Description of problem:
SELinux is preventing /usr/bin/okular from 'read, write' accesses on the file icon-cache.kcache.

Version-Release number of selected component (if applicable):
selinux-policy-3.10.0-130.fc17.noarch

How reproducible:

Steps to Reproduce:
1. use okular mozilla plugin
2.
3.

Actual results:

Expected results:

Additional info:
SELinux is preventing /usr/bin/okular from 'read, write' accesses on the file icon-cache.kcache.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that okular should be allowed read write access on the icon-cache.kcache file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep okular /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0
Target Context                system_u:object_r:tmp_t:s0
Target Objects                icon-cache.kcache [ file ]
Source                        okular
Source Path                   /usr/bin/okular
Port                          <Unknown>
Host                          fedora17kde64
Source RPM Packages           okular-4.8.3-1.fc17.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-130.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora17kde64
Platform                      Linux fedora17kde64 3.4.0-1.fc17.x86_64 #1 SMP Sun Jun 3 06:35:17 UTC 2012 x86_64 x86_64
Alert Count                   2
First Seen                    Wed 13 Jun 2012 05:47:43 PM EDT
Last Seen                     Wed 13 Jun 2012 05:47:43 PM EDT
Local ID                      a595523e-a145-4ea1-97e8-b9a34c139e61

Raw Audit Messages
type=AVC msg=audit(1339624063.549:74): avc: denied { read write } for pid=3362 comm="okular" name="icon-cache.kcache" dev="sda3" ino=1833815 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file

type=SYSCALL msg=audit(1339624063.549:74): arch=x86_64 syscall=open success=no exit=EACCES a0=1b86418 a1=80042 a2=1b6 a3=a7 items=0 ppid=3361 pid=3362 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm=okular exe=/usr/bin/okular subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0 key=(null)

Hash: okular,mozilla_plugin_t,tmp_t,file,read,write

audit2allow
unable to open /sys/fs/selinux/policy: Permission denied

audit2allow -R
unable to open /sys/fs/selinux/policy: Permission denied

Where is the icon-cache.kcache file located? Did you run your machine in permissive mode?

find /tmp -name icon-cache.kcache

[root@fedora17kde64 GoinEasy9]# find /tmp -name icon-cache.kcache
[root@fedora17kde64 GoinEasy9]#

I did this while running okular in Firefox, nothing found. I haven't run in permissive mode since the original problem started (the .kde gnomeclock problem). I either have it enforcing, or disabled. I usually just change it temporarily to disabled for testing before I do a relabel.

Ok if it happens again, please reopen the bug. It could have been a permissive domain that created the file. We would expect that no "tmp_t" file can be created, that is why I asked if you were in permissive mode. If this happens again please reopen the bug.
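
Added example, not part of the original report or of the selinux-policy project: a Python parser for the AVC record quoted in this report. It extracts the source and target types, checks whether the denied target is a file carrying the generic tmp_t label (the case the permissive-mode question is about), and renders the denial as an allow rule in the form audit2allow uses. The function names are hypothetical; the only input is the AVC line copied from the report.

```python
import re

# AVC record copied from the report above; it is the only input used here.
SAMPLE = ('type=AVC msg=audit(1339624063.549:74): avc: denied { read write } '
          'for pid=3362 comm="okular" name="icon-cache.kcache" dev="sda3" '
          'ino=1833815 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0 '
          'tcontext=system_u:object_r:tmp_t:s0 tclass=file')

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
STAMP_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


def parse_avc(line):
    """Parse one AVC record into a dict; return None for any other line."""
    m = AVC_RE.search(line)
    if 'type=AVC' not in line or not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
    rec['result'] = m.group(1)
    rec['perms'] = set(m.group(2).split())
    stamp = STAMP_RE.search(line)
    if stamp:
        rec['time'], rec['serial'] = float(stamp.group(1)), int(stamp.group(2))
    for key in ('scontext', 'tcontext'):
        # A context is user:role:type:level; the level may contain ':' itself.
        parts = rec.get(key, '').split(':', 3)
        if len(parts) < 3:
            return None
        rec[key + '_type'] = parts[2]
    return rec


def generic_tmp_denial(rec):
    """True when the denied target is a file labelled with the generic tmp_t."""
    return (rec['result'] == 'denied' and rec.get('tclass') == 'file'
            and rec['tcontext_type'] == 'tmp_t')


def as_allow_rule(rec):
    """Render the denial as a type-enforcement allow rule (audit2allow's form)."""
    perms = ' '.join(sorted(rec['perms']))
    return 'allow %s %s:%s { %s };' % (rec['scontext_type'],
                                       rec['tcontext_type'], rec['tclass'], perms)


if __name__ == '__main__':
    record = parse_avc(SAMPLE)
    print(record['comm'], record['name'], generic_tmp_denial(record))
    print(as_allow_rule(record))
```

The rendered rule names the generic tmp_t type, so a local module built from it would apply to every file with that label rather than to icon-cache.kcache alone.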