Bug 728533 - SELinux is preventing /usr/lib/nspluginwrapper/plugin-config from 'use' accesses on the fd /dev/pts/0.
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 16
Hardware: i686
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:881da3556b25649e109e3fe1bcb...
Reported: 2011-08-05 12:50 UTC by Mads Kiilerich
Modified: 2011-08-23 20:25 UTC

Fixed In Version: selinux-policy-3.10.0-18.fc16
Doc Type: Bug Fix
Last Closed: 2011-08-23 20:25:37 UTC

Description Mads Kiilerich 2011-08-05 12:50:06 UTC
abrt version: 2.0.5
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.0.0-4.1.fc16.i686
reason:         SELinux is preventing /usr/lib/nspluginwrapper/plugin-config from 'use' accesses on the fd /dev/pts/0.
time:           Fri Aug  5 14:49:53 2011

:SELinux is preventing /usr/lib/nspluginwrapper/plugin-config from 'use' accesses on the fd /dev/pts/0.
:*****  Plugin catchall_boolean (80.5 confidence) suggests  *******************
:If you want to allow all domains to use other domains file descriptors
:Then you must tell SELinux about this by enabling the 'allow_domain_fd_use' boolean.
:setsebool -P allow_domain_fd_use 1
:*****  Plugin catchall (10.5 confidence) suggests  ***************************
:If you believe that plugin-config should be allowed use access on the 0 fd by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:allow this access for now by executing:
:# grep plugin-config /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:*****  Plugin leaks (10.5 confidence) suggests  ******************************
:If you want to ignore plugin-config trying to use access the 0 fd, because you believe it should not need this access.
:Then you should report this as a bug.  
:You can generate a local policy module to dontaudit this access.
:# grep /usr/lib/nspluginwrapper/plugin-config /var/log/audit/audit.log | audit2allow -D -M mypol
:# semodule -i mypol.pp
:Additional Information:
:Source Context                unconfined_u:unconfined_r:nsplugin_config_t:s0-s0:
:                              c0.c1023
:Target Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
:Target Objects                /dev/pts/0 [ fd ]
:Source                        plugin-config
:Source Path                   /usr/lib/nspluginwrapper/plugin-config
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           nspluginwrapper-1.4.0-1.fc16
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-15.fc16
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Permissive
:Host Name                     (removed)
:Platform                      Linux (removed)
:                              3.0.0-4.1.fc16.i686.PAE #1 SMP Thu Aug 4 19:22:07
:                              UTC 2011 i686 i686
:Alert Count                   1
:First Seen                    Fri 05 Aug 2011 02:42:05 PM CEST
:Last Seen                     Fri 05 Aug 2011 02:42:05 PM CEST
:Local ID                      e8aea11f-b3a1-4943-8e65-94f22f7c987c
:Raw Audit Messages
:type=AVC msg=audit(1312548125.906:56): avc:  denied  { use } for  pid=1363 comm="plugin-config" path="/dev/pts/0" dev=devpts ino=3 scontext=unconfined_u:unconfined_r:nsplugin_config_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=fd
:type=SYSCALL msg=audit(1312548125.906:56): arch=i386 syscall=execve success=yes exit=0 a0=8a60170 a1=8a5bc88 a2=8a5fa98 a3=8a5bc88 items=0 ppid=1361 pid=1363 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm=plugin-config exe=/usr/lib/nspluginwrapper/plugin-config subj=unconfined_u:unconfined_r:nsplugin_config_t:s0-s0:c0.c1023 key=(null)
:Hash: plugin-config,nsplugin_config_t,sshd_t,fd,use
:#============= nsplugin_config_t ==============
:#!!!! This avc can be allowed using the boolean 'allow_domain_fd_use'
:allow nsplugin_config_t sshd_t:fd use;
:audit2allow -R
:#============= nsplugin_config_t ==============
:#!!!! This avc can be allowed using the boolean 'allow_domain_fd_use'
:allow nsplugin_config_t sshd_t:fd use;

Comment 1 Mads Kiilerich 2011-08-05 12:51:30 UTC
I ran firefox through ssh -X.

No "evil" plugins installed.

Comment 2 Daniel Walsh 2011-08-05 14:28:57 UTC
We should allow this, and Miroslav, it is time to turn the allow_domain_fd_use boolean on for F16. We can continue fixing these in F17.

Fixed in selinux-policy-3.10.0-16.fc16

Comment 3 Miroslav Grepl 2011-08-11 11:50:10 UTC
Turned on.

Comment 4 Fedora Update System 2011-08-11 20:34:43 UTC
selinux-policy-3.10.0-18.fc16 has been submitted as an update for Fedora 16.

Comment 5 Fedora Update System 2011-08-12 04:22:04 UTC
Package selinux-policy-3.10.0-18.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-18.fc16'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).

Comment 6 Fedora Update System 2011-08-23 20:24:53 UTC
selinux-policy-3.10.0-18.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
