Bug 818852 - SELinux alerts from plugin-container
SELinux alerts from plugin-container
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2012-05-04 04:08 EDT by Tim Waugh
Modified: 2012-06-22 09:08 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2012-06-22 09:08:16 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Tim Waugh 2012-05-04 04:08:04 EDT
Description of problem:
I get alerts of this type while browsing:

SELinux is preventing /usr/lib64/xulrunner-2/plugin-container from create access on the file wakeup.sxx.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that plugin-container should be allowed create access on the wakeup.sxx file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# grep plugin-containe /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                wakeup.sxx [ file ]
Source                        plugin-containe
Source Path                   /usr/lib64/xulrunner-2/plugin-container
Port                          <Unknown>
Host                          rubik.elk
Source RPM Packages           xulrunner-12.0-1.fc17.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-118.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     rubik.elk
Platform                      Linux rubik.elk 3.3.4-1.fc17.x86_64 #1 SMP Fri Apr
                              27 18:39:03 UTC 2012 x86_64 x86_64
Alert Count                   2
First Seen                    Fri 04 May 2012 09:00:45 BST
Last Seen                     Fri 04 May 2012 09:00:45 BST
Local ID                      81b212b7-0914-49d4-ab45-5512ce464804

Raw Audit Messages
type=AVC msg=audit(1336118445.406:946): avc:  denied  { create } for  pid=3134 comm="plugin-containe" name="wakeup.sxx" scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file

type=SYSCALL msg=audit(1336118445.406:946): arch=x86_64 syscall=open success=no exit=EACCES a0=7ffa15d0f040 a1=442 a2=1b6 a3=ffffff00 items=0 ppid=3084 pid=3134 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=2 comm=plugin-containe exe=/usr/lib64/xulrunner-2/plugin-container subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)

Hash: plugin-containe,mozilla_plugin_t,user_home_t,file,create

audit2allowunable to open /sys/fs/selinux/policy:  Permission denied

audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied

Version-Release number of selected component (if applicable):

How reproducible:
Additional info:
The *.sxx filename varies.
Comment 1 Martin Stransky 2012-05-04 04:17:15 EDT
plugin-container does not live itself, which plugin do you run there?
Comment 2 Tim Waugh 2012-05-04 04:20:04 EDT
I think it comes from flash-plugin.
Comment 3 Martin Stransky 2012-05-04 04:25:58 EDT
Does the flash-plugin crash or so? I'm not sure we want to allow it to lay files over the system...
Comment 4 Tim Waugh 2012-05-04 06:52:34 EDT
No, seems unaffected.
Comment 5 Martin Stransky 2012-05-04 07:19:05 EDT
Okay, I guess it's okay to disable flash to save files.
Comment 6 Daniel Walsh 2012-05-04 07:45:43 EDT
Tim do you know which directory it was trying to write this to?  Might be mislabeled content in the homedir?  Is there a flash directory in your homedir?
Comment 7 Tim Waugh 2012-05-04 10:35:25 EDT
Oh, restorecon -vR $HOME seems to have fixed it.
Comment 8 Daniel Walsh 2012-05-04 16:03:59 EDT
Yes mozilla_plugin can write to a bunch of subdirs in the homedir, but they have to be labelled correctly.
Comment 9 Thanh Bui 2012-06-08 05:20:16 EDT
If flash-plugin is running a .swf file which use flash.net.FileReference (1)
then selinux will prevent the .swf file (from saving file - for example) & throw this alert.

(1) http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/net/FileReference.html
Comment 10 Daniel Walsh 2012-06-08 06:55:09 EDT
I guess if you want this to work you would need to turn off the protection.

# setsebool -P unconfined_mozilla_plugin_transition = 1

Note You need to log in before you can comment on or make changes to this bug.