Summary: SELinux is preventing /usr/lib64/nspluginwrapper/plugin-config "write" access on /usr/lib64/mozilla/plugins-wrapped. Detailed Description: SELinux denied access requested by plugin-config. It is not expected that this access is required by plugin-config and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report. Additional Information: Source Context unconfined_u:unconfined_r:sandbox_web_client_t:s0: c477,c827 Target Context system_u:object_r:nsplugin_rw_t:s0 Target Objects /usr/lib64/mozilla/plugins-wrapped [ dir ] Source plugin-config Source Path /usr/lib64/nspluginwrapper/plugin-config Port <Unknown> Host (removed) Source RPM Packages nspluginwrapper-1.3.0-11.fc13 Target RPM Packages nspluginwrapper-1.3.0-11.fc13 Policy RPM selinux-policy-3.7.19-21.fc13 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name catchall Host Name (removed) Platform Linux baby 2.6.33.5-112.fc13.x86_64 #1 SMP Thu May 27 02:28:31 UTC 2010 x86_64 x86_64 Alert Count 6 First Seen Tue 08 Jun 2010 02:18:55 PM CDT Last Seen Tue 08 Jun 2010 02:18:55 PM CDT Local ID 3d24a606-0891-4938-9d15-d0261b1baa6a Line Numbers Raw Audit Messages node=(removed) type=AVC msg=audit(1276024735.913:61): avc: denied { write } for pid=13112 comm="plugin-config" name="plugins-wrapped" dev=sda2 ino=1201472 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c477,c827 tcontext=system_u:object_r:nsplugin_rw_t:s0 tclass=dir node=(removed) type=SYSCALL msg=audit(1276024735.913:61): arch=c000003e syscall=87 success=no exit=-13 a0=7fffdd69f66c a1=7fffdd69f66c a2=7fffdd69b20f a3=1 items=0 ppid=13110 pid=13112 auid=5160 uid=5160 gid=5161 euid=0 suid=0 fsuid=0 egid=5161 sgid=5161 fsgid=5161 tty=(none) ses=1 comm="plugin-config" exe="/usr/lib64/nspluginwrapper/plugin-config" subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c477,c827 key=(null) Hash String generated from catchall,plugin-config,sandbox_web_client_t,nsplugin_rw_t,dir,write audit2allow suggests: #============= sandbox_web_client_t ============== #!!!! The source type 'sandbox_web_client_t' can write to a 'dir' of the following types: # sandbox_web_client_tmpfs_t, sandbox_web_file_t, tmpfs_t allow sandbox_web_client_t nsplugin_rw_t:dir write;
Happens when I execute "sandbox -X -t sandbox_web_t firefox"
Miroslav can you add nsplugin_manage_rw(sandbox_web_type)
Fixed in selinux-policy-3.7.19-26.fc13
selinux-policy-3.7.19-28.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-28.fc13
selinux-policy-3.7.19-28.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-28.fc13
Verified.
selinux-policy-3.7.19-28.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.