Bug 441486 - Several AVC's after rawhide install and update
Several AVC's after rawhide install and update
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
rawhide
All Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-04-08 08:43 EDT by Tom Diehl
Modified: 2008-04-08 10:33 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-04-08 10:33:35 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Tom Diehl 2008-04-08 08:43:41 EDT
Description of problem:Several AVC's after rawhide install and update


Version-Release number of selected component (if applicable):
[root@bullwinkle bin]# rpm -qa | grep selinux
selinux-policy-targeted-3.3.1-28.fc9.noarch
libselinux-2.0.61-1.fc9.i386
selinux-policy-3.3.1-28.fc9.noarch
libselinux-python-2.0.61-1.fc9.i386
[root@bullwinkle bin]


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:Several AVC's


Expected results: No Avc's


Additional info:After installing rawhide I got numerous AVC's. I then updated to
the latest policy and I am left with the following AVC's:


Summary:

SELinux is preventing the npviewer.bin from using potentially mislabeled files
(/root/.mozilla/firefox/j8ftz8kh.default/.parentlock).

Detailed Description:

SELinux has denied npviewer.bin access to potentially mislabeled file(s)
(/root/.mozilla/firefox/j8ftz8kh.default/.parentlock). This means that SELinux
will not allow npviewer.bin to use these files. It is common for users to edit
files in their home directory or tmp directories and then move (mv) them to
system directories. The problem is that the files end up with the wrong file
context which confined applications are not allowed to access.

Allowing Access:

If you want npviewer.bin to access this files, you need to relabel them using
restorecon -v '/root/.mozilla/firefox/j8ftz8kh.default/.parentlock'. You might
want to relabel the entire directory using restorecon -R -v
'/root/.mozilla/firefox/j8ftz8kh.default'.

Additional Information:

Source Context                unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c102
                              3
Target Context                unconfined_u:object_r:admin_home_t:s0
Target Objects                /root/.mozilla/firefox/j8ftz8kh.default/.parentloc
                              k [ file ]
Source                        npviewer.bin
Source Path                   /usr/lib/nspluginwrapper/npviewer.bin
Port                          <Unknown>
Host                          bullwinkle.tntechs.com
Source RPM Packages           nspluginwrapper-0.9.91.5-26.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-28.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     bullwinkle.tntechs.com
Platform                      Linux bullwinkle.tntechs.com
                              2.6.25-0.201.rc8.git4.fc9.i686 #1 SMP Sun Apr 6
                              21:55:27 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Tue 08 Apr 2008 08:14:23 AM EDT
Last Seen                     Tue 08 Apr 2008 08:14:23 AM EDT
Local ID                      8f8eebaf-d718-477d-9358-2caab5a0124e
Line Numbers                  

Raw Audit Messages            

host=bullwinkle.tntechs.com type=AVC msg=audit(1207656863.239:154): avc:  denied
 { write } for  pid=22862 comm="npviewer.bin"
path="/root/.mozilla/firefox/j8ftz8kh.default/.parentlock" dev=dm-0 ino=262333
scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

host=bullwinkle.tntechs.com type=AVC msg=audit(1207656863.239:154): avc:  denied
 { write } for  pid=22862 comm="npviewer.bin"
path="/root/.mozilla/firefox/j8ftz8kh.default/.parentlock" dev=dm-0 ino=262333
scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

host=bullwinkle.tntechs.com type=AVC msg=audit(1207656863.239:154): avc:  denied
 { read } for  pid=22862 comm="npviewer.bin"
path="/root/.mozilla/firefox/j8ftz8kh.default/XUL.mfasl" dev=dm-0 ino=262352
scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

host=bullwinkle.tntechs.com type=AVC msg=audit(1207656863.239:154): avc:  denied
 { read write } for  pid=22862 comm="npviewer.bin"
path="/root/.mozilla/firefox/j8ftz8kh.default/Cache/_CACHE_MAP_" dev=dm-0
ino=262357 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

host=bullwinkle.tntechs.com type=AVC msg=audit(1207656863.239:154): avc:  denied
 { read write } for  pid=22862 comm="npviewer.bin"
path="/root/.mozilla/firefox/j8ftz8kh.default/Cache/_CACHE_001_" dev=dm-0
ino=262358 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

host=bullwinkle.tntechs.com type=AVC msg=audit(1207656863.239:154): avc:  denied
 { read write } for  pid=22862 comm="npviewer.bin"
path="/root/.mozilla/firefox/j8ftz8kh.default/Cache/_CACHE_002_" dev=dm-0
ino=262359 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

host=bullwinkle.tntechs.com type=AVC msg=audit(1207656863.239:154): avc:  denied
 { read write } for  pid=22862 comm="npviewer.bin"
path="/root/.mozilla/firefox/j8ftz8kh.default/Cache/_CACHE_003_" dev=dm-0
ino=262360 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

host=bullwinkle.tntechs.com type=SYSCALL msg=audit(1207656863.239:154):
arch=40000003 syscall=11 success=yes exit=0 a0=8fe8458 a1=8fe2870 a2=8fe87a8
a3=0 items=0 ppid=22801 pid=22862 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="npviewer.bin"
exe="/usr/lib/nspluginwrapper/npviewer.bin"
subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null)



Summary:

SELinux is preventing runlevel (NetworkManager_t) "write" to ./utmp
(initrc_var_run_t).

