023 key=(null)

Version-Release number of selected component (if applicable):
firefox-3.0-0.52.beta5.fc9.i386
nspluginwrapper-0.9.91.5-26.fc9.i386
selinux-policy-targeted-3.3.1-27.0.mc.1.fc9.noarch

Additional info:
I am not actually sure how to reproduce this.
Created attachment 300257: /var/log/audit/audit.log
According to mschmidt from the Brno office, this is caused by deskbar-applet. And yes, I have been doing something with that. And yes, when reconfiguring it in Permissive mode I got exactly the same AVC. What in the world does deskbar-applet want from plugins?
deskbar-applet reads your local mozilla profiles, and sets various inotify watches on them as well. This way it can keep tabs on your web history, searches, bookmarks, and search plugins. I am unable to reproduce this violation myself, and by the looks of it, it seems as if the nspluginwrapper is causing this issue. Dan, do you have any suggestions here?
Fixed in selinux-policy-3.3.1-35.fc9
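For triage, the two raw audit records in the report can be joined on their shared event id and reduced to the denied access vector. This is an added example, not part of the original bug report or of setroubleshoot; the function names are hypothetical and the sample input is the pair of records quoted in the description.

```python
import re

# Sample input: the AVC and SYSCALL records from the report's raw audit messages.
SAMPLE = """\
host=viklef.ceplovi.cz type=AVC msg=audit(1207230024.507:83): avc: denied { read } for pid=17472 comm="plugin-config" path="/home/matej/.mozilla/firefox/e8zuqhrq.default/prefs.js" dev=dm-6 ino=196644 scontext=unconfined_u:unconfined_r:nsplugin_config_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_mozilla_home_t:s0 tclass=file
host=viklef.ceplovi.cz type=SYSCALL msg=audit(1207230024.507:83): arch=40000003 syscall=11 success=yes exit=0 a0=8e74bb0 a1=8e774c8 a2=8e775a8 a3=0 items=0 ppid=17470 pid=17472 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="plugin-config" exe="/usr/lib/nspluginwrapper/plugin-config" subj=unconfined_u:unconfined_r:nsplugin_config_t:s0-s0:c0.c1023 key=(null)
"""

HEADER = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
VERDICT = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}")

def parse_record(line):
    """Split one audit line into record type, event id and key=value fields."""
    head = HEADER.search(line)
    if head is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD.findall(line[head.end():])}
    verdict = VERDICT.search(line)
    if verdict:
        fields["verdict"] = verdict.group(1)
        fields["perms"] = verdict.group(2).split()
    return head.group(1), (head.group(2), int(head.group(3))), fields

def selinux_type(context):
    """Context is user:role:type[:range]; the MLS range may itself contain ':'."""
    return context.split(":")[2]

def summarize_denials(log_text):
    """Join AVC and SYSCALL records that share an event id into one summary."""
    events = {}
    for line in log_text.splitlines():
        parsed = parse_record(line)
        if parsed:
            rtype, event_id, fields = parsed
            events.setdefault(event_id, {})[rtype] = fields
    summaries = []
    for event_id, recs in sorted(events.items()):
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if not avc or avc.get("verdict") != "denied":
            continue
        src, tgt = selinux_type(avc["scontext"]), selinux_type(avc["tcontext"])
        summaries.append({
            "event": event_id, "path": avc.get("path"), "exe": sc.get("exe"),
            "uid": sc.get("uid"), "euid": sc.get("euid"),
            "vector": f"{src} {tgt}:{avc['tclass']} {{ {' '.join(avc['perms'])} }}",
        })
    return summaries
```

Calling `summarize_denials(SAMPLE)` returns one entry whose `vector` names the source type, target type, object class and permission from the AVC record, alongside the executable and uid/euid from the matching SYSCALL record.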