Bug 652901 - Konqueror AVC denials as sandbox_web_t using the SELinux Sandbox.
Summary: Konqueror AVC denials as sandbox_web_t using the SELinux Sandbox.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 14
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2010-11-13 12:37 UTC by Carl G.
Modified: 2011-05-26 20:17 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-05-26 20:17:06 UTC
Type: ---
Embargoed:



Description Carl G. 2010-11-13 12:37:39 UTC
Description of problem:

Konqueror currently SIGSEGVs when trying to use Konqueror in an SELinux Sandbox.

selinux-policy-targeted-3.9.7-7.fc14.noarch

AVC denials:
-------

% sudo tail -f /var/log/audit/audit.log | grep denied
[sudo] password for root: 
type=AVC msg=audit(1289651323.480:30783): avc:  denied  { read } for  pid=5753 comm="kio_http_cache_" name="http" dev=dm-1 ino=152058 scontext=staff_u:staff_r:sandbox_web_client_t:s0:c135,c450 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir
type=AVC msg=audit(1289651329.102:30784): avc:  denied  { unlink } for  pid=5753 comm="kio_http_cache_" name="f556d57b7399dc1ff449a6d559b294c6386e212d" dev=dm-1 ino=142067 scontext=staff_u:staff_r:sandbox_web_client_t:s0:c135,c450 tcontext=staff_u:object_r:user_tmp_t:s0:c135,c450 tclass=file
type=AVC msg=audit(1289651635.146:30791): avc:  denied  { read write } for  pid=5859 comm="konqueror" name="icon-cache.kcache" dev=dm-1 ino=135904 scontext=staff_u:staff_r:sandbox_web_client_t:s0:c460,c691 tcontext=staff_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1289651635.146:30791): avc:  denied  { open } for  pid=5859 comm="konqueror" name="icon-cache.kcache" dev=dm-1 ino=135904 scontext=staff_u:staff_r:sandbox_web_client_t:s0:c460,c691 tcontext=staff_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1289651635.291:30792): avc:  denied  { connectto } for  pid=5873 comm="kded4" path=002F746D702F66616D2D6361726C2D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 scontext=staff_u:staff_r:sandbox_web_client_t:s0:c460,c691 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1289651635.304:30793): avc:  denied  { read } for  pid=5874 comm="kbuildsycoca4" name="ksycoca4" dev=dm-1 ino=156390 scontext=staff_u:staff_r:sandbox_web_client_t:s0:c460,c691 tcontext=staff_u:object_r:user_tmp_t:s0:c114,c991 tclass=file
type=AVC msg=audit(1289651635.305:30794): avc:  denied  { open } for  pid=5874 comm="kbuildsycoca4" name="ksycoca4" dev=dm-1 ino=156390 scontext=staff_u:staff_r:sandbox_web_client_t:s0:c460,c691 tcontext=staff_u:object_r:user_tmp_t:s0:c114,c991 tclass=file
type=AVC msg=audit(1289651635.411:30795): avc:  denied  { execute_no_trans } for  pid=5908 comm="sh" path="/usr/lib64/kconf_update_bin/plasma-to-plasma-desktop" dev=dm-1 ino=671573 scontext=staff_u:staff_r:sandbox_web_client_t:s0:c460,c691 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1289651636.994:30796): avc:  denied  { write } for  pid=6082 comm="kio_http" name="http" dev=dm-1 ino=152058 scontext=staff_u:staff_r:sandbox_web_client_t:s0:c460,c691 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir
type=AVC msg=audit(1289651636.994:30796): avc:  denied  { add_name } for  pid=6082 comm="kio_http" name="f2686c83cb487a2814ce40ef6f818e031be58063.nn6082" scontext=staff_u:staff_r:sandbox_web_client_t:s0:c460,c691 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir
type=AVC msg=audit(1289651636.994:30796): avc:  denied  { create } for  pid=6082 comm="kio_http" name="f2686c83cb487a2814ce40ef6f818e031be58063.nn6082" scontext=staff_u:staff_r:sandbox_web_client_t:s0:c460,c691 tcontext=staff_u:object_r:user_tmp_t:s0:c460,c691 tclass=file
type=AVC msg=audit(1289651636.994:30796): avc:  denied  { read write open } for  pid=6082 comm="kio_http" name="f2686c83cb487a2814ce40ef6f818e031be58063.nn6082" dev=dm-1 ino=131878 scontext=staff_u:staff_r:sandbox_web_client_t:s0:c460,c691 tcontext=staff_u:object_r:user_tmp_t:s0:c460,c691 tclass=file
type=AVC msg=audit(1289651637.061:30797): avc:  denied  { remove_name } for  pid=6082 comm="kio_http" name="f2686c83cb487a2814ce40ef6f818e031be58063.nn6082" dev=dm-1 ino=131878 scontext=staff_u:staff_r:sandbox_web_client_t:s0:c460,c691 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir
type=AVC msg=audit(1289651637.061:30797): avc:  denied  { rename } for  pid=6082 comm="kio_http" name="f2686c83cb487a2814ce40ef6f818e031be58063.nn6082" dev=dm-1 ino=131878 scontext=staff_u:staff_r:sandbox_web_client_t:s0:c460,c691 tcontext=staff_u:object_r:user_tmp_t:s0:c460,c691 tclass=file
type=AVC msg=audit(1289651637.150:30798): avc:  denied  { read } for  pid=6082 comm="kio_http" name="01724794ecfb394e7941675483a6dc4dd86211a3" dev=dm-1 ino=136051 scontext=staff_u:staff_r:sandbox_web_client_t:s0:c460,c691 tcontext=staff_u:object_r:user_tmp_t:s0:c135,c450 tclass=file
type=AVC msg=audit(1289651637.150:30798): avc:  denied  { open } for  pid=6082 comm="kio_http" name="01724794ecfb394e7941675483a6dc4dd86211a3" dev=dm-1 ino=136051 scontext=staff_u:staff_r:sandbox_web_client_t:s0:c460,c691 tcontext=staff_u:object_r:user_tmp_t:s0:c135,c450 tclass=file
type=AVC msg=audit(1289651637.229:30799): avc:  denied  { write } for  pid=6087 comm="kio_http_cache_" name="01724794ecfb394e7941675483a6dc4dd86211a3" dev=dm-1 ino=136051 scontext=staff_u:staff_r:sandbox_web_client_t:s0:c460,c691 tcontext=staff_u:object_r:user_tmp_t:s0:c135,c450 tclass=file
type=AVC msg=audit(1289651637.229:30800): avc:  denied  { read } for  pid=6087 comm="kio_http_cache_" name="http" dev=dm-1 ino=152058 scontext=staff_u:staff_r:sandbox_web_client_t:s0:c460,c691 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir
type=AVC msg=audit(1289651637.272:30801): avc:  denied  { unlink } for  pid=6087 comm="kio_http_cache_" name="30de6431ee684f6f3f04b2d3f639c92225d7ba40" dev=dm-1 ino=156223 scontext=staff_u:staff_r:sandbox_web_client_t:s0:c460,c691 tcontext=staff_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1289651637.815:30802): avc:  denied  { name_connect } for  pid=6092 comm="kio_http" dest=5000 scontext=staff_u:staff_r:sandbox_web_client_t:s0:c460,c691 tcontext=system_u:object_r:commplex_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1289651650.916:30803): avc:  denied  { unlink } for  pid=6092 comm="kio_http" name="1713b471727ceb17cf418559aa750f4107f11eac" dev=dm-1 ino=132060 scontext=staff_u:staff_r:sandbox_web_client_t:s0:c460,c691 tcontext=staff_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1289651652.100:30804): avc:  denied  { read } for  pid=6085 comm="kio_http" name="39172552f6c65a554a37a1476b0bd2c4898ea7d4" dev=dm-1 ino=143196 scontext=staff_u:staff_r:sandbox_web_client_t:s0:c460,c691 tcontext=staff_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1289651652.100:30804): avc:  denied  { open } for  pid=6085 comm="kio_http" name="39172552f6c65a554a37a1476b0bd2c4898ea7d4" dev=dm-1 ino=143196 scontext=staff_u:staff_r:sandbox_web_client_t:s0:c460,c691 tcontext=staff_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1289651652.250:30805): avc:  denied  { write } for  pid=6087 comm="kio_http_cache_" name="39172552f6c65a554a37a1476b0bd2c4898ea7d4" dev=dm-1 ino=143196 scontext=staff_u:staff_r:sandbox_web_client_t:s0:c460,c691 tcontext=staff_u:object_r:user_tmp_t:s0 tclass=file

% sandbox -t sandbox_web_t -X konqueror
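
The records above mix two different kinds of denial, and it helps to separate them before writing policy. The following is an added example, not code from the report or from selinux-policy: a small parser over a constructed subset of the AVC lines quoted above (the kded4 record's hex path is shortened to its first bytes plus a little NUL padding). It decodes audit's hex-encoded strings, compares the MCS categories of subject and target, and labels each filesystem denial whose target carries categories this sandbox instance does not dominate as an MCS mismatch, everything else as a plain type-enforcement gap. The field names `verdict`, `ttype`, `target` and `abstract_socket` are this example's own.

```python
"""Classify SELinux AVC denials from an audit log: type-enforcement gap
versus MCS category mismatch, plus decoding of hex-encoded audit strings."""
import re
from collections import defaultdict

# Constructed sample: six of the AVC records quoted in the report above.
# The kded4 record's hex path is shortened (audit logs the full 108-byte
# sun_path, which is mostly NUL padding).
SAMPLE_AUDIT_LOG = r"""
type=AVC msg=audit(1289651635.146:30791): avc:  denied  { read write } for  pid=5859 comm="konqueror" name="icon-cache.kcache" dev=dm-1 ino=135904 scontext=staff_u:staff_r:sandbox_web_client_t:s0:c460,c691 tcontext=staff_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1289651635.291:30792): avc:  denied  { connectto } for  pid=5873 comm="kded4" path=002F746D702F66616D2D6361726C2D00000000 scontext=staff_u:staff_r:sandbox_web_client_t:s0:c460,c691 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1289651635.304:30793): avc:  denied  { read } for  pid=5874 comm="kbuildsycoca4" name="ksycoca4" dev=dm-1 ino=156390 scontext=staff_u:staff_r:sandbox_web_client_t:s0:c460,c691 tcontext=staff_u:object_r:user_tmp_t:s0:c114,c991 tclass=file
type=AVC msg=audit(1289651635.411:30795): avc:  denied  { execute_no_trans } for  pid=5908 comm="sh" path="/usr/lib64/kconf_update_bin/plasma-to-plasma-desktop" dev=dm-1 ino=671573 scontext=staff_u:staff_r:sandbox_web_client_t:s0:c460,c691 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1289651637.150:30798): avc:  denied  { read } for  pid=6082 comm="kio_http" name="01724794ecfb394e7941675483a6dc4dd86211a3" dev=dm-1 ino=136051 scontext=staff_u:staff_r:sandbox_web_client_t:s0:c460,c691 tcontext=staff_u:object_r:user_tmp_t:s0:c135,c450 tclass=file
type=AVC msg=audit(1289651637.815:30802): avc:  denied  { name_connect } for  pid=6092 comm="kio_http" dest=5000 scontext=staff_u:staff_r:sandbox_web_client_t:s0:c460,c691 tcontext=system_u:object_r:commplex_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")
# Classes the MCS constraints in the targeted policy cover for read/write.
FS_CLASSES = {"file", "dir", "lnk_file", "chr_file", "blk_file", "sock_file", "fifo_file"}
# Only these keys carry strings audit may hex-encode; "dest=5000" must stay numeric.
STRING_KEYS = {"path", "name", "comm"}


def decode_audit_string(value):
    """audit hex-encodes an untrusted string when it contains non-printable
    bytes. Trailing NULs are padding; a leading NUL marks an abstract-namespace
    Unix socket, which has no filesystem path and no file permissions."""
    return bytes.fromhex(value).rstrip(b"\x00").decode("latin-1")


def parse_record(line):
    """Return one denial as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": frozenset(m.group("perms").split()), "abstract_socket": False}
    for key, quoted, bare in KV_RE.findall(m.group("rest")):
        value = bare if bare else quoted
        if bare and key in STRING_KEYS and HEX_RE.match(bare):
            value = decode_audit_string(bare)
            if key == "path" and value.startswith("\x00"):
                rec["abstract_socket"] = True
        rec[key] = value
    rec["target"] = rec.get("path") or rec.get("name") or rec.get("dest")
    return rec


def parse_context(ctx):
    """'user:role:type:range' -> dict; the range may be 's0', 's0:c1,c2' or 's0-s0:c0.c1023'."""
    user, role, typ, rng = ctx.split(":", 3)
    return {"user": user, "role": role, "type": typ, "range": rng}


def categories(rng):
    """Category set of the high level of an MCS range:
    's0:c460,c691' -> {460, 691}; 's0-s0:c0.c1023' -> {0..1023}; 's0' -> {}."""
    high = rng.split("-")[-1]
    if ":" not in high:
        return frozenset()
    cats = set()
    for item in high.split(":", 1)[1].split(","):
        if "." in item:
            lo, hi = item.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(item[1:]))
    return frozenset(cats)


def classify(rec):
    """'mcs-mismatch': a filesystem object labelled with categories this sandbox
    instance does not dominate, i.e. left behind by a different sandbox run;
    the MCS constraint blocks it regardless of any allow rule.
    'te': a plain type-enforcement gap between the two types."""
    scats = categories(parse_context(rec["scontext"])["range"])
    tcats = categories(parse_context(rec["tcontext"])["range"])
    if rec["tclass"] in FS_CLASSES and tcats and not scats >= tcats:
        return "mcs-mismatch"
    return "te"


def analyze(log_text):
    """Parse every AVC denial in log_text and attach target type and verdict."""
    records = [r for r in (parse_record(l) for l in log_text.splitlines()) if r]
    for rec in records:
        rec["ttype"] = parse_context(rec["tcontext"])["type"]
        rec["verdict"] = classify(rec)
    return records


def summarize(records):
    """Union of denied permissions per (target type, verdict)."""
    summary = defaultdict(set)
    for rec in records:
        summary[(rec["ttype"], rec["verdict"])] |= rec["perms"]
    return dict(summary)


if __name__ == "__main__":
    for r in analyze(SAMPLE_AUDIT_LOG):
        print(f'{r["comm"]:<14} {r["tclass"]:<18} {r["ttype"]:<16} {r["verdict"]:<13} '
              f'{" ".join(sorted(r["perms"])):<18} {r["target"]!r}')
```

Two things fall out of the run. The cache files named by 40-hex-digit hashes under user_tmp_t carry c135,c450 or c114,c991 while this instance runs as c460,c691: those objects were created by earlier sandbox invocations, and the per-instance MCS categories the sandbox relies on for isolation would keep denying them even if sandbox_web_client_t were allowed user_tmp_t. The remaining denials (user_tmp_t:s0 objects created outside any sandbox, lib_t execute_no_trans, the commplex_port_t name_connect, and the connectto to a staff_t socket) are ordinary type-enforcement gaps. The kded4 path decodes to a string starting with a NUL byte, so the socket it tried is in the abstract namespace and SELinux's connectto check is the only thing mediating it. The dev= and ino= fields answer the question in Comment 1 directly, e.g. `find /var/tmp /tmp -xdev -inum 152058` on the reporter's machine.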

Comment 1 Daniel Walsh 2010-11-15 15:08:02 UTC
Are those files located in /var/tmp?