Detailed Description:

SELinux denied access requested by runlevel. It is not expected that this access
is required by runlevel and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./utmp,

restorecon -v './utmp'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:initrc_var_run_t:s0
Target Objects                ./utmp [ file ]
Source                        runlevel
Source Path                   /sbin/runlevel
Port                          <Unknown>
Host                          bullwinkle.tntechs.com
Source RPM Packages           upstart-0.3.9-15.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-28.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     bullwinkle.tntechs.com
Platform                      Linux bullwinkle.tntechs.com
                              2.6.25-0.201.rc8.git4.fc9.i686 #1 SMP Sun Apr 6
                              21:55:27 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Mon 07 Apr 2008 12:53:20 PM EDT
Last Seen                     Mon 07 Apr 2008 12:53:20 PM EDT
Local ID                      f02bf57a-2948-4d87-976d-f6f6aab48c15
Line Numbers                  

Raw Audit Messages            

host=bullwinkle.tntechs.com type=AVC msg=audit(1207587200.728:27): avc:  denied
 { write } for  pid=3332 comm="runlevel" name="utmp" dev=dm-2 ino=73740
scontext=system_u:system_r:NetworkManager_t:s0
tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

host=bullwinkle.tntechs.com type=SYSCALL msg=audit(1207587200.728:27):
arch=40000003 syscall=5 success=no exit=-13 a0=9812ba a1=88002 a2=8b9bf8
a3=9812c0 items=0 ppid=3331 pid=3332 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="runlevel"
exe="/sbin/runlevel" subj=system_u:system_r:NetworkManager_t:s0 key=(null)



Summary:

SELinux is preventing the Xorg from using potentially mislabeled files
(./fonts.dir).

Detailed Description:

SELinux has denied Xorg access to potentially mislabeled file(s) (./fonts.dir).
This means that SELinux will not allow Xorg to use these files. It is common for
users to edit files in their home directory or tmp directories and then move
(mv) them to system directories. The problem is that the files end up with the
wrong file context which confined applications are not allowed to access.

Allowing Access:

If you want Xorg to access this files, you need to relabel them using restorecon
-v './fonts.dir'. You might want to relabel the entire directory using
restorecon -R -v '.'.

Additional Information:

Source Context                system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:admin_home_t:s0
Target Objects                ./fonts.dir [ file ]
Source                        Xorg
Source Path                   /usr/bin/Xorg
Port                          <Unknown>
Host                          bullwinkle.tntechs.com
Source RPM Packages           xorg-x11-server-Xorg-1.4.99.901-17.20080401.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-28.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     bullwinkle.tntechs.com
Platform                      Linux bullwinkle.tntechs.com
                              2.6.25-0.201.rc8.git4.fc9.i686 #1 SMP Sun Apr 6
                              21:55:27 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Mon 07 Apr 2008 12:53:05 PM EDT
Last Seen                     Mon 07 Apr 2008 12:53:05 PM EDT
Local ID                      66087dba-4059-4f8f-a9c2-eea91b3c3487
Line Numbers                  

Raw Audit Messages            

host=bullwinkle.tntechs.com type=AVC msg=audit(1207587185.530:26): avc:  denied
 { read } for  pid=2778 comm="Xorg" name="fonts.dir" dev=dm-0 ino=262183
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

host=bullwinkle.tntechs.com type=SYSCALL msg=audit(1207587185.530:26):
arch=40000003 syscall=5 success=no exit=-13 a0=bfcd2b28 a1=0 a2=1b6 a3=0 items=0
ppid=2775 pid=2778 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=tty7 ses=4294967295 comm="Xorg" exe="/usr/bin/Xorg"
subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 key=(null)



Summary:

SELinux is preventing the gdm-session-wor from using potentially mislabeled
files (./root).

Detailed Description:

SELinux has denied gdm-session-wor access to potentially mislabeled file(s)
(./root). This means that SELinux will not allow gdm-session-wor to use these
files. It is common for users to edit files in their home directory or tmp
directories and then move (mv) them to system directories. The problem is that
the files end up with the wrong file context which confined applications are not
allowed to access.

Allowing Access:

If you want gdm-session-wor to access this files, you need to relabel them using
restorecon -v './root'. You might want to relabel the entire directory using
restorecon -R -v './root'.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:admin_home_t:s0
Target Objects                ./root [ dir ]
Source                        gdm-session-wor
Source Path                   /usr/libexec/gdm-session-worker
Port                          <Unknown>
Host                          bullwinkle.tntechs.com
Source RPM Packages           gdm-2.21.10-0.2008.04.07.1.fc9
Target RPM Packages           filesystem-2.4.12-1.fc9
Policy RPM                    selinux-policy-3.3.1-28.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     bullwinkle.tntechs.com
Platform                      Linux bullwinkle.tntechs.com
                              2.6.25-0.201.rc8.git4.fc9.i686 #1 SMP Sun Apr 6
                              21:55:27 EDT 2008 i686 i686
Alert Count                   4
First Seen                    Mon 07 Apr 2008 12:52:40 PM EDT
Last Seen                     Mon 07 Apr 2008 12:53:02 PM EDT
Local ID                      983dd350-6557-4e40-b855-60810bed6ed6
Line Numbers                  

Raw Audit Messages            

host=bullwinkle.tntechs.com type=AVC msg=audit(1207587182.105:25): avc:  denied
 { write } for  pid=2966 comm="gdm-session-wor" name="root" dev=dm-0 ino=262145
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:admin_home_t:s0 tclass=dir

host=bullwinkle.tntechs.com type=SYSCALL msg=audit(1207587182.105:25):
arch=40000003 syscall=5 success=no exit=-13 a0=91b0a60 a1=80c2 a2=180 a3=80c2
items=0 ppid=2917 pid=2966 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=2 comm="gdm-session-wor"
exe="/usr/libexec/gdm-session-worker"
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Comment 1 Daniel Walsh 2008-04-08 10:33:35 EDT
SELinux will not allow you to login as root via XWindows this is a bad idea and
we will not clean up the AVC's since this would cover up potential attacks.


Note You need to log in before you can comment on or make changes to this bug.