Bug 615660 - SELinux is preventing /usr/lib/nspluginwrapper/npviewer.bin "read write" access on /dev/dri/card0
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 14
Hardware: x86_64 Linux
Priority: low, Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:3ce408c5103...
Keywords: Reopened

Reported: 2010-07-17 16:12 EDT by Francisco Hauva
Modified: 2010-10-29 07:42 EDT (History)
Fixed In Version: selinux-policy-3.9.3-4.fc14
Doc Type: Bug Fix
Last Closed: 2010-09-23 08:44:40 EDT
Description Francisco Hauva 2010-07-17 16:12:51 EDT
Summary:

SELinux is preventing /usr/lib/nspluginwrapper/npviewer.bin "read write" access
on /dev/dri/card0

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by npviewer.bin. It is not expected that this
access is required by npviewer.bin and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access. See FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023
Target Context                system_u:object_r:dri_device_t:s0
Target Objects                /dev/dri/card0 [ chr_file ]
Source                        npviewer.bin
Source Path                   /usr/lib/nspluginwrapper/npviewer.bin
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           nspluginwrapper-1.3.0-14.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.8.6-3.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux dell-fhg 2.6.35-0.36.rc4.git5.fc14.x86_64 #1
                              SMP Tue Jul 13 05:25:30 UTC 2010 x86_64 x86_64
Alert Count                   9
First Seen                    Fri 16 Jul 2010 18:26:21 CST
Last Seen                     Fri 16 Jul 2010 21:37:48 CST
Local ID                      2273ffa2-ad4e-440a-952e-ae38e99ea84a
Line Numbers                  

Raw Audit Messages

node=dell-fhg type=AVC msg=audit(1279337868.396:700): avc:  denied  { read write } for  pid=18448 comm="npviewer.bin" path="/dev/dri/card0" dev=devtmpfs ino=6354 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file

node=dell-fhg type=SYSCALL msg=audit(1279337868.396:700): arch=40000003 syscall=54 per=8 success=yes exit=0 a0=11 a1=c0086457 a2=ffc5f128 a3=ffc5f128 items=0 ppid=18330 pid=18448 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="npviewer.bin" exe="/usr/lib/nspluginwrapper/npviewer.bin" subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  catchall,npviewer.bin,nsplugin_t,dri_device_t,chr_file,read,write
audit2allow suggests:

#============= nsplugin_t ==============
allow nsplugin_t dri_device_t:chr_file { read write };
Comment 1 Daniel Walsh 2010-07-19 11:19:02 EDT

*** This bug has been marked as a duplicate of bug 615659 ***
Comment 2 Daniel Walsh 2010-07-19 11:21:08 EDT
What plugin were you using that caused this AVC?
Comment 3 Francisco Hauva 2010-07-19 23:12:56 EDT
flash-plugin-10.1.53.64-release.i386
Comment 4 Daniel Walsh 2010-07-20 09:40:43 EDT
If you try this in enforcing mode, does flash work?
Comment 5 Daniel Walsh 2010-07-29 12:35:23 EDT
Are you still seeing this problem?
Comment 6 Bug Zapper 2010-07-30 08:38:50 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 14 development cycle.
Changing version to '14'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 7 Jeff Layton 2010-09-01 08:45:18 EDT
I'm still seeing this. To reproduce, use the proprietary adobe flash plugin. Go to a flash video site (e.g. youtube) and play a video there. Click the little button to make it fullscreen. The video will still play, but it'll be very choppy and I get this AVC denial. When I set selinux to permissive mode, the video plays normally in fullscreen mode.
Comment 8 Jeff Layton 2010-09-01 08:46:05 EDT
FWIW, I'm running f14 fully patched as of this morning. Let me know if you need other info.
Comment 9 Daniel Walsh 2010-09-01 09:57:09 EDT
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.9.1-3.fc14
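
Added example, not part of the comment above and not code from the selinux-policy project: `grep avc` hands every denial in the audit log to audit2allow, so a local module built that way can allow more than the npviewer.bin access reported in this bug. The sketch below builds rules only from denials raised by one command name; the second log record and the names `SAMPLE_LOG`, `scoped_allow_rules`, `exampled` and `example_t` are constructed for illustration.

```python
import re
from collections import defaultdict

# First record is the AVC from this report; the second is a constructed,
# unrelated denial showing what a bare `grep avc` would also pick up.
SAMPLE_LOG = '''\
node=dell-fhg type=AVC msg=audit(1279337868.396:700): avc:  denied  { read write } for  pid=18448 comm="npviewer.bin" path="/dev/dri/card0" dev=devtmpfs ino=6354 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file
type=AVC msg=audit(1279337900.100:701): avc:  denied  { write } for  pid=2000 comm="exampled" name="shadow" dev=dm-0 ino=42 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
'''

# Permissions, command name, source/target contexts and object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')


def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]


def scoped_allow_rules(log_text, comm):
    """Build allow rules only from denials raised by one command name."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("comm") != comm:
            continue  # not an AVC denial, or raised by another process
        key = (selinux_type(m.group("scon")), selinux_type(m.group("tcon")),
               m.group("tclass"))
        rules[key].update(m.group("perms").split())
    out = []
    for (src, tgt, tclass), perms in sorted(rules.items()):
        joined = " ".join(sorted(perms))
        body = "{ %s }" % joined if len(perms) > 1 else joined
        out.append(f"allow {src} {tgt}:{tclass} {body};")
    return out


if __name__ == "__main__":
    # Only the nsplugin_t rule is emitted; the shadow_t denial is left out.
    for rule in scoped_allow_rules(SAMPLE_LOG, "npviewer.bin"):
        print(rule)
```

Reviewing the generated rules (or the `mypol.te` file that `audit2allow -M` writes) before running `semodule -i` shows exactly which accesses the local module will grant.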
Comment 10 Fedora Update System 2010-09-10 12:49:37 EDT
selinux-policy-3.9.3-4.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.3-4.fc14
Comment 11 Fedora Update System 2010-09-10 22:17:31 EDT
selinux-policy-3.9.3-4.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.3-4.fc14
Comment 12 Fedora Update System 2010-09-23 08:41:20 EDT
selinux-policy-3.9.3-4.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.
