Bug 749780 - SELinux is preventing /usr/lib/nspluginwrapper/npviewer.bin from 'execmod' accesses on the file /usr/lib/flash-plugin/libflashplayer.so.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 15
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:f0c0682990d...
Depends On:
Blocks: 494832
Reported: 2011-10-28 10:45 UTC by Patrick C. F. Ernzer
Modified: 2011-12-04 02:38 UTC (History)

Fixed In Version: selinux-policy-3.9.16-48.fc15
Clone Of:
Environment:
Last Closed: 2011-12-04 02:38:09 UTC
Type: ---
Embargoed:



Description Patrick C. F. Ernzer 2011-10-28 10:45:40 UTC
SELinux is preventing /usr/lib/nspluginwrapper/npviewer.bin from 'execmod' accesses on the file /usr/lib/flash-plugin/libflashplayer.so.

*****  Plugin allow_execmod (91.4 confidence) suggests  **********************

If you want to allow npviewer.bin to have execmod access on the libflashplayer.so file
Then you need to change the label on '/usr/lib/flash-plugin/libflashplayer.so'
Do
# semanage fcontext -a -t textrel_shlib_t '/usr/lib/flash-plugin/libflashplayer.so'
# restorecon -v '/usr/lib/flash-plugin/libflashplayer.so'

*****  Plugin catchall (9.59 confidence) suggests  ***************************

If you believe that npviewer.bin should be allowed execmod access on the libflashplayer.so file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep npviewer.bin /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:sandbox_web_client_t:s0:
                              c599,c771
Target Context                system_u:object_r:lib_t:s0
Target Objects                /usr/lib/flash-plugin/libflashplayer.so [ file ]
Source                        npviewer.bin
Source Path                   /usr/lib/nspluginwrapper/npviewer.bin
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           nspluginwrapper-1.4.4-1.fc15
Target RPM Packages           flash-plugin-11.0.1.152-release
Policy RPM                    selinux-policy-3.9.16-39.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.40.6-0.fc15.x86_64 #1 SMP Tue Oct 4 00:39:50
                              UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 26 Oct 2011 21:35:19 EEST
Last Seen                     Wed 26 Oct 2011 21:35:19 EEST
Local ID                      eaed1ace-ccbf-4655-92c3-a33862f0806b

Raw Audit Messages
type=AVC msg=audit(1319654119.891:1067): avc:  denied  { execmod } for  pid=5433 comm="npviewer.bin" path="/usr/lib/flash-plugin/libflashplayer.so" dev=dm-1 ino=37813 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c599,c771 tcontext=system_u:object_r:lib_t:s0 tclass=file


type=SYSCALL msg=audit(1319654119.891:1067): arch=i386 syscall=capget per=8 success=no exit=EACCES a0=8c1000 a1=fc7000 a2=5 a3=ff899070 items=0 ppid=5349 pid=5433 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=npviewer.bin exe=/usr/lib/nspluginwrapper/npviewer.bin subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c599,c771 key=(null)

Hash: npviewer.bin,sandbox_web_client_t,lib_t,file,execmod

audit2allow

#============= sandbox_web_client_t ==============
allow sandbox_web_client_t lib_t:file execmod;

audit2allow -R

#============= sandbox_web_client_t ==============
allow sandbox_web_client_t lib_t:file execmod;


Flash applets are a good thing to run in a sandbox.
Can we please enable this access by default? Or is there a risk this access would surprise the user by not containing the flash as tightly as expected?

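The denial and the label fix above, as an added example that is not part of the bug report: a POSIX shell script that parses an AVC record of the kind quoted in the description (the sample line is the one from this report), pulls out the source domain, target type and denied permission, checks with readelf whether the library really carries a TEXTREL tag (which is what justifies the narrow textrel_shlib_t label rather than a broad allow rule), and prints the persistent fcontext/restorecon commands. The function names (`avc_field`, `suggest_fix`, `has_textrel`, and so on) are my own.

```shell
#!/bin/sh
# Added example (not from the bug report): triage an SELinux execmod AVC denial.
# textrel_shlib_t relaxes the execmod (W^X) check for that one library only, so
# confirm the object really has text relocations before applying the label.
# AVC record copied from the report; a real run would read /var/log/audit/audit.log.
SAMPLE_AVC='type=AVC msg=audit(1319654119.891:1067): avc:  denied  { execmod } for  pid=5433 comm="npviewer.bin" path="/usr/lib/flash-plugin/libflashplayer.so" dev=dm-1 ino=37813 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c599,c771 tcontext=system_u:object_r:lib_t:s0 tclass=file'

# avc_field LINE KEY: print the value of " KEY=..." with surrounding quotes removed.
avc_field() {
    rest=${1#*" $2="}
    [ "$rest" = "$1" ] && return 1      # key not present in this record
    val=${rest%% *}
    val=${val#\"}
    val=${val%\"}
    printf '%s\n' "$val"
}
# avc_perm LINE: print the permission(s) listed inside "{ ... }".
avc_perm() { printf '%s\n' "$1" | sed -n 's/.*{ \([a-z_ ]*\) }.*/\1/p'; }
# ctx_type CONTEXT: the type field (third component) of an SELinux context.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }
# has_textrel FILE: true when readelf reports a TEXTREL dynamic tag on the object.
has_textrel() { readelf -d "$1" 2>/dev/null | grep -q TEXTREL; }

# suggest_fix LINE: "relabel PATH" for a file execmod denial, else "investigate PATH".
suggest_fix() {
    if [ "$(avc_perm "$1")" = execmod ] && [ "$(avc_field "$1" tclass)" = file ]; then
        printf 'relabel %s\n' "$(avc_field "$1" path)"
    else
        printf 'investigate %s\n' "$(avc_field "$1" path)"
    fi
}
# relabel_commands PATH: the persistent fix from the setroubleshoot advice (a
# file-context rule survives a later restorecon, unlike a bare chcon).
relabel_commands() {
    printf "semanage fcontext -a -t textrel_shlib_t '%s'\n" "$1"
    printf "restorecon -v '%s'\n" "$1"
}

verdict=$(suggest_fix "$SAMPLE_AVC")
path=${verdict#* }
printf '%s: %s -> %s on %s\n' "$(avc_field "$SAMPLE_AVC" comm)" \
    "$(ctx_type "$(avc_field "$SAMPLE_AVC" scontext)")" \
    "$(ctx_type "$(avc_field "$SAMPLE_AVC" tcontext)")" "$path"
if [ "${verdict%% *}" != relabel ]; then
    echo "not a file execmod denial; review with audit2allow before adding policy"
elif [ -e "$path" ] && ! has_textrel "$path"; then
    echo "no TEXTREL tag in $path: find the real cause before relaxing policy"
else
    relabel_commands "$path"
fi
```

If the library is absent on the machine running the script (as in an offline review of someone else's audit log), the TEXTREL check is skipped and only the relabel commands are printed.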
Comment 1 Daniel Walsh 2011-10-28 14:01:50 UTC
The alert tells you what to do.
# restorecon -v '/usr/lib/flash-plugin/libflashplayer.so'

Comment 2 Patrick C. F. Ernzer 2011-11-01 14:27:26 UTC
sorry, no;
[root@machine ~]# ls -lZ /usr/lib/flash-plugin/libflashplayer.so
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       /usr/lib/flash-plugin/libflashplayer.so
[root@machine ~]# restorecon -v /usr/lib/flash-plugin/libflashplayer.so
[root@machine ~]# ls -lZ /usr/lib/flash-plugin/libflashplayer.so
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       /usr/lib/flash-plugin/libflashplayer.so


[pcfe@machine ~]$ sandbox -t sandbox_web_t -i /home/pcfe/.mozilla/firefox/2t6fot86.for_sandbox -w 1600x1118 -W metacity -X firefox  http://www.youtube.com

then get to any video (and do not log in so you do not potentially end up in the html5 view)

type=AVC msg=audit(1320157342.486:3805): avc:  denied  { execmod } for  pid=23869 comm="npviewer.bin" path="/usr/lib/flash-plugin/libflashplayer.so" dev=dm-1 ino=37813 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c667,c725 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1320157342.486:3805): arch=40000003 syscall=125 per=8 success=no exit=-13 a0=d23000 a1=fc7000 a2=5 a3=fff37680 items=0 ppid=23787 pid=23869 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="npviewer.bin" exe="/usr/lib/nspluginwrapper/npviewer.bin" subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c667,c725 key=(null)



Note, this is only a problem in the sandbox. In non-sandboxed Firefox, the plugin works fine.

Comment 3 Miroslav Grepl 2011-11-02 13:40:53 UTC
chcon -t textrel_shlib_t '/usr/lib/flash-plugin/libflashplayer.so'

Comment 4 Patrick C. F. Ernzer 2011-11-04 14:36:58 UTC
Yupp, that works. Both with and without sandbox.
Thanks.

Should this be adjusted in the default policy (presuming it is not already) or should I try and open a bug with Adobe?

Comment 5 Daniel Walsh 2011-11-04 17:53:59 UTC
Yes, we bring this label back every other adobe release...

Comment 6 Fedora Update System 2011-11-16 16:19:44 UTC
selinux-policy-3.9.16-48.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-48.fc15

Comment 7 Fedora Update System 2011-11-17 23:38:12 UTC
Package selinux-policy-3.9.16-48.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-48.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-16023/selinux-policy-3.9.16-48.fc15
then log in and leave karma (feedback).

Comment 8 Fedora Update System 2011-12-04 02:38:09 UTC
selinux-policy-3.9.16-48.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

