Bug 806694 - SELinux is preventing /usr/lib64/xulrunner-2/plugin-container from 'write' accesses on the directory at-spi2.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 17
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:5d0f2f9f88cc0a037d97771b5e3...
Depends On:
Blocks:
Reported: 2012-03-26 02:32 UTC by Charles R. Anderson
Modified: 2012-12-15 19:35 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-12-15 19:35:41 UTC
Type: ---


Description Charles R. Anderson 2012-03-26 02:32:49 UTC
libreport version: 2.0.8
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.3.0-1.fc17.x86_64
reason:         SELinux is preventing /usr/lib64/xulrunner-2/plugin-container from 'write' accesses on the directory at-spi2.
time:           Sun 25 Mar 2012 10:32:30 PM EDT

description:
:SELinux is preven(removed)ing /usr/lib64/xulrunner-2/plugin-con(removed)ainer from 'wri(removed)e' accesses on (removed)he direc(removed)ory a(removed)-spi2.
:
:*****  Plugin ca(removed)chall (100. confidence) sugges(removed)s  ***************************
:
:If you believe (removed)ha(removed) plugin-con(removed)ainer should be allowed wri(removed)e access on (removed)he a(removed)-spi2 direc(removed)ory by defaul(removed).
:Then you should repor(removed) (removed)his as a bug.
:You can genera(removed)e a local policy module (removed)o allow (removed)his access.
:Do
:allow (removed)his access for now by execu(removed)ing:
:# grep plugin-con(removed)aine /var/log/audi(removed)/audi(removed).log | audi(removed)2allow -M mypol
:# semodule -i mypol.pp
:
:Addi(removed)ional Informa(removed)ion:
:Source Con(removed)ex(removed)                unconfined_u:unconfined_r:mozilla_plugin_(removed):s0-s0:c
:                              0.c1023
:Targe(removed) Con(removed)ex(removed)                sys(removed)em_u:objec(removed)_r:xdm_(removed)mp_(removed):s0
:Targe(removed) Objec(removed)s                a(removed)-spi2 [ dir ]
:Source                        plugin-con(removed)aine
:Source Pa(removed)h                   /usr/lib64/xulrunner-2/plugin-con(removed)ainer
:Por(removed)                          <Unknown>
:Hos(removed)                          (removed)
:Source RPM Packages           (removed)o(removed)em-mozplugin-3.3.90-2.fc17.x86_64
:Targe(removed) RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-104.fc17.noarch selinux-
:                              policy-3.10.0-106.fc17.noarch
:Selinux Enabled               True
:Policy Type                   (removed)arge(removed)ed
:Enforcing Mode                Enforcing
:Hos(removed) Name                     (removed)
:Pla(removed)form                      Linux (removed) 3.3.0-1.fc17.x86_64 #1 SMP Mon Mar 19
:                              03:03:39 UTC 2012 x86_64 x86_64
:Aler(removed) Coun(removed)                   10
:Firs(removed) Seen                    Sun 25 Mar 2012 10:18:26 PM EDT
:Las(removed) Seen                     Sun 25 Mar 2012 10:26:07 PM EDT
:Local ID                      0c54a5af-86ea-4ff3-897f-5df27f056693
:
:Raw Audi(removed) Messages
:(removed)ype=AVC msg=audi(removed)(1332728767.141:419): avc:  denied  { wri(removed)e } for  pid=7442 comm="(removed)o(removed)em-plugin-vi" name="a(removed)-spi2" dev="dm-1" ino=262184 scon(removed)ex(removed)=unconfined_u:unconfined_r:mozilla_plugin_(removed):s0-s0:c0.c1023 (removed)con(removed)ex(removed)=sys(removed)em_u:objec(removed)_r:xdm_(removed)mp_(removed):s0 (removed)class=dir
:
:
:(removed)ype=SYSCALL msg=audi(removed)(1332728767.141:419): arch=x86_64 syscall=bind success=no exi(removed)=EACCES a0=8 a1=7fffcebaa350 a2=25 a3=7fffcebaa040 i(removed)ems=0 ppid=1 pid=7442 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 (removed)(removed)y=(none) ses=10 comm=(removed)o(removed)em-plugin-vi exe=/usr/libexec/(removed)o(removed)em-plugin-viewer subj=unconfined_u:unconfined_r:mozilla_plugin_(removed):s0-s0:c0.c1023 key=(null)
:
:Hash: plugin-con(removed)aine,mozilla_plugin_(removed),xdm_(removed)mp_(removed),dir,wri(removed)e
:
:audi(removed)2allowunable (removed)o open /sys/fs/selinux/policy:  Permission denied
:
:
:audi(removed)2allow -Runable (removed)o open /sys/fs/selinux/policy:  Permission denied
:
:

Comment 1 Miroslav Grepl 2012-03-26 14:11:47 UTC
Could you please execute

# ausearch -m avc |grep mozilla_plugin_t

Comment 2 Pavel Ondračka 2012-05-20 08:43:42 UTC
# ausearch -m avc |grep mozilla_plugin_t
type=AVC msg=audit(1337495227.984:393): avc:  denied  { setattr } for  pid=6043 comm="plugin-containe" name="at-spi2" dev="sda4" ino=262190 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1337495227.984:394): avc:  denied  { write } for  pid=6043 comm="plugin-containe" name="at-spi2" dev="sda4" ino=262190 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
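
Added example (not part of the bug report, and not code from setroubleshoot or the audit tools): a Python parser that groups the AVC records from Comment 2 by source type, target type and object class, so the access a local policy module built from them would grant can be reviewed before anything is loaded. The function names are hypothetical; the sample input is the two records posted in Comment 2.

```python
import re
from collections import defaultdict

# The two AVC records posted in Comment 2, embedded so the example runs offline.
SAMPLE = """\
type=AVC msg=audit(1337495227.984:393): avc:  denied  { setattr } for  pid=6043 comm="plugin-containe" name="at-spi2" dev="sda4" ino=262190 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1337495227.984:394): avc:  denied  { write } for  pid=6043 comm="plugin-containe" name="at-spi2" dev="sda4" ino=262190 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(ctx):
    """Return the type field of user:role:type[:mls]; the MLS range may contain ':'."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not an SELinux context: " + ctx)
    return parts[2]

def parse_avc(line):
    """Parse one AVC denial into a dict, or return None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return {"perms": set(m.group(1).split()),
            "source": context_type(fields["scontext"]),
            "target": context_type(fields["tcontext"]),
            "tclass": fields["tclass"],
            "name": fields.get("name", "?")}

def summarize(text):
    """Group denials by (source type, target type, class), merging permissions."""
    groups = defaultdict(lambda: {"perms": set(), "names": set()})
    for rec in filter(None, map(parse_avc, text.splitlines())):
        g = groups[(rec["source"], rec["target"], rec["tclass"])]
        g["perms"] |= rec["perms"]
        g["names"].add(rec["name"])
    return dict(groups)

def as_rules(groups):
    """Render each group as the allow rule a local policy module would carry."""
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(g["perms"])))
            for (s, t, c), g in sorted(groups.items())]

if __name__ == "__main__":
    print("\n".join(as_rules(summarize(SAMPLE))))
```

The resulting rule is keyed on types, not on the `at-spi2` name, so it would cover every directory labelled `xdm_tmp_t`, which is the scope to weigh before loading a generated module.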

Comment 3 Daniel Walsh 2012-05-21 14:04:36 UTC
I guess we need to fix the removing of the hostname code in setroubleshoot.

Chuck, did you actually see any loss of functionality, i.e. did the plugin seem to work OK?

Comment 4 Pavel Ondračka 2012-05-21 14:09:50 UTC
I did not notice any functionality loss, just the SELinux warning.

