SELinux policy is denying nspluginwrapper access to /home/kwade/.icedteaplugin/icedtea-plugin-to-appletviewer. However, policy does not have a special context for that file -- after running 'restorecon', the context remains the same. It is also not clear to me what context to set the file to so I can do it manually.

[kwade@calliope ~]$ ls -Z /home/kwade/.icedteaplugin/icedtea-plugin-to-appletviewer
prwx------ kwade kwade unconfined_u:object_r:user_home_t:s0 /home/kwade/.icedteaplugin/icedtea-plugin-to-appletviewer
[kwade@calliope ~]$ restorecon -v /home/kwade/.icedteaplugin/icedtea-plugin-to-appletviewer
[kwade@calliope ~]$ ls -Z /home/kwade/.icedteaplugin/icedtea-plugin-to-appletviewer
prwx------ kwade kwade unconfined_u:object_r:user_home_t:s0 /home/kwade/.icedteaplugin/icedtea-plugin-to-appletviewer

Summary:

SELinux is preventing the npviewer.bin from using potentially mislabeled files (/home/kwade/.icedteaplugin/icedtea-plugin-to-appletviewer).

Detailed Description:

SELinux has denied npviewer.bin access to potentially mislabeled file(s) (/home/kwade/.icedteaplugin/icedtea-plugin-to-appletviewer). This means that SELinux will not allow npviewer.bin to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access.

Allowing Access:

If you want npviewer.bin to access this files, you need to relabel them using restorecon -v '/home/kwade/.icedteaplugin/icedtea-plugin-to-appletviewer'. You might want to relabel the entire directory using restorecon -R -v '<Unknown>'.

Additional Information:

Source Context                unconfined_u:unconfined_r:nsplugin_t:s0
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                /home/kwade/.icedteaplugin/icedtea-plugin-to-appletviewer [ fifo_file ]
Source                        npviewer.bin
Source Path                   /usr/lib/nspluginwrapper/npviewer.bin
Port                          <Unknown>
Host                          calliope.phig.org
Source RPM Packages           nspluginwrapper-1.1.2-4.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-18.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     calliope.phig.org
Platform                      Linux calliope.phig.org 2.6.27.5-117.fc10.i686 #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 i686
Alert Count                   55
First Seen                    Mon 01 Dec 2008 05:42:39 AM PST
Last Seen                     Mon 01 Dec 2008 05:49:06 AM PST
Local ID                      a5b52786-161a-44ad-b235-73481fdffafc
Line Numbers

Raw Audit Messages

node=calliope.phig.org type=AVC msg=audit(1228139346.346:113): avc: denied { write } for pid=5904 comm="npviewer.bin" path="/home/kwade/.icedteaplugin/icedtea-plugin-to-appletviewer" dev=dm-4 ino=3655548 scontext=unconfined_u:unconfined_r:nsplugin_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=fifo_file

node=calliope.phig.org type=AVC msg=audit(1228139346.346:113): avc: denied { read } for pid=5904 comm="npviewer.bin" path="/home/kwade/.icedteaplugin/icedtea-appletviewer-to-plugin" dev=dm-4 ino=3654846 scontext=unconfined_u:unconfined_r:nsplugin_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=fifo_file

node=calliope.phig.org type=SYSCALL msg=audit(1228139346.346:113): arch=40000003 syscall=11 success=yes exit=0 a0=8ccda78 a1=8cce300 a2=8ccd350 a3=0 items=0 ppid=4421 pid=5904 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="npviewer.bin" exe="/usr/lib/nspluginwrapper/npviewer.bin" subj=unconfined_u:unconfined_r:nsplugin_t:s0 key=(null)
Fixed in selinux-policy-3.5.13-26.fc10. Upgrade policy and run:

restorecon -R -v /home
I've loaded that policy (and had to reboot into it several times); also ran restorecon multiple times; still receiving the same/similar AVC denial. The files stubbornly remain with the incorrect context. Am I missing something obvious?

[kwade@calliope Desktop]$ ls -Z ../.icedteaplugin/icedtea-*
prwx------ kwade kwade unconfined_u:object_r:user_home_t:s0 ../.icedteaplugin/icedtea-appletviewer-to-plugin
prwx------ kwade kwade unconfined_u:object_r:user_home_t:s0 ../.icedteaplugin/icedtea-plugin-to-appletviewer
[kwade@calliope Desktop]$ restorecon -v ../.icedteaplugin/icedtea-*
[kwade@calliope Desktop]$ ls -Z ../.icedteaplugin/icedtea-*
prwx------ kwade kwade unconfined_u:object_r:user_home_t:s0 ../.icedteaplugin/icedtea-appletviewer-to-plugin
prwx------ kwade kwade unconfined_u:object_r:user_home_t:s0 ../.icedteaplugin/icedtea-plugin-to-appletviewer

Summary:

SELinux is preventing the npviewer.bin from using potentially mislabeled files (/home/kwade/.icedteaplugin/icedtea-plugin-to-appletviewer).

Detailed Description:

SELinux has denied npviewer.bin access to potentially mislabeled file(s) (/home/kwade/.icedteaplugin/icedtea-plugin-to-appletviewer). This means that SELinux will not allow npviewer.bin to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access.

Allowing Access:

If you want npviewer.bin to access this files, you need to relabel them using restorecon -v '/home/kwade/.icedteaplugin/icedtea-plugin-to-appletviewer'. You might want to relabel the entire directory using restorecon -R -v '<Unknown>'.

Additional Information:

Source Context                unconfined_u:unconfined_r:nsplugin_t:s0
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                /home/kwade/.icedteaplugin/icedtea-plugin-to-appletviewer [ fifo_file ]
Source                        npviewer.bin
Source Path                   /usr/lib/nspluginwrapper/npviewer.bin
Port                          <Unknown>
Host                          calliope.phig.org
Source RPM Packages           nspluginwrapper-1.1.2-4.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-26.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   home_tmp_bad_labels
Host Name                     calliope.phig.org
Platform                      Linux calliope.phig.org 2.6.27.5-117.fc10.i686 #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 i686
Alert Count                   107
First Seen                    Mon 01 Dec 2008 05:42:39 AM PST
Last Seen                     Mon 01 Dec 2008 11:04:02 PM PST
Local ID                      a5b52786-161a-44ad-b235-73481fdffafc
Line Numbers

Raw Audit Messages

node=calliope.phig.org type=AVC msg=audit(1228201442.38:76): avc: denied { write } for pid=4930 comm="npviewer.bin" path="/home/kwade/.icedteaplugin/icedtea-plugin-to-appletviewer" dev=dm-4 ino=1048621 scontext=unconfined_u:unconfined_r:nsplugin_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=fifo_file

node=calliope.phig.org type=AVC msg=audit(1228201442.38:76): avc: denied { read } for pid=4930 comm="npviewer.bin" path="/home/kwade/.icedteaplugin/icedtea-appletviewer-to-plugin" dev=dm-4 ino=1048620 scontext=unconfined_u:unconfined_r:nsplugin_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=fifo_file

node=calliope.phig.org type=SYSCALL msg=audit(1228201442.38:76): arch=40000003 syscall=11 success=yes exit=0 a0=8425020 a1=84250b8 a2=8422308 a3=0 items=0 ppid=4417 pid=4930 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="npviewer.bin" exe="/usr/lib/nspluginwrapper/npviewer.bin" subj=unconfined_u:unconfined_r:nsplugin_t:s0 key=(null)
$ matchpathcon ~/.icedteaplugin
/home/devel/dwalsh/.icedteaplugin	system_u:object_r:nsplugin_home_t:s0
$ rpm -q selinux-policy
selinux-policy-3.5.13-26.fc10.noarch
Yeah, this is odd.

[kwade@calliope Desktop]$ matchpathcon ~/.icedteaplugin/
/home/kwade/.icedteaplugin/	system_u:object_r:user_home_t:s0
[kwade@calliope Desktop]$ rpm -q selinux-policy
selinux-policy-3.5.13-26.fc10.noarch
[kwade@calliope Desktop]$ restorecon -v ~/.icedteaplugin
[kwade@calliope Desktop]$ matchpathcon ~/.icedteaplugin/
/home/kwade/.icedteaplugin/	system_u:object_r:user_home_t:s0
[kwade@calliope Desktop]$ sudo restorecon -v ~/.icedteaplugin
[kwade@calliope Desktop]$ matchpathcon ~/.icedteaplugin/
/home/kwade/.icedteaplugin/	system_u:object_r:user_home_t:s0
[kwade@calliope Desktop]$ ls -Z ~/.icedteaplugin/
prwx------ kwade kwade unconfined_u:object_r:user_home_t:s0 icedtea-appletviewer-to-plugin
prwx------ kwade kwade unconfined_u:object_r:user_home_t:s0 icedtea-plugin-to-appletviewer

So ... I can chcon manually, but something must be wrong that I'm not seeing.

When I installed this new policy, I ran restorecon on /. I received a large number of avc denials (437) with a summary of:

SELinux is preventing restorecon (setfiles_t) "net_admin" setfiles_t.

Should I flip the bit to relabel the file system then reboot?
I am not sure you have the policy fully updated, could you try to reinstall the package and see if anything goes wrong?

# grep icedtea /etc/selinux/targeted/contexts/files/*
/etc/selinux/targeted/contexts/files/file_contexts.homedirs:/home/[^/]*/\.icedteaplugin(/.*)?	system_u:object_r:nsplugin_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs:/home/pwalsh/[^/]*/\.icedteaplugin(/.*)?	system_u:object_r:nsplugin_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs:/usr/lib/oracle/[^/]*/\.icedteaplugin(/.*)?	system_u:object_r:nsplugin_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs:/home/dwalsh/\.icedteaplugin(/.*)?	system_u:object_r:nsplugin_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs:/root/\.icedteaplugin(/.*)?	system_u:object_r:nsplugin_home_t:s0
I ran 'yum reinstall selinux-policy'; I had the package from testing and this got it from updates. Nothing is different with the policy after the reinstall.

* A search as in comment #5 turns up no result
* 'matchpathcon' still says user_home_t

I pulled down a copy of the RPM for review and it is a bit strange. There are no contents in the included /etc directory (0 bytes), while /usr has 6.3 MiB.

http://mirrors.kernel.org/fedora/updates/10/i386/selinux-policy-3.5.13-26.fc10.noarch.rpm

I'll attach separately a run of 'rpm -qlp' on that package; you can see the /etc/selinux/targeted tree is not there. I see the same thing in packages from other mirrors.
Created attachment 325628: Output of 'rpm -qlp selinux-policy-3.5.13-26.fc10.noarch.rpm'
Feeling a mixture of stupid and confused. The solution is here in the bug -- I was only updating 'selinux-policy' and hadn't yet updated 'selinux-policy-targeted'. The confusion is, why didn't that get grabbed when I did 'yum --enablerepo=updates-testing selinux-policy'?

I happened to run a full system update tonight and saw that 'selinux-policy-targeted' was set to update. It hit me immediately and I ran matchpathcon before and after the update, then restorecon:

[kwade@calliope ~]$ matchpathcon /home/kwade/.icedteaplugin/
/home/kwade/.icedteaplugin/	system_u:object_r:user_home_t:s0
[kwade@calliope ~]$ matchpathcon /home/kwade/.icedteaplugin/
/home/kwade/.icedteaplugin/	system_u:object_r:nsplugin_home_t:s0
[kwade@calliope ~]$ restorecon -R -v ~/.icedteaplugin/
restorecon reset /home/kwade/.icedteaplugin context unconfined_u:object_r:user_home_t:s0->system_u:object_r:nsplugin_home_t:s0
restorecon reset /home/kwade/.icedteaplugin/icedtea-plugin-to-appletviewer context unconfined_u:object_r:user_home_t:s0->system_u:object_r:nsplugin_home_t:s0
restorecon reset /home/kwade/.icedteaplugin/icedtea-appletviewer-to-plugin context unconfined_u:object_r:user_home_t:s0->system_u:object_r:nsplugin_home_t:s0

Tested with a plugin in Firefox, no AVC denials. All is victory! Problem here solved, closing the bug, thanks.

Still, isn't it strange that I could have a different 'selinux-policy' package than the actual policy package? Not that they couldn't interoperate, just that it was possible for them to be different by version without a dependency error? Even the yum reinstall didn't catch the mismatch of versions between the two packages.
Not sure if I should reopen this bug or start a new one, but ... I just restarted Firefox with multiple tabs and received 40+ errors, this time with an apparently correct target context! I was certain it was working before, but probably not. Running restorecon right now does not relabel.

[kwade@calliope .icedteaplugin]$ restorecon -Rv *
[kwade@calliope .icedteaplugin]$ ls -Z
prwx------ kwade kwade unconfined_u:object_r:nsplugin_home_t:s0 icedtea-appletviewer-to-plugin
prwx------ kwade kwade unconfined_u:object_r:nsplugin_home_t:s0 icedtea-plugin-to-appletviewer

Summary:

SELinux is preventing the npviewer.bin from using potentially mislabeled files (/home/kwade/.icedteaplugin/icedtea-plugin-to-appletviewer).

Detailed Description:

SELinux has denied npviewer.bin access to potentially mislabeled file(s) (/home/kwade/.icedteaplugin/icedtea-plugin-to-appletviewer). This means that SELinux will not allow npviewer.bin to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access.

Allowing Access:

If you want npviewer.bin to access this files, you need to relabel them using restorecon -v '/home/kwade/.icedteaplugin/icedtea-plugin-to-appletviewer'. You might want to relabel the entire directory using restorecon -R -v '<Unknown>'.

Additional Information:

Source Context                unconfined_u:unconfined_r:nsplugin_t:s0
Target Context                unconfined_u:object_r:nsplugin_home_t:s0
Target Objects                /home/kwade/.icedteaplugin/icedtea-plugin-to-appletviewer [ fifo_file ]
Source                        npviewer.bin
Source Path                   /usr/lib/nspluginwrapper/npviewer.bin
Port                          <Unknown>
Host                          calliope.phig.org
Source RPM Packages           nspluginwrapper-1.1.2-4.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-26.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     calliope.phig.org
Platform                      Linux calliope.phig.org 2.6.27.5-117.fc10.i686 #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 i686
Alert Count                   42
First Seen                    Thu 04 Dec 2008 04:35:11 PM PST
Last Seen                     Thu 04 Dec 2008 04:44:19 PM PST
Local ID                      df0a41c0-a163-44e7-adea-b7bd67ad5463
Line Numbers

Raw Audit Messages

node=calliope.phig.org type=AVC msg=audit(1228437859.826:3337): avc: denied { write } for pid=10110 comm="npviewer.bin" path="/home/kwade/.icedteaplugin/icedtea-plugin-to-appletviewer" dev=dm-4 ino=7094340 scontext=unconfined_u:unconfined_r:nsplugin_t:s0 tcontext=unconfined_u:object_r:nsplugin_home_t:s0 tclass=fifo_file

node=calliope.phig.org type=AVC msg=audit(1228437859.826:3337): avc: denied { read } for pid=10110 comm="npviewer.bin" path="/home/kwade/.icedteaplugin/icedtea-appletviewer-to-plugin" dev=dm-4 ino=7094326 scontext=unconfined_u:unconfined_r:nsplugin_t:s0 tcontext=unconfined_u:object_r:nsplugin_home_t:s0 tclass=fifo_file

node=calliope.phig.org type=SYSCALL msg=audit(1228437859.826:3337): arch=40000003 syscall=11 success=yes exit=0 a0=8da6450 a1=8da6a60 a2=8da65b8 a3=0 items=0 ppid=8851 pid=10110 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="npviewer.bin" exe="/usr/lib/nspluginwrapper/npviewer.bin" subj=unconfined_u:unconfined_r:nsplugin_t:s0 key=(null)
Ok. Adding the ability for nsplugin to manage fifo and sock files in nsplugin_home_t. Fixed in selinux-policy-3.5.13-33.fc10.src.rpm.
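The thread turns on one distinction that setroubleshoot's home_tmp_bad_labels plugin cannot make on its own: the early denials (tcontext user_home_t) were a labeling problem that restorecon fixes once the right file_contexts spec is installed, while the final denial (tcontext nsplugin_home_t, exactly what matchpathcon returns) means the label was already correct and the policy itself lacked an allow rule, which is what the -33 policy added. The triage script below is an added example, not code from the bug or from selinux-policy. It re-implements matchpathcon's matching over a small constructed excerpt of file_contexts.homedirs (the .icedteaplugin entry is copied from the grep in comment #5; the two generic home-directory entries are assumed defaults for illustration), parses the raw AVC records quoted in the comments, and reports for each denial whether a relabel would help or whether a policy change is needed.

```python
"""Triage SELinux AVC denials: mislabeled file vs. missing policy rule.

Added example, not part of the bug report. The file_contexts specs below
are a constructed excerpt; a real check would read
/etc/selinux/targeted/contexts/files/file_contexts* or call matchpathcon.
"""
import re
from typing import List, Optional

# Constructed file_contexts.homedirs excerpt. In file_contexts the LAST
# matching regex wins, so the more specific .icedteaplugin entry is listed
# after the generic home-directory fallbacks (the latter are assumed).
FILE_CONTEXT_SPECS = [
    (r"/home/[^/]*", "unconfined_u:object_r:user_home_dir_t:s0"),
    (r"/home/[^/]*/.+", "unconfined_u:object_r:user_home_t:s0"),
    (r"/home/[^/]*/\.icedteaplugin(/.*)?", "system_u:object_r:nsplugin_home_t:s0"),
]

# Sample audit records, copied from the bug comments: the first AVC has the
# wrong label (user_home_t), the SYSCALL record is not an AVC and must be
# skipped, the last AVC has the correct label (nsplugin_home_t).
SAMPLE_AUDIT = """\
node=calliope.phig.org type=AVC msg=audit(1228139346.346:113): avc: denied { write } for pid=5904 comm="npviewer.bin" path="/home/kwade/.icedteaplugin/icedtea-plugin-to-appletviewer" dev=dm-4 ino=3655548 scontext=unconfined_u:unconfined_r:nsplugin_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=fifo_file
node=calliope.phig.org type=SYSCALL msg=audit(1228139346.346:113): arch=40000003 syscall=11 success=yes exit=0 a0=8ccda78 a1=8cce300 a2=8ccd350 a3=0 items=0 ppid=4421 pid=5904 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="npviewer.bin" exe="/usr/lib/nspluginwrapper/npviewer.bin" subj=unconfined_u:unconfined_r:nsplugin_t:s0 key=(null)
node=calliope.phig.org type=AVC msg=audit(1228437859.826:3337): avc: denied { write } for pid=10110 comm="npviewer.bin" path="/home/kwade/.icedteaplugin/icedtea-plugin-to-appletviewer" dev=dm-4 ino=7094340 scontext=unconfined_u:unconfined_r:nsplugin_t:s0 tcontext=unconfined_u:object_r:nsplugin_home_t:s0 tclass=fifo_file
"""

# Fields of an AVC denial record; path= is optional because some denials
# carry name= instead.
AVC_RE = re.compile(
    r'type=AVC .*?avc: +denied +\{ (?P<perms>[^}]*)\} for .*?'
    r'comm="(?P<comm>[^"]*)"(?: +path="(?P<path>[^"]*)")?.*?'
    r'scontext=(?P<scontext>\S+) +tcontext=(?P<tcontext>\S+) +tclass=(?P<tclass>\S+)'
)


def parse_avc(line: str) -> Optional[dict]:
    """Return the fields of one AVC record, or None for non-AVC audit lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    return rec


def expected_context(path: str, specs=FILE_CONTEXT_SPECS) -> Optional[str]:
    """Mimic matchpathcon: the last spec whose regex matches the whole path wins."""
    winner = None
    for pattern, context in specs:
        if re.fullmatch(pattern, path):
            winner = context
    return winner


def context_type(ctx: str) -> str:
    """Type field of user:role:type:level. Only the type is compared below,
    because the SELinux user part of a file label (unconfined_u vs system_u)
    legitimately differs from the spec and is not what the denial is about."""
    return ctx.split(":")[2]


def classify(rec: dict, specs=FILE_CONTEXT_SPECS) -> dict:
    """Decide whether a relabel would help or whether the policy lacks a rule."""
    path = rec.get("path")
    expected = expected_context(path, specs) if path else None
    if expected is None:
        verdict = "unknown"
        action = "no file_contexts spec matches; check the path against matchpathcon"
    elif context_type(expected) != context_type(rec["tcontext"]):
        verdict = "mislabeled"
        action = "restorecon -v '%s' (expected type %s, found %s)" % (
            path, context_type(expected), context_type(rec["tcontext"]))
    else:
        verdict = "policy-gap"
        action = "label is correct; %s lacks { %s } on %s of type %s, policy needs an allow rule" % (
            context_type(rec["scontext"]), " ".join(rec["perms"]), rec["tclass"], context_type(expected))
    return {"path": path, "verdict": verdict, "action": action,
            "scontext": rec["scontext"], "tcontext": rec["tcontext"]}


def triage(audit_text: str, specs=FILE_CONTEXT_SPECS) -> List[dict]:
    """Classify every AVC record in a chunk of audit.log text."""
    results = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            results.append(classify(rec, specs))
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_AUDIT):
        print("%-10s %s\n  -> %s" % (r["verdict"], r["path"], r["action"]))
```

Run against the two AVC records quoted in the bug, the first is reported as "mislabeled" with a restorecon suggestion and the second as "policy-gap", matching how the thread actually resolved: the first denials went away after the policy packages were updated and restorecon run, the last one only after a new policy build. On a live system the constructed spec list would be replaced by the installed file_contexts files, and the type-only comparison deliberately ignores the user field, which is why the ls -Z output in the thread showing unconfined_u where matchpathcon prints system_u is not itself a mislabel.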