SELinux is preventing /usr/lib/nspluginwrapper/npviewer.bin from 'read, write' accesses on the chr_file card0.

*****  Plugin catchall_boolean (89.3 confidence) suggests  *******************

If you want to allow regular users direct dri device access
Then you must tell SELinux about this by enabling the 'user_direct_dri' boolean.
Do
# setsebool -P user_direct_dri 1

*****  Plugin catchall (11.6 confidence) suggests  ***************************

If you want to allow npviewer.bin to have read write access on the card0 chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep /usr/lib/nspluginwrapper/npviewer.bin /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023
Target Context                system_u:object_r:dri_device_t:s0
Target Objects                card0 [ chr_file ]
Source                        npviewer.bin
Source Path                   /usr/lib/nspluginwrapper/npviewer.bin
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           nspluginwrapper-1.3.0-14.fc14
Target RPM Packages
Policy RPM                    selinux-policy-3.9.8-4.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.36-1.fc15.i686.PAE #1 SMP Thu Oct 21 04:31:09 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Sun 14 Nov 2010 09:16:02 AM EST
Last Seen                     Sun 14 Nov 2010 09:16:02 AM EST
Local ID                      8dc7be3a-fc1f-43c4-abde-a77e3471bcd7

Raw Audit Messages
type=AVC msg=audit(1289744162.949:382): avc: denied { read write } for pid=2530 comm="npviewer.bin" name="card0" dev=devtmpfs ino=6426 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file

npviewer.bin,nsplugin_t,dri_device_t,chr_file,read,write

type=SYSCALL msg=audit(1289744162.949:382): arch=i386 syscall=open success=no exit=EACCES a0=998bee8 a1=2 a2=bfc68fa8 a3=3334080 items=0 ppid=2518 pid=2530 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=npviewer.bin exe=/usr/lib/nspluginwrapper/npviewer.bin subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null)

npviewer.bin,nsplugin_t,dri_device_t,chr_file,read,write

#============= nsplugin_t ==============
#!!!! This avc can be allowed using the boolean 'user_direct_dri'

allow nsplugin_t dri_device_t:chr_file { read write };
What plugin were you using that caused this AVC? Flash? If so, does flash work?
Yes, using Flash, and it works. Not sure what's causing it, this is one of the many warnings I get at boot.
Turn on the boolean.

# setsebool -P user_direct_dri 1

Did you read the analysis? Why did you think this needed to be reported as a bug?
Didn't understand the warning
ok