Bug 521473 - setroubleshoot: SELinux is preventing prelink "read" access to /usr/lib/mozilla/plugins-wrapped/nswrapper_32_32.nphelix.so.
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: i386
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:37231f9d125...
Depends On:
Blocks:
 
Reported: 2009-09-06 09:46 UTC by lizian
Modified: 2009-09-06 19:23 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-09-06 19:23:21 UTC



Description lizian 2009-09-06 09:46:18 UTC
The following was filed automatically by setroubleshoot:

Summary:

SELinux is preventing prelink "read" access to
/usr/lib/mozilla/plugins-wrapped/nswrapper_32_32.nphelix.so.

Detailed Description:

[prelink has a permissive type (prelink_t). This access was not denied.]

SELinux denied prelink read on
/usr/lib/mozilla/plugins-wrapped/nswrapper_32_32.nphelix.so. The prelink program
is only allowed to manipulate files that are identified as executables or shared
libraries by SELinux. Libraries that get placed in lib directories get labeled
by default as a shared library. Similarly, executables that get placed in a bin
or sbin directory get labeled as executables by SELinux. However, if these files
get installed in other directories they might not get the correct label. If
prelink is trying to manipulate a file that is not a binary or share library
this may indicate an intrusion attack.

Allowing Access:

You can alter the file context by executing "chcon -t bin_t
'/usr/lib/mozilla/plugins-wrapped/nswrapper_32_32.nphelix.so'" or "chcon -t
lib_t '/usr/lib/mozilla/plugins-wrapped/nswrapper_32_32.nphelix.so'" if it is a
shared library. If you want to make these changes permanent you must execute the
semanage command. "semanage fcontext -a -t bin_t
'/usr/lib/mozilla/plugins-wrapped/nswrapper_32_32.nphelix.so'" or "semanage
fcontext -a -t lib_t
'/usr/lib/mozilla/plugins-wrapped/nswrapper_32_32.nphelix.so'". If you feel this
executable/shared library is in the wrong location please file a bug against the
package that includes the file. If you feel that SELinux should know about this
file and label it correctly please file a bug against SELinux policy
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) .

Additional Information:

Source Context                system_u:system_r:prelink_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:nsplugin_rw_t:s0
Target Objects                /usr/lib/mozilla/plugins-
                              wrapped/nswrapper_32_32.nphelix.so [ file ]
Source                        prelink
Source Path                   /usr/sbin/prelink
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           prelink-0.4.2-2.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.30-2.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   prelink_mislabled
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.31-0.199.rc8.git2.fc12.i686.PAE #1 SMP Wed Sep
                              2 20:54:44 EDT 2009 i686 i686
Alert Count                   2
First Seen                    Sunday, 2009-09-06 17:25:31
Last Seen                     Sunday, 2009-09-06 17:25:31
Local ID                      f1b3ca62-e852-4b53-babe-64c0bf83ef9a
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1252229131.459:130): avc:  denied  { read } for  pid=16732 comm="prelink" name="nswrapper_32_32.nphelix.so" dev=sda9 ino=33925 scontext=system_u:system_r:prelink_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:nsplugin_rw_t:s0 tclass=file

node=(removed) type=AVC msg=audit(1252229131.459:130): avc:  denied  { open } for  pid=16732 comm="prelink" name="nswrapper_32_32.nphelix.so" dev=sda9 ino=33925 scontext=system_u:system_r:prelink_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:nsplugin_rw_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1252229131.459:130): arch=40000003 syscall=5 success=yes exit=7 a0=89c8b68 a1=8000 a2=0 a3=89c8ba2 items=0 ppid=16726 pid=16732 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="prelink" exe="/usr/sbin/prelink" subj=system_u:system_r:prelink_t:s0-s0:c0.c1023 key=(null)


audit2allow suggests:

#============= prelink_t ==============
allow prelink_t nsplugin_rw_t:file { read open };

Comment 1 Daniel Walsh 2009-09-06 19:23:21 UTC
Fixed in selinux-policy-3.6.30-4.fc12.noarch

