Bug 523570 - setroubleshoot: SELinux is preventing the npviewer.bin from using potentially mislabeled files (root).
Summary: setroubleshoot: SELinux is preventing the npviewer.bin from using potent...
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: i386
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:de724864538...
: 523573 523578 523579 523580 523581 523582 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-09-16 01:45 UTC by kylin
Modified: 2009-11-06 23:21 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-09-16 12:28:16 UTC

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description kylin 2009-09-16 01:45:51 UTC 
The following was filed automatically by setroubleshoot:

概述:

SELinux is preventing the npviewer.bin from using potentially mislabeled files
(root).

详细描述:

SELinux has denied npviewer.bin access to potentially mislabeled file(s) (root).
This means that SELinux will not allow npviewer.bin to use these files. It is
common for users to edit files in their home directory or tmp directories and
then move (mv) them to system directories. The problem is that the files end up
with the wrong file context which confined applications are not allowed to
access.

允许访问:

If you want npviewer.bin to access this files, you need to relabel them using
restorecon -v 'root'. You might want to relabel the entire directory using
restorecon -R -v 'root'.

附加信息:

源上下文                  unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c102
                              3
目标上下文               system_u:object_r:admin_home_t:s0
目标对象                  root [ dir ]
源                           npviewer.bin
源路径                     /usr/lib/nspluginwrapper/npviewer.bin
端口                        <未知>
主机                        (removed)
源 RPM 软件包             nspluginwrapper-1.3.0-8.fc12
目标 RPM 软件包          filesystem-2.4.27-1.fc12
策略 RPM                    selinux-policy-3.6.26-8.fc12
启用 Selinux                True
策略类型                  targeted
启用 MLS                    True
Enforcing 模式              Enforcing
插件名称                  home_tmp_bad_labels
主机名                     (removed)
平台                        Linux (removed)
                              2.6.31-0.125.4.2.rc5.git2.fc12.i686.PAE #1 SMP Tue
                              Aug 11 21:01:03 EDT 2009 i686 i686
警报计数                  1379
第一个                     2009年09月16日 星期三 08时35分39秒
最后一个                  2009年09月16日 星期三 09时43分46秒
本地 ID                     465a6fa5-f954-49c8-b86b-7af45b65e0a0
行号                        

原始核查信息            

node=(removed) type=AVC msg=audit(1253065426.393:28489): avc:  denied  { search } for  pid=9847 comm="npviewer.bin" name="root" dev=sda7 ino=73586 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir

node=(removed) type=SYSCALL msg=audit(1253065426.393:28489): arch=40000003 syscall=292 success=no exit=-13 a0=a a1=8435a00 a2=1002fce a3=8435908 items=0 ppid=5724 pid=9847 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="npviewer.bin" exe="/usr/lib/nspluginwrapper/npviewer.bin" subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null)


audit2allow suggests:

#============= nsplugin_t ==============
allow nsplugin_t admin_home_t:dir search;
Comment 1 Daniel Walsh 2009-09-16 12:28:16 UTC 
Some how you logged in as root and are running SELinux, this is not supported.  Logging in and runnin X Sessions as root is very dangerous.
Comment 2 Daniel Walsh 2009-09-16 12:28:47 UTC 
*** Bug 523573 has been marked as a duplicate of this bug. ***
Comment 3 Daniel Walsh 2009-09-16 12:36:16 UTC 
    Ok later you tell me you are doing a yum upgrade when this happens?  So that is
    why this stuff is running as root.


    Added dontaudits

    Fixed in selinux-policy-3.6.31-6.fc12.noarch
Comment 4 Daniel Walsh 2009-09-16 12:38:40 UTC 
*** Bug 523578 has been marked as a duplicate of this bug. ***
Comment 5 Daniel Walsh 2009-09-16 12:39:05 UTC 
*** Bug 523579 has been marked as a duplicate of this bug. ***
Comment 6 Daniel Walsh 2009-09-16 12:39:56 UTC 
*** Bug 523580 has been marked as a duplicate of this bug. ***
Comment 7 Daniel Walsh 2009-09-16 12:40:21 UTC 
*** Bug 523581 has been marked as a duplicate of this bug. ***
Comment 8 Daniel Walsh 2009-09-16 12:40:43 UTC 
*** Bug 523582 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.