Summary: SELinux is preventing soffice (nsplugin_t) "getattr" to /usr/lib/openoffice.org/ure/bin/javaldx (java_exec_t). Detailed Description: SELinux denied access requested by soffice. It is not expected that this access is required by soffice and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /usr/lib/openoffice.org/ure/bin/javaldx, restorecon -v '/usr/lib/openoffice.org/ure/bin/javaldx' If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c102 3 Target Context system_u:object_r:java_exec_t:s0 Target Objects /usr/lib/openoffice.org/ure/bin/javaldx [ file ] Source soffice Source Path /bin/bash Port <Unknown> Host ethanol Source RPM Packages bash-3.2-28.fc10 Target RPM Packages openoffice.org-ure-3.0.0-9.6.fc10 Policy RPM selinux-policy-3.5.13-8.fc10 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall_file Host Name ethanol Platform Linux ethanol 2.6.27.4-58.fc10.i686 #1 SMP Mon Oct 27 18:21:44 EDT 2008 i686 i686 Alert Count 1 First Seen Wed 29 Oct 2008 02:32:23 PM MDT Last Seen Wed 29 Oct 2008 02:32:23 PM MDT Local ID 5feff58a-6060-4e1a-a64d-0644196bcecd Line Numbers Raw Audit Messages node=ethanol type=AVC msg=audit(1225312343.322:233): avc: denied { getattr } for pid=17488 comm="soffice" path="/usr/lib/openoffice.org/ure/bin/javaldx" dev=dm-0 ino=2449904 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:java_exec_t:s0 tclass=file node=ethanol type=SYSCALL msg=audit(1225312343.322:233): arch=40000003 syscall=195 success=no exit=-13 a0=9c24310 a1=bfe2d4bc a2=c54ff4 a3=9c24312 items=0 ppid=17487 pid=17488 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=18 comm="soffice" exe="/bin/bash" subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null)
nsplugin should not be attempring to run openoffice. openoffice should not run within an nsplugin wrapper. Did you set this up or is there some package that is trying to do this?
*** Bug 469094 has been marked as a duplicate of this bug. ***
I didn't set up anything manually; I just accepted whatever defaults come when you install F10/rawhide. The reason I got the message was that someone sent me a URL that pointed at a Word document. I simply pasted the url into my browser (ff3) and then got those SELinux alerts. Is there any sort of debugging or package list you'd like me to provide?
rpm -qa \*plug\*
gstreamer-plugins-farsight-0.12.9-3.fc10.i386 plymouth-plugin-solar-0.6.0-0.2008.10.27.5.fc10.i386 gstreamer-plugins-flumpegdemux-0.10.15-4.fc10.i386 anaconda-yum-plugins-1.0-3.fc10.noarch nspluginwrapper-1.1.2-4.fc10.i386 gstreamer-plugins-good-0.10.11-1.fc10.i386 flash-plugin-9.0.124.0-release.i386 totem-mozplugin-2.24.3-1.fc10.i386 PackageKit-yum-plugin-0.3.9-1.fc10.i386 alsa-plugins-pulseaudio-1.0.18-1.rc3.fc10.i386 plymouth-plugin-label-0.6.0-0.2008.10.27.5.fc10.i386 plymouth-plugin-spinfinity-0.6.0-0.2008.10.27.5.fc10.i386 PackageKit-gstreamer-plugin-0.3.9-1.fc10.i386 mozplugger-1.10.1-3.fc10.i386 libmodplug-0.8.4-3.fc9.i386 gstreamer-plugins-base-0.10.21-2.fc10.i386 setroubleshoot-plugins-2.0.10-1.fc10.noarch java-1.6.0-openjdk-plugin-1.6.0.0-1.1.b12.fc10.i386
This bug has been triaged
The problem is mozplugger wants to run a whole bunch of the desktop under nspluginwrapper. (openoffice, evince, totem...) nsplugin_t is not allowing desktop apps to run. You have two choices, either remove the mozplugger rpm, or at least openoffice from /etc/mozpluggerrc rpm -e mozplugger Or turn off SELinux protection over nsplugin. setsebool -P allow_unconfined_nsplugin_transition 0
*** Bug 469095 has been marked as a duplicate of this bug. ***
This somehow seems to be the default setup after upgrading to Fedora 10 from Fedora 9. Loading OpenOffice documents from the browser working with F9 but is broken after upgrading to F10 with the same SELinux denial(s) shown above. I've now removed mozplugger and will see if this makes a difference when the browser is next restarted. I don't know why nspluginwrapper is installed when every plugin should be 64-bit. $ rpm -qa \*plug\* java-1.6.0-openjdk-plugin-1.6.0.0-2b12.fc10.x86_64 PackageKit-yum-plugin-0.3.9-4.fc10.x86_64 alsa-plugins-pulseaudio-1.0.18-1.rc3.fc10.x86_64 gstreamer-plugins-base-0.10.21-2.fc10.x86_64 nspluginwrapper-1.1.2-4.fc10.x86_64 plymouth-plugin-spinfinity-0.6.0-0.2008.10.30.4.fc10.x86_64 anaconda-yum-plugins-1.0-3.fc10.noarch totem-mozplugin-2.24.3-1.fc10.x86_64 plymouth-plugin-solar-0.6.0-0.2008.10.30.4.fc10.x86_64 setroubleshoot-plugins-2.0.10-1.fc10.noarch plymouth-plugin-label-0.6.0-0.2008.10.30.4.fc10.x86_64 gstreamer-plugins-flumpegdemux-0.10.15-4.fc10.x86_64 gstreamer-plugins-good-0.10.11-1.fc10.x86_64 libmodplug-0.8.4-3.fc9.x86_64 maven-shared-plugin-testing-harness-1.0-4.6.fc10.x86_64 PackageKit-gstreamer-plugin-0.3.9-4.fc10.x86_64
This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle. Changing version to '10'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping