Bug 473933 - incorrect context for icedtea-plugin-to-appletviewer, denying npviewer.bin (nspluginwrapper)
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 10
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2008-12-01 14:29 UTC by Karsten Wade
Modified: 2008-12-05 13:35 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-12-04 07:53:23 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)
Output of 'rpm -qlp selinux-policy-3.5.13-26.fc10.noarch.rpm' (16.65 KB, text/plain)
2008-12-04 02:51 UTC, Karsten Wade

Description Karsten Wade 2008-12-01 14:29:44 UTC
SELinux policy is denying nspluginwrapper access to /home/kwade/.icedteaplugin/icedtea-plugin-to-appletviewer.  However, policy does not have a special context for that file -- after running 'restorecon', the context remains the same.  It is also not clear to me what context to set the file to so I can do it manually.

[kwade@calliope ~]$ ls -Z /home/kwade/.icedteaplugin/icedtea-plugin-to-appletviewer
prwx------  kwade kwade unconfined_u:object_r:user_home_t:s0 /home/kwade/.icedteaplugin/icedtea-plugin-to-appletviewer
[kwade@calliope ~]$ restorecon -v /home/kwade/.icedteaplugin/icedtea-plugin-to-appletviewer
[kwade@calliope ~]$ ls -Z /home/kwade/.icedteaplugin/icedtea-plugin-to-appletviewer
prwx------  kwade kwade unconfined_u:object_r:user_home_t:s0 /home/kwade/.icedteaplugin/icedtea-plugin-to-appletviewer


Summary:

SELinux is preventing the npviewer.bin from using potentially mislabeled files
(/home/kwade/.icedteaplugin/icedtea-plugin-to-appletviewer).

Detailed Description:

SELinux has denied npviewer.bin access to potentially mislabeled file(s)
(/home/kwade/.icedteaplugin/icedtea-plugin-to-appletviewer). This means that
SELinux will not allow npviewer.bin to use these files. It is common for users
to edit files in their home directory or tmp directories and then move (mv) them
to system directories. The problem is that the files end up with the wrong file
context which confined applications are not allowed to access.

Allowing Access:

If you want npviewer.bin to access this files, you need to relabel them using
restorecon -v '/home/kwade/.icedteaplugin/icedtea-plugin-to-appletviewer'. You
might want to relabel the entire directory using restorecon -R -v '<Unknown>'.

Additional Information:

Source Context                unconfined_u:unconfined_r:nsplugin_t:s0
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                /home/kwade/.icedteaplugin/icedtea-plugin-to-
                              appletviewer [ fifo_file ]
Source                        npviewer.bin
Source Path                   /usr/lib/nspluginwrapper/npviewer.bin
Port                          <Unknown>
Host                          calliope.phig.org
Source RPM Packages           nspluginwrapper-1.1.2-4.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-18.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     calliope.phig.org
Platform                      Linux calliope.phig.org 2.6.27.5-117.fc10.i686 #1
                              SMP Tue Nov 18 12:19:59 EST 2008 i686 i686
Alert Count                   55
First Seen                    Mon 01 Dec 2008 05:42:39 AM PST
Last Seen                     Mon 01 Dec 2008 05:49:06 AM PST
Local ID                      a5b52786-161a-44ad-b235-73481fdffafc
Line Numbers                  

Raw Audit Messages            

node=calliope.phig.org type=AVC msg=audit(1228139346.346:113): avc:  denied  { write } for  pid=5904 comm="npviewer.bin" path="/home/kwade/.icedteaplugin/icedtea-plugin-to-appletviewer" dev=dm-4 ino=3655548 scontext=unconfined_u:unconfined_r:nsplugin_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=fifo_file

node=calliope.phig.org type=AVC msg=audit(1228139346.346:113): avc:  denied  { read } for  pid=5904 comm="npviewer.bin" path="/home/kwade/.icedteaplugin/icedtea-appletviewer-to-plugin" dev=dm-4 ino=3654846 scontext=unconfined_u:unconfined_r:nsplugin_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=fifo_file

node=calliope.phig.org type=SYSCALL msg=audit(1228139346.346:113): arch=40000003 syscall=11 success=yes exit=0 a0=8ccda78 a1=8cce300 a2=8ccd350 a3=0 items=0 ppid=4421 pid=5904 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="npviewer.bin" exe="/usr/lib/nspluginwrapper/npviewer.bin" subj=unconfined_u:unconfined_r:nsplugin_t:s0 key=(null)

Comment 1 Daniel Walsh 2008-12-01 18:38:41 UTC
Fixed in selinux-policy-3.5.13-26.fc10.

Upgrade policy and run 

restorecon -R -v /home

Comment 2 Karsten Wade 2008-12-02 07:21:51 UTC
I've loaded that policy (and had to reboot into it several times); also ran restorecon multiple times; still receiving the same/similar AVC denial.  The files stubbornly remain with the incorrect context.  Am I missing something obvious?

ls -Z ../.icedteaplugin/icedtea-*
prwx------  kwade kwade unconfined_u:object_r:user_home_t:s0 ../.icedteaplugin/icedtea-appletviewer-to-plugin
prwx------  kwade kwade unconfined_u:object_r:user_home_t:s0 ../.icedteaplugin/icedtea-plugin-to-appletviewer
[kwade@calliope Desktop]$ restorecon -v ../.icedteaplugin/icedtea-*
[kwade@calliope Desktop]$ ls -Z ../.icedteaplugin/icedtea-*
prwx------  kwade kwade unconfined_u:object_r:user_home_t:s0 ../.icedteaplugin/icedtea-appletviewer-to-plugin
prwx------  kwade kwade unconfined_u:object_r:user_home_t:s0 ../.icedteaplugin/icedtea-plugin-to-appletviewer


Summary:

SELinux is preventing the npviewer.bin from using potentially mislabeled files
(/home/kwade/.icedteaplugin/icedtea-plugin-to-appletviewer).

Detailed Description:

SELinux has denied npviewer.bin access to potentially mislabeled file(s)
(/home/kwade/.icedteaplugin/icedtea-plugin-to-appletviewer). This means that
SELinux will not allow npviewer.bin to use these files. It is common for users
to edit files in their home directory or tmp directories and then move (mv) them
to system directories. The problem is that the files end up with the wrong file
context which confined applications are not allowed to access.

Allowing Access:

If you want npviewer.bin to access this files, you need to relabel them using
restorecon -v '/home/kwade/.icedteaplugin/icedtea-plugin-to-appletviewer'. You
might want to relabel the entire directory using restorecon -R -v '<Unknown>'.

Additional Information:

Source Context                unconfined_u:unconfined_r:nsplugin_t:s0
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                /home/kwade/.icedteaplugin/icedtea-plugin-to-
                              appletviewer [ fifo_file ]
Source                        npviewer.bin
Source Path                   /usr/lib/nspluginwrapper/npviewer.bin
Port                          <Unknown>
Host                          calliope.phig.org
Source RPM Packages           nspluginwrapper-1.1.2-4.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-26.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   home_tmp_bad_labels
Host Name                     calliope.phig.org
Platform                      Linux calliope.phig.org 2.6.27.5-117.fc10.i686 #1
                              SMP Tue Nov 18 12:19:59 EST 2008 i686 i686
Alert Count                   107
First Seen                    Mon 01 Dec 2008 05:42:39 AM PST
Last Seen                     Mon 01 Dec 2008 11:04:02 PM PST
Local ID                      a5b52786-161a-44ad-b235-73481fdffafc
Line Numbers                  

Raw Audit Messages            

node=calliope.phig.org type=AVC msg=audit(1228201442.38:76): avc:  denied  { write } for  pid=4930 comm="npviewer.bin" path="/home/kwade/.icedteaplugin/icedtea-plugin-to-appletviewer" dev=dm-4 ino=1048621 scontext=unconfined_u:unconfined_r:nsplugin_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=fifo_file

node=calliope.phig.org type=AVC msg=audit(1228201442.38:76): avc:  denied  { read } for  pid=4930 comm="npviewer.bin" path="/home/kwade/.icedteaplugin/icedtea-appletviewer-to-plugin" dev=dm-4 ino=1048620 scontext=unconfined_u:unconfined_r:nsplugin_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=fifo_file

node=calliope.phig.org type=SYSCALL msg=audit(1228201442.38:76): arch=40000003 syscall=11 success=yes exit=0 a0=8425020 a1=84250b8 a2=8422308 a3=0 items=0 ppid=4417 pid=4930 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="npviewer.bin" exe="/usr/lib/nspluginwrapper/npviewer.bin" subj=unconfined_u:unconfined_r:nsplugin_t:s0 key=(null)

Comment 3 Daniel Walsh 2008-12-02 13:54:56 UTC
$ matchpathcon ~/.icedteaplugin
/home/devel/dwalsh/.icedteaplugin	system_u:object_r:nsplugin_home_t:s0
$ rpm -q selinux-policy
selinux-policy-3.5.13-26.fc10.noarch

Comment 4 Karsten Wade 2008-12-03 16:58:02 UTC
Yeah, this is odd.

[kwade@calliope Desktop]$ matchpathcon ~/.icedteaplugin/
/home/kwade/.icedteaplugin/	system_u:object_r:user_home_t:s0
[kwade@calliope Desktop]$ rpm -q selinux-policy
selinux-policy-3.5.13-26.fc10.noarch
[kwade@calliope Desktop]$ restorecon -v ~/.icedteaplugin
[kwade@calliope Desktop]$ matchpathcon ~/.icedteaplugin/
/home/kwade/.icedteaplugin/	system_u:object_r:user_home_t:s0
[kwade@calliope Desktop]$ sudo restorecon -v ~/.icedteaplugin
[kwade@calliope Desktop]$ matchpathcon ~/.icedteaplugin/
/home/kwade/.icedteaplugin/	system_u:object_r:user_home_t:s0
[kwade@calliope Desktop]$ ls -Z ~/.icedteaplugin/
prwx------  kwade kwade unconfined_u:object_r:user_home_t:s0 icedtea-appletviewer-to-plugin
prwx------  kwade kwade unconfined_u:object_r:user_home_t:s0 icedtea-plugin-to-appletviewer

So ... I can chcon manually, but something must be wrong that I'm not seeing.

When I installed this new policy, I ran restorecon on /.  I received a large number of avc denials (437) with a summary of:

  SELinux is preventing restorecon (setfiles_t) "net_admin" setfiles_t.

Should I flip the bit to relabel the file system then reboot?

Comment 5 Daniel Walsh 2008-12-03 22:26:01 UTC
I am not sure you have the policy fully updated, could you try to reinstall the package and see if anything goes wrong?

# grep icedtea /etc/selinux/targeted/contexts/files/*
/etc/selinux/targeted/contexts/files/file_contexts.homedirs:/home/[^/]*/\.icedteaplugin(/.*)?	system_u:object_r:nsplugin_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs:/home/pwalsh/[^/]*/\.icedteaplugin(/.*)?	system_u:object_r:nsplugin_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs:/usr/lib/oracle/[^/]*/\.icedteaplugin(/.*)?	system_u:object_r:nsplugin_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs:/home/dwalsh/\.icedteaplugin(/.*)?	system_u:object_r:nsplugin_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs:/root/\.icedteaplugin(/.*)?	system_u:object_r:nsplugin_home_t:s0

Comment 6 Karsten Wade 2008-12-04 02:48:18 UTC
I ran 'yum reinstall selinux-policy'; I had the package from testing and this got it from updates.  Nothing is different with the policy after the reinstall.

* A search as in comment #5 turns up no result
* 'matchpathcon' still says user_home_t

I pulled down a copy of the RPM for review and it is a bit strange.  There are no contents in the included /etc directory (0 bytes), while the /usr has 6.3 MiB.

http://mirrors.kernel.org/fedora/updates/10/i386/selinux-policy-3.5.13-26.fc10.noarch.rpm

I'll attach separately a run of 'rpm -qlp' on that package, you can see /etc/selinux/targeted tree is not there.  I see the same thing in packages from other mirrors.

Comment 7 Karsten Wade 2008-12-04 02:51:02 UTC
Created attachment 325628 [details]
Output of 'rpm -qlp selinux-policy-3.5.13-26.fc10.noarch.rpm'

Comment 8 Karsten Wade 2008-12-04 07:53:23 UTC
Feeling a mixture of stupid and confused.  The solution is here in the bug -- I was only updating 'selinux-policy' and hadn't yet updated 'selinux-policy-targeted'.  The confusion is, why didn't that get grabbed when I did 'yum --enablerepo=updates-testing selinux-policy'?

I happened to run a full system update tonight and saw that 'selinux-policy-targeted' was set to update.  It hit me immediately and I ran matchpathcon before and after the update, then restorecon:

[kwade@calliope ~]$ matchpathcon /home/kwade/.icedteaplugin/
/home/kwade/.icedteaplugin/	system_u:object_r:user_home_t:s0
[kwade@calliope ~]$ matchpathcon /home/kwade/.icedteaplugin/
/home/kwade/.icedteaplugin/	system_u:object_r:nsplugin_home_t:s0
[kwade@calliope ~]$ restorecon -R -v ~/.icedteaplugin/
restorecon reset /home/kwade/.icedteaplugin context unconfined_u:object_r:user_home_t:s0->system_u:object_r:nsplugin_home_t:s0
restorecon reset /home/kwade/.icedteaplugin/icedtea-plugin-to-appletviewer context unconfined_u:object_r:user_home_t:s0->system_u:object_r:nsplugin_home_t:s0
restorecon reset /home/kwade/.icedteaplugin/icedtea-appletviewer-to-plugin context unconfined_u:object_r:user_home_t:s0->system_u:object_r:nsplugin_home_t:s0

Tested with a plugin in Firefox, no AVC denials.  All is victory!  Problem here solved, closing the bug, thanks.

Still, isn't it strange that I could have a different 'selinux-policy' package than the actual policy package?  Not that they couldn't interoperate, just that it was possible for them to be different by version without a dependency error?  Even the yum reinstall didn't catch the mismatch of versions between the two packages.

Comment 9 Karsten Wade 2008-12-05 00:54:44 UTC
Not sure if I should reopen this bug or start a new one, but ... I just restarted Firefox with multiple tabs and received 40+ errors, this time with an apparently correct target context!

I was certain it was working before, but probably not.  Running restorecon right now does not relabel.

[kwade@calliope .icedteaplugin]$ restorecon -Rv *
[kwade@calliope .icedteaplugin]$ ls -Z
prwx------  kwade kwade unconfined_u:object_r:nsplugin_home_t:s0 icedtea-appletviewer-to-plugin
prwx------  kwade kwade unconfined_u:object_r:nsplugin_home_t:s0 icedtea-plugin-to-appletviewer


Summary:

SELinux is preventing the npviewer.bin from using potentially mislabeled files
(/home/kwade/.icedteaplugin/icedtea-plugin-to-appletviewer).

Detailed Description:

SELinux has denied npviewer.bin access to potentially mislabeled file(s)
(/home/kwade/.icedteaplugin/icedtea-plugin-to-appletviewer). This means that
SELinux will not allow npviewer.bin to use these files. It is common for users
to edit files in their home directory or tmp directories and then move (mv) them
to system directories. The problem is that the files end up with the wrong file
context which confined applications are not allowed to access.

Allowing Access:

If you want npviewer.bin to access this files, you need to relabel them using
restorecon -v '/home/kwade/.icedteaplugin/icedtea-plugin-to-appletviewer'. You
might want to relabel the entire directory using restorecon -R -v '<Unknown>'.

Additional Information:

Source Context                unconfined_u:unconfined_r:nsplugin_t:s0
Target Context                unconfined_u:object_r:nsplugin_home_t:s0
Target Objects                /home/kwade/.icedteaplugin/icedtea-plugin-to-
                              appletviewer [ fifo_file ]
Source                        npviewer.bin
Source Path                   /usr/lib/nspluginwrapper/npviewer.bin
Port                          <Unknown>
Host                          calliope.phig.org
Source RPM Packages           nspluginwrapper-1.1.2-4.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-26.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     calliope.phig.org
Platform                      Linux calliope.phig.org 2.6.27.5-117.fc10.i686 #1
                              SMP Tue Nov 18 12:19:59 EST 2008 i686 i686
Alert Count                   42
First Seen                    Thu 04 Dec 2008 04:35:11 PM PST
Last Seen                     Thu 04 Dec 2008 04:44:19 PM PST
Local ID                      df0a41c0-a163-44e7-adea-b7bd67ad5463
Line Numbers                  

Raw Audit Messages            

node=calliope.phig.org type=AVC msg=audit(1228437859.826:3337): avc:  denied  { write } for  pid=10110 comm="npviewer.bin" path="/home/kwade/.icedteaplugin/icedtea-plugin-to-appletviewer" dev=dm-4 ino=7094340 scontext=unconfined_u:unconfined_r:nsplugin_t:s0 tcontext=unconfined_u:object_r:nsplugin_home_t:s0 tclass=fifo_file

node=calliope.phig.org type=AVC msg=audit(1228437859.826:3337): avc:  denied  { read } for  pid=10110 comm="npviewer.bin" path="/home/kwade/.icedteaplugin/icedtea-appletviewer-to-plugin" dev=dm-4 ino=7094326 scontext=unconfined_u:unconfined_r:nsplugin_t:s0 tcontext=unconfined_u:object_r:nsplugin_home_t:s0 tclass=fifo_file

node=calliope.phig.org type=SYSCALL msg=audit(1228437859.826:3337): arch=40000003 syscall=11 success=yes exit=0 a0=8da6450 a1=8da6a60 a2=8da65b8 a3=0 items=0 ppid=8851 pid=10110 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="npviewer.bin" exe="/usr/lib/nspluginwrapper/npviewer.bin" subj=unconfined_u:unconfined_r:nsplugin_t:s0 key=(null)

Comment 10 Daniel Walsh 2008-12-05 13:35:43 UTC
Ok, adding the ability for nsplugin to manage fifo and sock files in the nsplugin_home_t.

Fixed in selinux-policy-3.5.13-33.fc10.src.rpm
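The thread above shows two different kinds of AVC denial on the same FIFOs: the early ones (comments 1-8) were a labeling problem fixed by restorecon once the right policy package was installed, while the final ones (comments 9-10) had the correct nsplugin_home_t label and needed a policy rule instead. The following triage helper, added here as an illustration and not part of the bug or of selinux-policy, parses the raw audit lines quoted in the bug and tells the two cases apart by comparing the denied target's type with the type a file_contexts entry expects. The generic /home fallback entry and the "last matching entry wins" rule are simplifications assumed for the example; the real file_contexts ordering in libselinux is more involved.

```python
import re

# Constructed file_contexts table (type only). The .icedteaplugin entry is the one
# shown in comment 5; the generic home fallback is an assumed entry for the example.
FILE_CONTEXTS = [
    (r"/home/[^/]*/.*", "user_home_t"),
    (r"/home/[^/]*/\.icedteaplugin(/.*)?", "nsplugin_home_t"),
]

# Audit records copied from the bug (comment 2 and comment 9) plus one SYSCALL line.
AVC_MISLABELED = ('node=calliope.phig.org type=AVC msg=audit(1228201442.38:76): avc:  denied  '
                  '{ write } for  pid=4930 comm="npviewer.bin" '
                  'path="/home/kwade/.icedteaplugin/icedtea-plugin-to-appletviewer" dev=dm-4 '
                  'ino=1048621 scontext=unconfined_u:unconfined_r:nsplugin_t:s0 '
                  'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=fifo_file')
AVC_CORRECT_LABEL = ('node=calliope.phig.org type=AVC msg=audit(1228437859.826:3337): avc:  denied  '
                     '{ write } for  pid=10110 comm="npviewer.bin" '
                     'path="/home/kwade/.icedteaplugin/icedtea-plugin-to-appletviewer" dev=dm-4 '
                     'ino=7094340 scontext=unconfined_u:unconfined_r:nsplugin_t:s0 '
                     'tcontext=unconfined_u:object_r:nsplugin_home_t:s0 tclass=fifo_file')
SYSCALL_LINE = ('node=calliope.phig.org type=SYSCALL msg=audit(1228437859.826:3337): '
                'arch=40000003 syscall=11 success=yes exit=0 comm="npviewer.bin"')

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perm>[^}]+)\} .*?path="(?P<path>[^"]+)".*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')


def expected_type(path, contexts=FILE_CONTEXTS):
    """Simplified matchpathcon: the last matching file_contexts entry wins (assumption)."""
    etype = None
    for regex, seltype in contexts:
        if re.fullmatch(regex, path):
            etype = seltype
    return etype


def parse_avc(line):
    """Extract permission, path, contexts and class from one AVC denial; None otherwise."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["perm"] = rec["perm"].strip()
    rec["ttype"] = rec["tcontext"].split(":")[2]  # user:role:TYPE:level
    return rec


def triage(line):
    """'relabel' if the object carries a label policy does not expect (run restorecon),
    'policy' if the label is already right (the rule itself is missing), None if not an AVC."""
    rec = parse_avc(line)
    if rec is None:
        return None
    exp = expected_type(rec["path"])
    if exp is not None and exp != rec["ttype"]:
        return "relabel"
    return "policy"
```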

