Bug 691467 - SELinux is preventing /sbin/consoletype from 'write' accesses on the file /home/john/.mozilla/firefox/lybrs0rk.default/.parentlock.
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 14
Hardware: i386
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:8d693db5487...
Reported: 2011-03-28 16:02 UTC by John
Modified: 2011-04-17 09:06 UTC

Doc Type: Bug Fix
Last Closed: 2011-04-17 09:06:24 UTC

Description John 2011-03-28 16:02:44 UTC
SELinux is preventing /sbin/consoletype from 'write' accesses on the file /home/(removed)/.mozilla/firefox/lybrs0rk.default/.parentlock.

*****  Plugin leaks (50.5 confidence) suggests  ******************************

If you want to ignore consoletype trying to write access the .parentlock file, because you believe it should not need this access.
Then you should report this as a bug.  
You can generate a local policy module to dontaudit this access.
Do
# grep /sbin/consoletype /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

*****  Plugin catchall (50.5 confidence) suggests  ***************************

If you believe that consoletype should be allowed write access on the .parentlock file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep consoletype /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:system_r:consoletype_t:s0
Target Context                unconfined_u:object_r:mozilla_home_t:s0
Target Objects                /home/(removed)/.mozilla/firefox/lybrs0rk.default/.pare
                              ntlock [ file ]
Source                        consoletype
Source Path                   /sbin/consoletype
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           initscripts-9.20.2-1.fc14.1
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-37.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.11-83.fc14.i686 #1 SMP Mon Feb 7
                              07:04:18 UTC 2011 i686 i686
Alert Count                   2
First Seen                    Mon 28 Mar 2011 04:54:58 PM BST
Last Seen                     Mon 28 Mar 2011 04:54:59 PM BST
Local ID                      1bb469ba-5a55-4955-872c-cade33eff0f4

Raw Audit Messages
type=AVC msg=audit(1301327699.137:28249): avc:  denied  { write } for  pid=3254 comm="consoletype" path="/home/(removed)/.mozilla/firefox/lybrs0rk.default/.parentlock" dev=dm-2 ino=1573288 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:object_r:mozilla_home_t:s0 tclass=file


type=AVC msg=audit(1301327699.137:28249): avc:  denied  { read } for  pid=3254 comm="consoletype" path="/dev/urandom" dev=devtmpfs ino=4037 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file


type=AVC msg=audit(1301327699.137:28249): avc:  denied  { read } for  pid=3254 comm="consoletype" path="/home/(removed)/.mozilla/firefox/lybrs0rk.default/XUL.mfasl" dev=dm-2 ino=1573364 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:object_r:mozilla_home_t:s0 tclass=file


type=AVC msg=audit(1301327699.137:28249): avc:  denied  { read write } for  pid=3254 comm="consoletype" path="socket:[358983]" dev=sockfs ino=358983 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=tcp_socket


type=AVC msg=audit(1301327699.137:28249): avc:  denied  { read write } for  pid=3254 comm="consoletype" path="/home/(removed)/.mozilla/firefox/lybrs0rk.default/Cache/_CACHE_MAP_" dev=dm-2 ino=1575073 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:object_r:mozilla_home_t:s0 tclass=file


type=AVC msg=audit(1301327699.137:28249): avc:  denied  { read write } for  pid=3254 comm="consoletype" path="/home/(removed)/.mozilla/firefox/lybrs0rk.default/Cache/_CACHE_001_" dev=dm-2 ino=1575094 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:object_r:mozilla_home_t:s0 tclass=file


type=AVC msg=audit(1301327699.137:28249): avc:  denied  { read write } for  pid=3254 comm="consoletype" path="/home/(removed)/.mozilla/firefox/lybrs0rk.default/Cache/_CACHE_002_" dev=dm-2 ino=1575097 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:object_r:mozilla_home_t:s0 tclass=file


type=AVC msg=audit(1301327699.137:28249): avc:  denied  { read write } for  pid=3254 comm="consoletype" path="/home/(removed)/.mozilla/firefox/lybrs0rk.default/Cache/_CACHE_003_" dev=dm-2 ino=1575100 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:object_r:mozilla_home_t:s0 tclass=file


type=AVC msg=audit(1301327699.137:28249): avc:  denied  { read } for  pid=3254 comm="consoletype" path="/home/(removed)/.mozilla/firefox/lybrs0rk.default/XPC.mfasl" dev=dm-2 ino=1573291 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:object_r:mozilla_home_t:s0 tclass=file


type=SYSCALL msg=audit(1301327699.137:28249): arch=i386 syscall=execve success=yes exit=0 a0=950a4d0 a1=950af00 a2=950af90 a3=950af00 items=0 ppid=3253 pid=3254 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=consoletype exe=/sbin/consoletype subj=unconfined_u:system_r:consoletype_t:s0 key=(null)

Hash: consoletype,consoletype_t,mozilla_home_t,file,write

audit2allow

#============= consoletype_t ==============
allow consoletype_t mozilla_home_t:file { write read };
allow consoletype_t unconfined_t:tcp_socket { read write };
#!!!! This avc can be allowed using the boolean 'global_ssp'

allow consoletype_t urandom_device_t:chr_file read;

audit2allow -R

#============= consoletype_t ==============
allow consoletype_t mozilla_home_t:file { write read };
allow consoletype_t unconfined_t:tcp_socket { read write };
#!!!! This avc can be allowed using the boolean 'global_ssp'

allow consoletype_t urandom_device_t:chr_file read;

Comment 1 Miroslav Grepl 2011-03-29 11:44:33 UTC
What tool were you using when this happened?

