Summary: SELinux is preventing soffice (nsplugin_t) "execute" to ./soffice.bin (openoffice_exec_t). Detailed Description: SELinux denied access requested by soffice. It is not expected that this access is required by soffice and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./soffice.bin, restorecon -v './soffice.bin' If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c102 3 Target Context system_u:object_r:openoffice_exec_t:s0 Target Objects ./soffice.bin [ file ] Source soffice Source Path /bin/bash Port <Unknown> Host ethanol Source RPM Packages bash-3.2-28.fc10 Target RPM Packages Policy RPM selinux-policy-3.5.13-8.fc10 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall_file Host Name ethanol Platform Linux ethanol 2.6.27.4-58.fc10.i686 #1 SMP Mon Oct 27 18:21:44 EDT 2008 i686 i686 Alert Count 1 First Seen Wed 29 Oct 2008 02:32:23 PM MDT Last Seen Wed 29 Oct 2008 02:32:23 PM MDT Local ID ba2abd70-18c3-45fc-a719-244ab4a10ec8 Line Numbers Raw Audit Messages node=ethanol type=AVC msg=audit(1225312343.325:234): avc: denied { execute } for pid=17496 comm="soffice" name="soffice.bin" dev=dm-0 ino=2433331 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:openoffice_exec_t:s0 tclass=file node=ethanol type=SYSCALL msg=audit(1225312343.325:234): arch=40000003 syscall=11 success=no exit=-13 a0=9c242a8 a1=9c23c38 a2=9c24520 a3=0 items=0 ppid=17488 pid=17496 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=18 comm="soffice" exe="/bin/bash" subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null)
Why is openoffice running as a plugin. This is not advisable, it should not run under nspluginwrapper.
As with bug 469092, I have no idea. I didn't setup anything manually; whatever was setup as part of the normal install process is what led to this.
Could you check what plugins you have installed? rpm -qa \*plug\*
gstreamer-plugins-farsight-0.12.9-3.fc10.i386 plymouth-plugin-solar-0.6.0-0.2008.10.27.5.fc10.i386 gstreamer-plugins-flumpegdemux-0.10.15-4.fc10.i386 anaconda-yum-plugins-1.0-3.fc10.noarch nspluginwrapper-1.1.2-4.fc10.i386 gstreamer-plugins-good-0.10.11-1.fc10.i386 flash-plugin-9.0.124.0-release.i386 totem-mozplugin-2.24.3-1.fc10.i386 PackageKit-yum-plugin-0.3.9-1.fc10.i386 alsa-plugins-pulseaudio-1.0.18-1.rc3.fc10.i386 plymouth-plugin-label-0.6.0-0.2008.10.27.5.fc10.i386 plymouth-plugin-spinfinity-0.6.0-0.2008.10.27.5.fc10.i386 PackageKit-gstreamer-plugin-0.3.9-1.fc10.i386 mozplugger-1.10.1-3.fc10.i386 libmodplug-0.8.4-3.fc9.i386 gstreamer-plugins-base-0.10.21-2.fc10.i386 setroubleshoot-plugins-2.0.10-1.fc10.noarch java-1.6.0-openjdk-plugin-1.6.0.0-1.1.b12.fc10.i386
The problem is mozplugger If you yum remove this package everything will work.
So, I can do that, but then it becomes a question of "non-sucky defaults". Does it make sense to install mozplugger by default (for whatever other reasons)? If yes, then either it needs to be fixed to not run OO.o as a plugin or the SELinux policy needs to be adjusted so users don't become frustrated. If no, then we should stop installing it on a default F10 install. Thoughts?
I just opened a bugzilla on it. # rpm -q --whatrequires mozplugger no package requires mozplugger Nothing requires it so it must have gotten added to the base package.
This bug has been triaged
*** This bug has been marked as a duplicate of bug 469092 ***