Bug 495990 - SELinux is preventing the npviewer.bin from using potentially mislabeled files (swfdec-mozilla.
SELinux is preventing the npviewer.bin from using potentially mislabeled file...
Product: Fedora
Classification: Fedora
Component: nspluginwrapper (Show other bugs)
All Linux
low Severity medium
: ---
: ---
Assigned To: Martin Stransky
Fedora Extras Quality Assurance
: SELinux
Depends On:
  Show dependency treegraph
Reported: 2009-04-15 16:57 EDT by Matěj Cepl
Modified: 2010-03-09 09:25 EST (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2010-03-09 09:25:17 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Matěj Cepl 2009-04-15 16:57:09 EDT

SELinux is preventing the npviewer.bin from using potentially mislabeled files

Podrobný popis:

[SELinux je v uvolněném režimu, operace by byla odmítnuta, ale byla povolena
kvůli uvolněnému režimu.]

SELinux has denied npviewer.bin access to potentially mislabeled file(s)
(swfdec-mozilla.conf). This means that SELinux will not allow npviewer.bin to
use these files. It is common for users to edit files in their home directory or
tmp directories and then move (mv) them to system directories. The problem is
that the files end up with the wrong file context which confined applications
are not allowed to access.

Povolení přístupu:

If you want npviewer.bin to access this files, you need to relabel them using
restorecon -v 'swfdec-mozilla.conf'. You might want to relabel the entire
directory using restorecon -R -v ''.

Další informace:

Kontext zdroje                staff_u:staff_r:nsplugin_t:s0-s0:c0.c1023
Kontext cíle                 staff_u:object_r:user_home_t:s0
Objekty cíle                 swfdec-mozilla.conf [ file ]
Zdroj                         npviewer.bin
Cesta zdroje                  /usr/lib64/nspluginwrapper/npviewer.bin
Port                          <Neznámé>
Počítač                    viklef.ceplovi.cz
RPM balíčky zdroje          nspluginwrapper-1.3.0-5.fc11
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.6.12-2.fc11
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Permissive
Název zásuvného modulu     home_tmp_bad_labels
Název počítače            viklef.ceplovi.cz
Platforma                     Linux viklef.ceplovi.cz #1
                              SMP Tue Apr 7 05:26:42 EDT 2009 x86_64 x86_64
Počet upozornění           5
Poprvé viděno               St 15. duben 2009, 13:01:20 CEST
Naposledy viděno             St 15. duben 2009, 13:29:31 CEST
Místní ID                   197a7c07-9d8a-4b59-ad70-1a97e36058e6
Čísla řádků              

Původní zprávy auditu      

node=viklef.ceplovi.cz type=AVC msg=audit(1239794971.163:319): avc:  denied  { unlink } for  pid=13465 comm="npviewer.bin" name="swfdec-mozilla.conf" dev=dm-6 ino=6635881 scontext=staff_u:staff_r:nsplugin_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_t:s0 tclass=file

node=viklef.ceplovi.cz type=SYSCALL msg=audit(1239794971.163:319): arch=c000003e syscall=82 success=yes exit=0 a0=164b440 a1=1638130 a2=16430b0 a3=1 items=0 ppid=13436 pid=13465 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="npviewer.bin" exe="/usr/lib64/nspluginwrapper/npviewer.bin" subj=staff_u:staff_r:nsplugin_t:s0-s0:c0.c1023 key=(null)
Comment 1 Matěj Cepl 2009-05-12 02:16:48 EDT
Hesitantly self-ASSIGNing.

Switching to ASSIGNED so that developers have responsibility to do whatever they want to do with it.
Comment 2 Daniel Walsh 2009-05-12 08:34:29 EDT
I believe this is a mislabeled file in the home dir.  Where is swfdec-mozilla.conf located?
Comment 3 Matěj Cepl 2009-05-12 08:35:27 EDT
Comment 4 Matěj Cepl 2009-05-12 08:38:48 EDT
And you are probably right:

matej@viklef ~]$ restorecon -v $(locate *swfdec*.conf)
restorecon reset /home/matej/.config/swfdec-mozilla.conf context staff_u:object_r:user_home_t:s0->staff_u:object_r:gnome_home_t:s0
[matej@viklef ~]$ 

How is the relabelling of file whose default labels changed in
/etc/selinux/targeted/contexts/files/* provided? Does %post (or some other script) in selinux-policy* runs restorecon?
Comment 5 Daniel Walsh 2009-05-12 08:47:59 EDT
I am working on a solution for this.  The problem is we do not know what app creates any of these directories so they can be mislabeles.  I am building a dbus service restorecond that will watch your homedir and basically run restorecon on any file or directory created at the top level.  WHich should fix a lot of the labeling problems in the homedir.
Comment 6 Bug Zapper 2009-06-09 09:52:50 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
Comment 7 Thomas Kowaliczek 2010-03-07 15:11:09 EST
Any new infos about this bug? Is this bug in F12?
Comment 8 Thomas Kowaliczek 2010-03-07 17:11:07 EST
It´s an selinux/nsviewer problem.
Comment 9 Daniel Walsh 2010-03-09 09:25:17 EST
Fixed in F12

Note You need to log in before you can comment on or make changes to this bug.