Bug 469092 - SELinux is preventing soffice (nsplugin_t) "getattr" to /usr/lib/openoffice.org/ure/bin/javaldx (java_exec_t).
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 10
Hardware: All, OS: Linux
Priority: medium, Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Duplicates: 469094 469095
Reported: 2008-10-29 16:34 EDT by Alex Chiang
Modified: 2009-01-08 13:35 EST
Doc Type: Bug Fix
Last Closed: 2009-01-08 13:35:33 EST

Description Alex Chiang 2008-10-29 16:34:53 EDT
Summary:

SELinux is preventing soffice (nsplugin_t) "getattr" to
/usr/lib/openoffice.org/ure/bin/javaldx (java_exec_t).

Detailed Description:

SELinux denied access requested by soffice. It is not expected that this access
is required by soffice and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /usr/lib/openoffice.org/ure/bin/javaldx,

restorecon -v '/usr/lib/openoffice.org/ure/bin/javaldx'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c102
                              3
Target Context                system_u:object_r:java_exec_t:s0
Target Objects                /usr/lib/openoffice.org/ure/bin/javaldx [ file ]
Source                        soffice
Source Path                   /bin/bash
Port                          <Unknown>
Host                          ethanol
Source RPM Packages           bash-3.2-28.fc10
Target RPM Packages           openoffice.org-ure-3.0.0-9.6.fc10
Policy RPM                    selinux-policy-3.5.13-8.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     ethanol
Platform                      Linux ethanol 2.6.27.4-58.fc10.i686 #1 SMP Mon Oct
                              27 18:21:44 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Wed 29 Oct 2008 02:32:23 PM MDT
Last Seen                     Wed 29 Oct 2008 02:32:23 PM MDT
Local ID                      5feff58a-6060-4e1a-a64d-0644196bcecd
Line Numbers                  

Raw Audit Messages            

node=ethanol type=AVC msg=audit(1225312343.322:233): avc:  denied  { getattr } for  pid=17488 comm="soffice" path="/usr/lib/openoffice.org/ure/bin/javaldx" dev=dm-0 ino=2449904 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:java_exec_t:s0 tclass=file

node=ethanol type=SYSCALL msg=audit(1225312343.322:233): arch=40000003 syscall=195 success=no exit=-13 a0=9c24310 a1=bfe2d4bc a2=c54ff4 a3=9c24312 items=0 ppid=17487 pid=17488 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=18 comm="soffice" exe="/bin/bash" subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null)
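
Added example (not part of the original report): the AVC and SYSCALL records above share the audit event ID 1225312343.322:233, so joining them puts the denied permission, the source domain and the real executable side by side. The function and key names (`parse_record`, `summarize`, `source_domain`, ...) are this example's own.

```python
import errno
import re

# The two raw audit records from this report; both carry the same event ID.
RECORDS = [
    'node=ethanol type=AVC msg=audit(1225312343.322:233): avc:  denied  { getattr } for  pid=17488 comm="soffice" path="/usr/lib/openoffice.org/ure/bin/javaldx" dev=dm-0 ino=2449904 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:java_exec_t:s0 tclass=file',
    'node=ethanol type=SYSCALL msg=audit(1225312343.322:233): arch=40000003 syscall=195 success=no exit=-13 a0=9c24310 a1=bfe2d4bc a2=c54ff4 a3=9c24312 items=0 ppid=17487 pid=17488 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=18 comm="soffice" exe="/bin/bash" subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null)',
]

EVENT_RE = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\)')
PERMS_RE = re.compile(r'avc:\s+(denied|granted)\s+\{ ([^}]*)\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Turn one audit line into a dict of its key=value fields."""
    m = EVENT_RE.search(line)
    if not m:
        raise ValueError("not an audit record: %r" % line[:40])
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    rec["event_id"] = (m.group(2), m.group(3))  # (timestamp, serial)
    p = PERMS_RE.search(line)
    if p:
        rec["result"], rec["perms"] = p.group(1), p.group(2).split()
    return rec


def summarize(lines):
    """Join AVC and SYSCALL records that belong to the same event."""
    events = {}
    for rec in map(parse_record, lines):
        events.setdefault(rec["event_id"], {})[rec["type"]] = rec
    out = []
    for (_, serial), recs in events.items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if avc is None:
            continue  # SYSCALL record without a matching AVC denial
        code = int(sc.get("exit", 0))
        out.append({
            "serial": serial,
            "source_domain": avc["scontext"].split(":")[2],
            "target_type": avc["tcontext"].split(":")[2],
            "tclass": avc["tclass"], "perms": avc["perms"],
            "path": avc.get("path"), "comm": avc["comm"],
            "exe": sc.get("exe"),  # comm is the command name, exe the binary
            "errno": errno.errorcode.get(-code) if code < 0 else None,
        })
    return out


if __name__ == "__main__":
    for event in summarize(RECORDS):
        print(event)
```

For this event `comm` is `soffice` while `exe` is `/bin/bash`, which matches the Source and Source Path fields of the alert, and the source domain is `nsplugin_t` rather than an unconfined user domain.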
Comment 1 Daniel Walsh 2008-10-30 14:28:43 EDT
nsplugin should not be attempting to run openoffice.  openoffice should not run within an nsplugin wrapper.  Did you set this up or is there some package that is trying to do this?
Comment 2 Daniel Walsh 2008-10-30 14:29:35 EDT
*** Bug 469094 has been marked as a duplicate of this bug. ***
Comment 3 Alex Chiang 2008-10-30 14:48:31 EDT
I didn't set up anything manually; I just accepted whatever defaults come when you install F10/rawhide.

The reason I got the message was that someone sent me a URL that pointed at a Word document. I simply pasted the url into my browser (ff3) and then got those SELinux alerts.

Is there any sort of debugging or package list you'd like me to provide?
Comment 4 Daniel Walsh 2008-10-30 15:06:38 EDT
rpm -qa \*plug\*
Comment 5 Alex Chiang 2008-10-30 16:02:34 EDT
gstreamer-plugins-farsight-0.12.9-3.fc10.i386
plymouth-plugin-solar-0.6.0-0.2008.10.27.5.fc10.i386
gstreamer-plugins-flumpegdemux-0.10.15-4.fc10.i386
anaconda-yum-plugins-1.0-3.fc10.noarch
nspluginwrapper-1.1.2-4.fc10.i386
gstreamer-plugins-good-0.10.11-1.fc10.i386
flash-plugin-9.0.124.0-release.i386
totem-mozplugin-2.24.3-1.fc10.i386
PackageKit-yum-plugin-0.3.9-1.fc10.i386
alsa-plugins-pulseaudio-1.0.18-1.rc3.fc10.i386
plymouth-plugin-label-0.6.0-0.2008.10.27.5.fc10.i386
plymouth-plugin-spinfinity-0.6.0-0.2008.10.27.5.fc10.i386
PackageKit-gstreamer-plugin-0.3.9-1.fc10.i386
mozplugger-1.10.1-3.fc10.i386
libmodplug-0.8.4-3.fc9.i386
gstreamer-plugins-base-0.10.21-2.fc10.i386
setroubleshoot-plugins-2.0.10-1.fc10.noarch
java-1.6.0-openjdk-plugin-1.6.0.0-1.1.b12.fc10.i386
Comment 6 Brennan Ashton 2008-11-03 23:50:56 EST
This bug has been triaged
Comment 7 Daniel Walsh 2008-11-04 08:30:26 EST
The problem is mozplugger wants to run a whole bunch of the desktop under nspluginwrapper.  (openoffice, evince, totem...)  nsplugin_t is not allowing desktop apps to run.  You have two choices, either remove the mozplugger rpm, or at least openoffice from /etc/mozpluggerrc

rpm -e mozplugger

Or turn off SELinux protection over nsplugin.

setsebool -P allow_unconfined_nsplugin_transition 0
Comment 8 Daniel Walsh 2008-11-04 08:47:44 EST
*** Bug 469095 has been marked as a duplicate of this bug. ***
Comment 9 Andrew John Hughes 2008-11-12 10:07:49 EST
This somehow seems to be the default setup after upgrading to Fedora 10 from Fedora 9.  Loading OpenOffice documents from the browser worked with F9 but is broken after upgrading to F10 with the same SELinux denial(s) shown above.  I've now removed mozplugger and will see if this makes a difference when the browser is next restarted. I don't know why nspluginwrapper is installed when every plugin should be 64-bit.

$ rpm -qa \*plug\*
java-1.6.0-openjdk-plugin-1.6.0.0-2b12.fc10.x86_64
PackageKit-yum-plugin-0.3.9-4.fc10.x86_64
alsa-plugins-pulseaudio-1.0.18-1.rc3.fc10.x86_64
gstreamer-plugins-base-0.10.21-2.fc10.x86_64
nspluginwrapper-1.1.2-4.fc10.x86_64
plymouth-plugin-spinfinity-0.6.0-0.2008.10.30.4.fc10.x86_64
anaconda-yum-plugins-1.0-3.fc10.noarch
totem-mozplugin-2.24.3-1.fc10.x86_64
plymouth-plugin-solar-0.6.0-0.2008.10.30.4.fc10.x86_64
setroubleshoot-plugins-2.0.10-1.fc10.noarch
plymouth-plugin-label-0.6.0-0.2008.10.30.4.fc10.x86_64
gstreamer-plugins-flumpegdemux-0.10.15-4.fc10.x86_64
gstreamer-plugins-good-0.10.11-1.fc10.x86_64
libmodplug-0.8.4-3.fc9.x86_64
maven-shared-plugin-testing-harness-1.0-4.6.fc10.x86_64
PackageKit-gstreamer-plugin-0.3.9-4.fc10.x86_64
Comment 10 Bug Zapper 2008-11-25 23:27:57 EST
This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle.
Changing version to '10'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
