Red Hat Bugzilla – Bug 448118
SELinux is preventing firefox from creating a file with a context of unlabeled_t on a filesystem
Last modified: 2008-07-02 13:57:58 EDT
From Bugzilla Helper: User-Agent: Mozilla/5.0 (compatible; Konqueror/4.0; Linux) KHTML/4.0.4 (like Gecko) Fedora/4.0.4-4.fc9 Description of problem: After upgrading to selinux-policy-3.3.1-51.fc9.noarch selinux-policy-devel-3.3.1-51.fc9.noarch selinux-policy-targeted-3.3.1-51.fc9.noarc and using firefox-3.0-0.60.beta5.fc9.x86_64 I have next (pasted in section "additional information") selinux error, and firefox doesn't startup correctly anymore. stderr output of firefox: Adblock plus: failed write pattern to file <home>/.mozilla/firefox/2xkf909o.default/adblockplus/patterns.ini: [Exception... "Component returned failure code: 0x80520015 (NS_ERROR_FILE_ACCESS_DENIED) [nsIFileOutputStream.init]" nsresult: "0x80520015 (NS_ERROR_FILE_ACCESS_DENIED)" location: "JS frame :: chrome://adblockplus/content/prefs.js :: anonymous :: line 767" data: no] When I scratch my $HOME/.mozilla folder, problem is gone. But I need my personal data :) Version-Release number of selected component (if applicable): selinux-policy-3.3.1-51.fc9.noarch How reproducible: Always Steps to Reproduce: 1. install described components on x86_64 2. run firefox 3. Actual Results: Expected Results: Additional info: Summary: SELinux is preventing firefox from creating a file with a context of unlabeled_t on a filesystem. Detailed Description: SELinux is preventing firefox from creating a file with a context of unlabeled_t on a filesystem. Usually this happens when you ask the cp command to maintain the context of a file when copying between file systems, "cp -a" for example. Not all file contexts should be maintained between the file systems. For example, a read-only file type like iso9660_t should not be placed on a r/w system. "cp -P" might be a better solution, as this will adopt the default file context for the destination. Allowing Access: Use a command like "cp -P" to preserve all permissions except SELinux context. Additional Information: Source Context unconfined_u:object_r:unlabeled_t Target Context system_u:object_r:fs_t Target Objects cookies.sqlite-journal [ filesystem ] Source firefox Source Path /usr/lib64/firefox-3.0b5/firefox Port <Unknown> Source RPM Packages firefox-3.0-0.60.beta5.fc9 Target RPM Packages Policy RPM selinux-policy-3.3.1-51.fc9 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name filesystem_associate Platform Linux obelix 2.6.25.3-18.fc9.x86_64 #1 SMP Tue May 13 04:54:47 EDT 2008 x86_64 x86_64 Alert Count 4 First Seen Fri 23 May 2008 05:10:51 PM CEST Last Seen Fri 23 May 2008 05:34:12 PM CEST Local ID d8a700cf-2c6f-4dd5-830d-4050a339fbe8 Line Numbers Raw Audit Messages host=myhostname type=AVC msg=audit(1211556852.662:254): avc: denied { associate } for pid=8993 comm="firefox" name="cookies.sqlite-journal" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem host=myhostname type=SYSCALL msg=audit(1211556852.662:254): arch=c000003e syscall=2 success=no exit=-13 a0=2ca2c7e a1=c2 a2=1a4 a3=0 items=0 ppid=8976 pid=8993 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts10 ses=1 comm="firefox" exe="/usr/lib64/firefox-3.0b5/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
I've had the same problem. I was unable to access the firefox history anymore. A '/sbin/restorecon -Rv .mozilla' did the trick for me.
This is an upgrade problem. You can fix it by executing the restorecon command above.