Bug 523575 - setroubleshoot: SELinux is preventing the npviewer.bin from using potentially mislabeled files (/root/.mozilla/firefox/4ctvyshh.default/.parentlock).
Summary: setroubleshoot: SELinux is preventing the npviewer.bin from using potent...
Keywords:
Status: CLOSED CANTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: i386
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:1ea07b04ad8...
: 523576 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-09-16 01:53 UTC by kylin
Modified: 2009-09-16 12:37 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-09-16 12:37:33 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description kylin 2009-09-16 01:53:54 UTC 
The following was filed automatically by setroubleshoot:

概述:

SELinux is preventing the npviewer.bin from using potentially mislabeled files
(/root/.mozilla/firefox/4ctvyshh.default/.parentlock).

详细描述:

SELinux has denied npviewer.bin access to potentially mislabeled file(s)
(/root/.mozilla/firefox/4ctvyshh.default/.parentlock). This means that SELinux
will not allow npviewer.bin to use these files. It is common for users to edit
files in their home directory or tmp directories and then move (mv) them to
system directories. The problem is that the files end up with the wrong file
context which confined applications are not allowed to access.

允许访问:

If you want npviewer.bin to access this files, you need to relabel them using
restorecon -v '/root/.mozilla/firefox/4ctvyshh.default/.parentlock'. You might
want to relabel the entire directory using restorecon -R -v
'/root/.mozilla/firefox/4ctvyshh.default'.

附加信息:

源上下文                  unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c102
                              3
目标上下文               unconfined_u:object_r:admin_home_t:s0
目标对象                  /root/.mozilla/firefox/4ctvyshh.default/.parentloc
                              k [ file ]
源                           npviewer.bin
源路径                     /usr/lib/nspluginwrapper/npviewer.bin
端口                        <未知>
主机                        (removed)
源 RPM 软件包             nspluginwrapper-1.3.0-8.fc12
目标 RPM 软件包          
策略 RPM                    selinux-policy-3.6.26-8.fc12
启用 Selinux                True
策略类型                  targeted
启用 MLS                    True
Enforcing 模式              Enforcing
插件名称                  home_tmp_bad_labels
主机名                     (removed)
平台                        Linux (removed)
                              2.6.31-0.125.4.2.rc5.git2.fc12.i686.PAE #1 SMP Tue
                              Aug 11 21:01:03 EDT 2009 i686 i686
警报计数                  12
第一个                     2009年09月16日 星期三 09时36分15秒
最后一个                  2009年09月16日 星期三 09时37分53秒
本地 ID                     e10b2c13-712f-4e02-bf40-0693e8f91fe6
行号                        

原始核查信息            

node=(removed) type=AVC msg=audit(1253065073.184:27873): avc:  denied  { write } for  pid=9837 comm="npviewer.bin" path="/root/.mozilla/firefox/4ctvyshh.default/.parentlock" dev=sda7 ino=110484 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

node=(removed) type=AVC msg=audit(1253065073.184:27873): avc:  denied  { read } for  pid=9837 comm="npviewer.bin" path="/root/.mozilla/firefox/4ctvyshh.default/XUL.mfasl" dev=sda7 ino=110498 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

node=(removed) type=AVC msg=audit(1253065073.184:27873): avc:  denied  { read write } for  pid=9837 comm="npviewer.bin" path="/root/.mozilla/firefox/4ctvyshh.default/Cache/_CACHE_MAP_" dev=sda7 ino=111510 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

node=(removed) type=AVC msg=audit(1253065073.184:27873): avc:  denied  { read write } for  pid=9837 comm="npviewer.bin" path="/root/.mozilla/firefox/4ctvyshh.default/Cache/_CACHE_001_" dev=sda7 ino=111511 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

node=(removed) type=AVC msg=audit(1253065073.184:27873): avc:  denied  { read write } for  pid=9837 comm="npviewer.bin" path="/root/.mozilla/firefox/4ctvyshh.default/Cache/_CACHE_002_" dev=sda7 ino=111512 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

node=(removed) type=AVC msg=audit(1253065073.184:27873): avc:  denied  { read write } for  pid=9837 comm="npviewer.bin" path="/root/.mozilla/firefox/4ctvyshh.default/Cache/_CACHE_003_" dev=sda7 ino=111513 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1253065073.184:27873): arch=40000003 syscall=11 success=yes exit=0 a0=9f62b28 a1=9f694a8 a2=9f6b1e8 a3=9f694a8 items=0 ppid=5724 pid=9837 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="npviewer.bin" exe="/usr/lib/nspluginwrapper/npviewer.bin" subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null)


audit2allow suggests:

#============= nsplugin_t ==============
allow nsplugin_t admin_home_t:file { write read };
Comment 1 Daniel Walsh 2009-09-16 12:37:33 UTC 
You ran mozilla as root and it created this directory tree which nsplugin is now trying to interact with.  It is a horrible idea to run firefox as root.

rm -rf /root/.mozilla

Will eliminate this AVC.
Comment 2 Daniel Walsh 2009-09-16 12:37:58 UTC 
*** Bug 523576 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.