Bug 469095 - SELinux is preventing soffice (nsplugin_t) "execute" to ./soffice.bin (openoffice_exec_t).
SELinux is preventing soffice (nsplugin_t) "execute" to ./soffice.bin (openof...
Status: CLOSED DUPLICATE of bug 469092
Product: Fedora
Classification: Fedora
Component: mozplugger (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Ngo Than
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-10-29 16:39 EDT by Alex Chiang
Modified: 2008-11-04 08:47 EST (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-11-04 08:47:44 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Alex Chiang 2008-10-29 16:39:45 EDT
Summary:

SELinux is preventing soffice (nsplugin_t) "execute" to ./soffice.bin
(openoffice_exec_t).

Detailed Description:

SELinux denied access requested by soffice. It is not expected that this access
is required by soffice and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./soffice.bin,

restorecon -v './soffice.bin'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c102
                              3
Target Context                system_u:object_r:openoffice_exec_t:s0
Target Objects                ./soffice.bin [ file ]
Source                        soffice
Source Path                   /bin/bash
Port                          <Unknown>
Host                          ethanol
Source RPM Packages           bash-3.2-28.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-8.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     ethanol
Platform                      Linux ethanol 2.6.27.4-58.fc10.i686 #1 SMP Mon Oct
                              27 18:21:44 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Wed 29 Oct 2008 02:32:23 PM MDT
Last Seen                     Wed 29 Oct 2008 02:32:23 PM MDT
Local ID                      ba2abd70-18c3-45fc-a719-244ab4a10ec8
Line Numbers                  

Raw Audit Messages            

node=ethanol type=AVC msg=audit(1225312343.325:234): avc:  denied  { execute } for  pid=17496 comm="soffice" name="soffice.bin" dev=dm-0 ino=2433331 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:openoffice_exec_t:s0 tclass=file

node=ethanol type=SYSCALL msg=audit(1225312343.325:234): arch=40000003 syscall=11 success=no exit=-13 a0=9c242a8 a1=9c23c38 a2=9c24520 a3=0 items=0 ppid=17488 pid=17496 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=18 comm="soffice" exe="/bin/bash" subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null)
Comment 1 Daniel Walsh 2008-10-30 14:02:03 EDT
Why is openoffice running as a plugin.  This is not advisable, it should not run under nspluginwrapper.
Comment 2 Alex Chiang 2008-10-30 14:50:00 EDT
As with bug 469092, I have no idea. I didn't setup anything manually; whatever was setup as part of the normal install process is what led to this.
Comment 3 Daniel Walsh 2008-10-30 15:05:47 EDT
Could you check what plugins you have installed?

rpm -qa \*plug\*
Comment 4 Alex Chiang 2008-10-30 16:03:02 EDT
gstreamer-plugins-farsight-0.12.9-3.fc10.i386
plymouth-plugin-solar-0.6.0-0.2008.10.27.5.fc10.i386
gstreamer-plugins-flumpegdemux-0.10.15-4.fc10.i386
anaconda-yum-plugins-1.0-3.fc10.noarch
nspluginwrapper-1.1.2-4.fc10.i386
gstreamer-plugins-good-0.10.11-1.fc10.i386
flash-plugin-9.0.124.0-release.i386
totem-mozplugin-2.24.3-1.fc10.i386
PackageKit-yum-plugin-0.3.9-1.fc10.i386
alsa-plugins-pulseaudio-1.0.18-1.rc3.fc10.i386
plymouth-plugin-label-0.6.0-0.2008.10.27.5.fc10.i386
plymouth-plugin-spinfinity-0.6.0-0.2008.10.27.5.fc10.i386
PackageKit-gstreamer-plugin-0.3.9-1.fc10.i386
mozplugger-1.10.1-3.fc10.i386
libmodplug-0.8.4-3.fc9.i386
gstreamer-plugins-base-0.10.21-2.fc10.i386
setroubleshoot-plugins-2.0.10-1.fc10.noarch
java-1.6.0-openjdk-plugin-1.6.0.0-1.1.b12.fc10.i386
Comment 5 Daniel Walsh 2008-10-30 16:24:27 EDT
The problem is mozplugger

If you yum remove this package everything will work.
Comment 6 Alex Chiang 2008-10-30 16:31:05 EDT
So, I can do that, but then it becomes a question of "non-sucky defaults".

Does it make sense to install mozplugger by default (for whatever other reasons)?

If yes, then either it needs to be fixed to not run OO.o as a plugin or the SELinux policy needs to be adjusted so users don't become frustrated.

If no, then we should stop installing it on a default F10 install.

Thoughts?
Comment 7 Daniel Walsh 2008-10-30 16:40:26 EDT
I just opened a bugzilla on it.

# rpm -q --whatrequires mozplugger
no package requires mozplugger

Nothing requires it so it must have gotten added to the base package.
Comment 8 Brennan Ashton 2008-11-03 23:52:38 EST
This bug has been triaged
Comment 9 Daniel Walsh 2008-11-04 08:47:44 EST

*** This bug has been marked as a duplicate of bug 469092 ***

Note You need to log in before you can comment on or make changes to this bug.