Red Hat Bugzilla – Bug 496243
SELinux is preventing the evince from using potentially mislabeled files (.recently-used.xbel).
Last modified: 2009-04-18 04:20:24 EDT
Summary: SELinux is preventing the evince from using potentially mislabeled files (.recently-used.xbel). Detailed Description: [SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.] SELinux has denied evince access to potentially mislabeled file(s) (.recently-used.xbel). This means that SELinux will not allow evince to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access. Allowing Access: If you want evince to access this files, you need to relabel them using restorecon -v '.recently-used.xbel'. You might want to relabel the entire directory using restorecon -R -v ''. Additional Information: Source Context unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c102 3 Target Context unconfined_u:object_r:user_home_t:s0 Target Objects .recently-used.xbel [ file ] Source evince Source Path /usr/bin/evince Port <Unknown> Host localhost.localdomain Source RPM Packages evince-2.26.1-1.fc11 Target RPM Packages Policy RPM selinux-policy-3.6.12-4.fc11 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Permissive Plugin Name home_tmp_bad_labels Host Name localhost.localdomain Platform Linux localhost.localdomain 2.6.29.1-70.fc11.x86_64 #1 SMP Mon Apr 13 14:16:25 EDT 2009 x86_64 x86_64 Alert Count 1 First Seen Fri 17 Apr 2009 03:56:14 PM CEST Last Seen Fri 17 Apr 2009 03:56:14 PM CEST Local ID 111f82c5-849c-41c7-8253-6ddc8f5809f6 Line Numbers Raw Audit Messages node=localhost.localdomain type=AVC msg=audit(1239976574.565:68): avc: denied { unlink } for pid=3627 comm="evince" name=".recently-used.xbel" dev=dm-1 ino=386018 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file node=localhost.localdomain type=SYSCALL msg=audit(1239976574.565:68): arch=c000003e syscall=82 success=yes exit=0 a0=c7b250 a1=9950c0 a2=bc2b90 a3=1 items=0 ppid=3626 pid=3627 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=7 comm="evince" exe="/usr/bin/evince" subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null)
If you want to use nsplugin you can not use mozplugger with the evince/ooffice plugin. Or you can turn off the nsplugin transition setsebool -P allow_unconfined_nsplugin_transition 1
Ah, sorry about that. I didn't realize mozplugger was the culprit.