Bug 448118 - SELinux is preventing firefox from creating a file with a context of unlabeled_t on a filesystem
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 9
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-05-23 15:39 UTC by Dean Mander
Modified: 2008-07-02 17:57 UTC
Last Closed: 2008-07-02 17:57:58 UTC

Description Dean Mander 2008-05-23 15:39:31 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (compatible; Konqueror/4.0; Linux) KHTML/4.0.4 (like Gecko) Fedora/4.0.4-4.fc9

Description of problem:
After upgrading to
selinux-policy-3.3.1-51.fc9.noarch
selinux-policy-devel-3.3.1-51.fc9.noarch
selinux-policy-targeted-3.3.1-51.fc9.noarch
and using firefox-3.0-0.60.beta5.fc9.x86_64

I get the following SELinux error (pasted in the "Additional info" section), and
Firefox doesn't start up correctly anymore.

stderr output of firefox:
Adblock plus: failed write pattern to file
<home>/.mozilla/firefox/2xkf909o.default/adblockplus/patterns.ini: [Exception...
"Component returned failure code: 0x80520015 (NS_ERROR_FILE_ACCESS_DENIED)
[nsIFileOutputStream.init]"  nsresult: "0x80520015 (NS_ERROR_FILE_ACCESS_DENIED)" 
location: "JS frame :: chrome://adblockplus/content/prefs.js :: anonymous :: line
767"  data: no]


When I scratch my $HOME/.mozilla folder, the problem is gone. But I need my personal
data :)

Version-Release number of selected component (if applicable):
selinux-policy-3.3.1-51.fc9.noarch

How reproducible:
Always


Steps to Reproduce:
1. install described components on x86_64 
2. run firefox
3.

Actual Results:


Expected Results:


Additional info:

Summary:

SELinux is preventing firefox from creating a file with a context of unlabeled_t
on a filesystem.

Detailed Description:

SELinux is preventing firefox from creating a file with a context of unlabeled_t
on a filesystem. Usually this happens when you ask the cp command to maintain
the context of a file when copying between file systems, "cp -a" for example.
Not all file contexts should be maintained between the file systems. For
example, a read-only file type like iso9660_t should not be placed on a r/w
system. "cp -P" might be a better solution, as this will adopt the default file
context for the destination.

Allowing Access:

Use a command like "cp -P" to preserve all permissions except SELinux context.

Additional Information:

Source Context                unconfined_u:object_r:unlabeled_t
Target Context                system_u:object_r:fs_t
Target Objects                cookies.sqlite-journal [ filesystem ]
Source                        firefox
Source Path                   /usr/lib64/firefox-3.0b5/firefox
Port                          <Unknown>
Source RPM Packages           firefox-3.0-0.60.beta5.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-51.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   filesystem_associate
Platform                      Linux obelix 2.6.25.3-18.fc9.x86_64 #1 SMP Tue May
                              13 04:54:47 EDT 2008 x86_64 x86_64
Alert Count                   4
First Seen                    Fri 23 May 2008 05:10:51 PM CEST
Last Seen                     Fri 23 May 2008 05:34:12 PM CEST
Local ID                      d8a700cf-2c6f-4dd5-830d-4050a339fbe8
Line Numbers                  

Raw Audit Messages            

host=myhostname type=AVC msg=audit(1211556852.662:254): avc:  denied  { associate
} for  pid=8993 comm="firefox" name="cookies.sqlite-journal"
scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:fs_t:s0
tclass=filesystem

host=myhostname type=SYSCALL msg=audit(1211556852.662:254): arch=c000003e
syscall=2 success=no exit=-13 a0=2ca2c7e a1=c2 a2=1a4 a3=0 items=0 ppid=8976
pid=8993 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500
fsgid=500 tty=pts10 ses=1 comm="firefox" exe="/usr/lib64/firefox-3.0b5/firefox"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Comment 1 Christian Nolte 2008-05-24 14:45:56 UTC
I've had the same problem. I was unable to access the firefox history anymore. A
'/sbin/restorecon -Rv .mozilla' did the trick for me.

Comment 2 Daniel Walsh 2008-07-02 17:57:58 UTC
This is an upgrade problem.  You can fix it by executing the restorecon command
above.
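
The denial in this report has a recognisable shape: an `associate` permission on `tclass=filesystem` whose source context has type `unlabeled_t`, resolved in the comments by relabeling with restorecon. The Python sketch below is an added example, not part of the original report or of setroubleshoot; it parses the raw AVC record quoted above and flags that pattern. The function names and the `relabel_path` parameter are assumptions (the AVC record carries only a file name, so the directory to relabel must be supplied; `.mozilla` is taken from Comment 1).

```python
import re
import shlex

# Sample input: the AVC record from this report, hard-wrapped as it was pasted.
SAMPLE_AVC = '''host=myhostname type=AVC msg=audit(1211556852.662:254): avc:  denied  { associate
} for  pid=8993 comm="firefox" name="cookies.sqlite-journal"
scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:fs_t:s0
tclass=filesystem'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')

def parse_avc(record):
    """Parse one AVC denial (possibly wrapped over lines) into a dict, or None."""
    flat = ' '.join(record.split())          # undo line wrapping
    m = AVC_RE.search(flat)
    if not m:
        return None                          # e.g. a SYSCALL record
    fields = {'perms': m.group(1).split()}
    for token in shlex.split(m.group(2)):    # strips the quotes around values
        key, sep, value = token.partition('=')
        if sep:
            fields[key] = value
    return fields

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else None

def is_unlabeled_associate(avc):
    """True for the pattern in this bug: unlabeled_t object vs. a filesystem."""
    return (avc is not None
            and 'associate' in avc['perms']
            and avc.get('tclass') == 'filesystem'
            and selinux_type(avc.get('scontext', '')) == 'unlabeled_t')

def triage(record, relabel_path='.mozilla'):
    """Suggest the relabel from the comments when the record matches."""
    avc = parse_avc(record)
    if is_unlabeled_associate(avc):
        return (f"relabel: /sbin/restorecon -Rv {relabel_path}"
                f"  # {avc.get('comm')} denied on {avc.get('name')}")
    return 'no unlabeled_t associate denial found'

if __name__ == '__main__':
    print(triage(SAMPLE_AVC))
```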

