Summary:

SELinux is preventing access to files with the label, file_t.

Detailed Description:

SELinux permission checks on files labeled file_t are being denied. file_t is the context the SELinux kernel gives to files that do not have a label. This indicates a serious labeling problem. No files on an SELinux box should ever be labeled file_t. If you have just added a new disk drive to the system you can relabel it using the restorecon command. Otherwise you should relabel the entire files system.

Allowing Access:

You can execute the following command as root to relabel your computer system: "touch /.autorelabel; reboot"

Additional Information:

Source Context                unconfined_u:unconfined_r:nsplugin_t:s0
Target Context                system_u:object_r:file_t:s0
Target Objects                / [ dir ]
Source                        npviewer.bin
Source Path                   /usr/lib/nspluginwrapper/npviewer.bin
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           nspluginwrapper-1.1.10-1.fc10
Target RPM Packages           filesystem-2.4.19-1.fc10
Policy RPM                    selinux-policy-3.5.13-18.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.27.9-159.fc10.x86_64 #1 SMP Tue Dec 16 14:47:52 EST 2008 x86_64 x86_64
Alert Count                   1495
First Seen                    Tue 17 Feb 2009 02:27:29 PM CET
Last Seen                     Tue 17 Feb 2009 03:00:13 PM CET
Local ID                      cf9ea32c-7fc0-407c-8823-fcf5d901ecd1
Line Numbers

Raw Audit Messages

node=localhost.localdomain type=AVC msg=audit(1234879213.354:8589): avc: denied { search } for pid=4480 comm="npviewer.bin" name="/" dev=dm-0 ino=2 scontext=unconfined_u:unconfined_r:nsplugin_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir

node=localhost.localdomain type=SYSCALL msg=audit(1234879213.354:8589): arch=40000003 syscall=5 per=8 success=no exit=-13 a0=8673a00 a1=0 a2=1b6 a3=0 items=0 ppid=4085 pid=4480 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="npviewer.bin" exe="/usr/lib/nspluginwrapper/npviewer.bin" subj=unconfined_u:unconfined_r:nsplugin_t:s0 key=(null)

------------------------------------------------

[/home/opalka][/home/opalka]>ls -lZ /usr/lib/nspluginwrapper/
drwxr-xr-x root root system_u:object_r:lib_t:s0 .
drwxr-xr-x root root system_u:object_r:lib_t:s0 ..
-rwxr-xr-x root root system_u:object_r:bin_t:s0 npconfig
-rwxr-xr-x root root system_u:object_r:lib_t:s0 npplayer
-rwxr-xr-x root root system_u:object_r:bin_t:s0 npviewer
-rwxr-xr-x root root system_u:object_r:nsplugin_exec_t:s0 npviewer.bin
-rwxr-xr-x root root system_u:object_r:lib_t:s0 npwrapper.so
-rwxr-xr-x root root system_u:object_r:lib_t:s0 nspluginplayer
-rwsr-xr-x root root system_u:object_r:nsplugin_config_exec_t:s0 plugin-config
[/home/opalka][/home/opalka]>ls -lZ /usr/lib/mozilla/plugins
drwxr-xr-x root root system_u:object_r:lib_t:s0 .
drwxr-xr-x root root system_u:object_r:lib_t:s0 ..
lrwxrwxrwx root root unconfined_u:object_r:lib_t:s0 libflashplayer.so
[/home/opalka][/home/opalka]>
[/home/opalka][/home/opalka]>ls -lZ /usr/lib64/nspluginwrapper/
drwxr-xr-x root root system_u:object_r:lib_t:s0 .
drwxr-xr-x root root system_u:object_r:lib_t:s0 ..
-rwxr-xr-x root root system_u:object_r:lib_t:s0 libnoxshm.so
-rwxr-xr-x root root system_u:object_r:lib_t:s0 libxpcom.so
-rwxr-xr-x root root system_u:object_r:bin_t:s0 npconfig
-rwxr-xr-x root root system_u:object_r:lib_t:s0 npplayer
-rwxr-xr-x root root system_u:object_r:bin_t:s0 npviewer
-rwxr-xr-x root root system_u:object_r:nsplugin_exec_t:s0 npviewer.bin
-rwxr-xr-x root root system_u:object_r:lib_t:s0 npviewer.sh
-rwxr-xr-x root root system_u:object_r:lib_t:s0 npwrapper.so
-rwxr-xr-x root root system_u:object_r:lib_t:s0 nspluginplayer
-rwsr-xr-x root root system_u:object_r:nsplugin_config_exec_t:s0 plugin-config
[/home/opalka][/home/opalka]>

Richard is my colleague at the next table, and I have checked his computer; it looks like it is set up all right. After a rather large change to the partitions etc. (encrypting /home) we had to do 'touch /.autorelabel;reboot' anyway. All files in /usr/lib*/nspluginwrapper seem to be labelled correctly, and yet these AVC denials happen whenever he opens a new URL.

I would bet there is a file in /tmp labeled file_t.

find / -context "*:file_t:*"

OK, you are partially right -- it wasn't in /tmp, but it was a misconfiguration -- /home and /home/lost+found were unlabelled.
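
Added example, not part of the original report or comments: a Python script that scans audit records for denials whose target type is file_t and groups them by device, inode and name, which narrows down which filesystem holds the unlabelled objects before running restorecon or the find command above. The first sample record follows the AVC line quoted in the report; the other records, inode 11, prefs.js and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample records; the first follows the AVC line quoted in the report.
SAMPLE_LOG = '''\
type=AVC msg=audit(1234879213.354:8589): avc: denied { search } for pid=4480 comm="npviewer.bin" name="/" dev=dm-0 ino=2 scontext=unconfined_u:unconfined_r:nsplugin_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=SYSCALL msg=audit(1234879213.354:8589): arch=40000003 syscall=5 success=no exit=-13 comm="npviewer.bin"
type=AVC msg=audit(1234879214.101:8590): avc: denied { search } for pid=4480 comm="npviewer.bin" name="/" dev=dm-0 ino=2 scontext=unconfined_u:unconfined_r:nsplugin_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1234879215.007:8591): avc: denied { getattr } for pid=4480 comm="npviewer.bin" name="lost+found" dev=dm-0 ino=11 scontext=unconfined_u:unconfined_r:nsplugin_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1234879216.450:8592): avc: denied { read } for pid=4480 comm="npviewer.bin" name="prefs.js" dev=dm-0 ino=4711 scontext=unconfined_u:unconfined_r:nsplugin_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
'''

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"
PERMS = re.compile(r'\{\s*([^}]*?)\s*\}')    # the "{ search }" permission set

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other records."""
    if "type=AVC" not in line or not re.search(r'avc:\s+denied', line):
        return None
    rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
    perms = PERMS.search(line)
    rec["perms"] = perms.group(1).split() if perms else []
    return rec

def context_type(context):
    """The type is the third colon-separated field of user:role:type[:range]."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def unlabeled_denials(log_text):
    """Count denials whose target is file_t, keyed by (comm, dev, ino, name, tclass)."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and context_type(rec.get("tcontext", "")) == "file_t":
            hits[(rec.get("comm"), rec.get("dev"), rec.get("ino"),
                  rec.get("name"), rec.get("tclass"))] += 1
    return hits

def affected_devices(hits):
    """Devices holding unlabelled objects, i.e. the filesystems to relabel."""
    return sorted({dev for (_comm, dev, _ino, _name, _tclass) in hits})

if __name__ == "__main__":
    hits = unlabeled_denials(SAMPLE_LOG)
    for (comm, dev, ino, name, tclass), n in hits.most_common():
        print(f"{n:5d}  {comm}  dev={dev} ino={ino} name={name!r} ({tclass})")
    print("relabel filesystems on:", ", ".join(affected_devices(hits)))
```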