Bug 448118 - SELinux is preventing firefox from creating a file with a context of unlabeled_t on a filesystem
SELinux is preventing firefox from creating a file with a context of unlabele...
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
x86_64 Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2008-05-23 11:39 EDT by Dean Mander
Modified: 2008-07-02 13:57 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-07-02 13:57:58 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Dean Mander 2008-05-23 11:39:31 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (compatible; Konqueror/4.0; Linux) KHTML/4.0.4 (like Gecko) Fedora/4.0.4-4.fc9

Description of problem:
After upgrading to
and using firefox-3.0-0.60.beta5.fc9.x86_64

I have next (pasted in section "additional information") selinux error, and
firefox doesn't startup correctly anymore.

stderr output of firefox:
Adblock plus: failed write pattern to file
<home>/.mozilla/firefox/2xkf909o.default/adblockplus/patterns.ini: [Exception...
"Component returned failure code: 0x80520015 (NS_ERROR_FILE_ACCESS_DENIED)
[nsIFileOutputStream.init]"  nsresult: "0x80520015 (NS_ERROR_FILE_ACCESS_DENIED)" 
location: "JS frame :: chrome://adblockplus/content/prefs.js :: anonymous :: line
767"  data: no]

When I scratch my $HOME/.mozilla folder, problem is gone. But I need my personal
data :)

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. install described components on x86_64 
2. run firefox

Actual Results:

Expected Results:

Additional info:


SELinux is preventing firefox from creating a file with a context of unlabeled_t
on a filesystem.

Detailed Description:

SELinux is preventing firefox from creating a file with a context of unlabeled_t
on a filesystem. Usually this happens when you ask the cp command to maintain
the context of a file when copying between file systems, "cp -a" for example.
Not all file contexts should be maintained between the file systems. For
example, a read-only file type like iso9660_t should not be placed on a r/w
system. "cp -P" might be a better solution, as this will adopt the default file
context for the destination.

Allowing Access:

Use a command like "cp -P" to preserve all permissions except SELinux context.

Additional Information:

Source Context                unconfined_u:object_r:unlabeled_t
Target Context                system_u:object_r:fs_t
Target Objects                cookies.sqlite-journal [ filesystem ]
Source                        firefox
Source Path                   /usr/lib64/firefox-3.0b5/firefox
Port                          <Unknown>
Source RPM Packages           firefox-3.0-0.60.beta5.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-51.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   filesystem_associate
Platform                      Linux obelix #1 SMP Tue May
                              13 04:54:47 EDT 2008 x86_64 x86_64
Alert Count                   4
First Seen                    Fri 23 May 2008 05:10:51 PM CEST
Last Seen                     Fri 23 May 2008 05:34:12 PM CEST
Local ID                      d8a700cf-2c6f-4dd5-830d-4050a339fbe8
Line Numbers                  

Raw Audit Messages            

host=myhostname type=AVC msg=audit(1211556852.662:254): avc:  denied  { associate
} for  pid=8993 comm="firefox" name="cookies.sqlite-journal"
scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:fs_t:s0

host=myhostname type=SYSCALL msg=audit(1211556852.662:254): arch=c000003e
syscall=2 success=no exit=-13 a0=2ca2c7e a1=c2 a2=1a4 a3=0 items=0 ppid=8976
pid=8993 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500
fsgid=500 tty=pts10 ses=1 comm="firefox" exe="/usr/lib64/firefox-3.0b5/firefox"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
Comment 1 Christian Nolte 2008-05-24 10:45:56 EDT
I've had the same problem. I was unable to access the firefox history anymore. A
'/sbin/restorecon -Rv .mozilla' did the trick for me.
Comment 2 Daniel Walsh 2008-07-02 13:57:58 EDT
This is an upgrade problem.  You can fix it by executing the restorecon command

Note You need to log in before you can comment on or make changes to this bug.