Bug 785186 - AVC from npviewer.bin - watching flash on hulu.com
Product: Fedora
Classification: Fedora
Component: selinux-policy
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
: SELinux
Reported: 2012-01-27 10:08 EST by Tom London
Modified: 2013-08-29 10:31 EDT
Doc Type: Bug Fix
Last Closed: 2013-08-29 10:31:39 EDT
Description Tom London 2012-01-27 10:08:58 EST
Description of problem:
I get this AVC from npviewer.bin when I watch some clips on hulu.com.

SELinux is preventing /usr/lib64/nspluginwrapper/npviewer.bin from execstack access on the None .

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that npviewer.bin should be allowed execstack access on the  <Unknown> by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# grep npviewer.bin /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                staff_u:staff_r:mozilla_plugin_t:s0-s0:c0.c1023
Target Context                staff_u:staff_r:mozilla_plugin_t:s0-s0:c0.c1023
Target Objects                 [ None ]
Source                        npviewer.bin
Source Path                   /usr/lib64/nspluginwrapper/npviewer.bin
Port                          <Unknown>
Host                          tlondon.localhost.org
Source RPM Packages           nspluginwrapper-1.4.4-2.fc17.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-80.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     tlondon.localhost.org
Platform                      Linux tlondon.localhost.org
                              3.3.0-0.rc1.git3.1.fc17.x86_64 #1 SMP Thu Jan 26
                              01:48:20 UTC 2012 x86_64 x86_64
Alert Count                   5
First Seen                    Thu 26 Jan 2012 06:46:24 AM PST
Last Seen                     Fri 27 Jan 2012 07:02:16 AM PST
Local ID                      85b61157-196d-4386-b56d-a67d3aee9a67

Raw Audit Messages
type=AVC msg=audit(1327676536.378:65): avc:  denied  { execstack } for  pid=1671 comm="npviewer.bin" scontext=staff_u:staff_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=process
node=tlondon.localhost.org type=SYSCALL msg=audit(1327676536.378:65): arch=c000003e syscall=10 success=no exit=-13 a0=7fff5a9bb000 a1=1000 a2=1000007 a3=3b70820000 items=0 ppid=1589 pid=1671 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="npviewer.bin" exe="/usr/lib64/nspluginwrapper/npviewer.bin" subj=staff_u:staff_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)

Hash: npviewer.bin,mozilla_plugin_t,mozilla_plugin_t,None,execstack


audit2allow -R

Version-Release number of selected component (if applicable):

How reproducible:
Every time.... May have to watch several clips.

Steps to Reproduce:
Actual results:

Expected results:

Additional info:
Comment 1 Fedora End Of Life 2013-04-03 13:43:11 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.

(As we did not run this process for some time, it could affect also pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)

More information and reason for this action is here:
Comment 2 Martin Stransky 2013-08-29 09:28:50 EDT
Not sure we want to allow flash the execstack... but that's a question for selinux folks.
Comment 3 Daniel Walsh 2013-08-29 10:31:39 EDT
We now give this access by default.
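
An added example, not part of the bug report or of any Fedora tooling: a Python sketch for triaging the denial in the description by pairing the AVC record with the SYSCALL record that shares its audit event id and decoding the syscall arguments. It assumes x86_64 (arch=c000003e, where syscall 10 is mprotect) and hexadecimal a0..a3 fields; the function names are hypothetical and the sample is the report's two records trimmed to the fields used.

```python
import re

# Constructed sample: the two audit records from the report, trimmed to the
# fields this example reads.
SAMPLE = (
    'type=AVC msg=audit(1327676536.378:65): avc:  denied  { execstack } for  '
    'pid=1671 comm="npviewer.bin" '
    'scontext=staff_u:staff_r:mozilla_plugin_t:s0-s0:c0.c1023 '
    'tcontext=staff_u:staff_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=process\n'
    'type=SYSCALL msg=audit(1327676536.378:65): arch=c000003e syscall=10 '
    'success=no exit=-13 a0=7fff5a9bb000 a1=1000 a2=1000007 a3=3b70820000 '
    'pid=1671 comm="npviewer.bin"\n'
)

# mprotect(2) protection bits from <sys/mman.h> on Linux.
PROT_BITS = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC",
             0x01000000: "PROT_GROWSDOWN", 0x02000000: "PROT_GROWSUP"}
X86_64_ARCH, SYS_MPROTECT = "c000003e", 10  # assumption: x86_64 syscall table

def fields(record):
    """Return the key=value pairs of one audit record as a dict."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', record)}

def decode_prot(value):
    """Name the protection bits set in an mprotect prot argument."""
    names = [name for bit, name in PROT_BITS.items() if value & bit]
    unknown = value & ~sum(PROT_BITS)
    return names + ([hex(unknown)] if unknown else [])

def explain(log):
    """Pair each AVC denial with the SYSCALL record sharing its audit event id."""
    events = {}
    for line in log.splitlines():
        m = re.match(r'type=(\w+) msg=audit\(([\d.]+:\d+)\):', line)
        if m:
            events.setdefault(m.group(2), {})[m.group(1)] = line
    out = []
    for event_id, recs in events.items():
        if "AVC" not in recs or "SYSCALL" not in recs:
            continue  # a denial without its syscall record cannot be decoded
        perms = re.search(r'\{ ([^}]+) \}', recs["AVC"]).group(1).split()
        sc = fields(recs["SYSCALL"])
        row = {"event": event_id, "perms": perms, "comm": sc.get("comm")}
        if sc.get("arch") == X86_64_ARCH and int(sc["syscall"]) == SYS_MPROTECT:
            row.update(call="mprotect", addr=int(sc["a0"], 16),
                       length=int(sc["a1"], 16), prot=decode_prot(int(sc["a2"], 16)))
        out.append(row)
    return out
```

For the reported event, `explain(SAMPLE)` shows an mprotect on 0x1000 bytes at 0x7fff5a9bb000 with PROT_READ, PROT_WRITE, PROT_EXEC and PROT_GROWSDOWN, a request to make a grows-down (stack) mapping executable, which is the operation the execstack permission gates.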
