Bug 832570 - SELinux is preventing /usr/bin/okular from 'read, write' accesses on the file icon-cache.kcache.
SELinux is preventing /usr/bin/okular from 'read, write' accesses on the file...
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2012-06-15 14:51 EDT by GoinEasy9
Modified: 2012-06-18 16:02 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2012-06-18 16:02:39 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description GoinEasy9 2012-06-15 14:51:29 EDT
Description of problem: SELinux is preventing /usr/bin/okular from 'read, write' accesses on the file icon-cache.kcache.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. use okular mozilla plugin
Actual results:

Expected results:

Additional info:
SELinux is preventing /usr/bin/okular from 'read, write' accesses on the file icon-cache.kcache.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that okular should be allowed read write access on the icon-cache.kcache file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# grep okular /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0
Target Context                system_u:object_r:tmp_t:s0
Target Objects                icon-cache.kcache [ file ]
Source                        okular
Source Path                   /usr/bin/okular
Port                          <Unknown>
Host                          fedora17kde64
Source RPM Packages           okular-4.8.3-1.fc17.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-130.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora17kde64
Platform                      Linux fedora17kde64 3.4.0-1.fc17.x86_64 #1 SMP Sun
                              Jun 3 06:35:17 UTC 2012 x86_64 x86_64
Alert Count                   2
First Seen                    Wed 13 Jun 2012 05:47:43 PM EDT
Last Seen                     Wed 13 Jun 2012 05:47:43 PM EDT
Local ID                      a595523e-a145-4ea1-97e8-b9a34c139e61

Raw Audit Messages
type=AVC msg=audit(1339624063.549:74): avc:  denied  { read write } for  pid=3362 comm="okular" name="icon-cache.kcache" dev="sda3" ino=1833815 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file

type=SYSCALL msg=audit(1339624063.549:74): arch=x86_64 syscall=open success=no exit=EACCES a0=1b86418 a1=80042 a2=1b6 a3=a7 items=0 ppid=3361 pid=3362 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm=okular exe=/usr/bin/okular subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0 key=(null)

Hash: okular,mozilla_plugin_t,tmp_t,file,read,write

audit2allowunable to open /sys/fs/selinux/policy:  Permission denied

audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied
Comment 1 Daniel Walsh 2012-06-15 16:11:19 EDT
Where is icon-cache.kcache file located?  Did you run your machine in permissive mode?

find /tmp -name icon-cache.kcache
Comment 2 GoinEasy9 2012-06-16 19:45:58 EDT
[root@fedora17kde64 GoinEasy9]# find /tmp -name icon-cache.kcache
[root@fedora17kde64 GoinEasy9]#

I did this while running okular in Firefox, nothing found.

I haven't run in permissive mode since the origional problem started (the .kde gnomeclock problem).  I either have it enforcing, or disabled.  I usually just change it temporarily to disabled for testing before I do a relabel.
Comment 3 Daniel Walsh 2012-06-18 16:02:39 EDT
Ok if it happens again, please reopen the bug.  It could have been a permissive domain that created the file.  We would expect that no "tmp_t" file can be created, that is why I asked if you were in permissive mode.

If this happens again please reopen the bug.

Note You need to log in before you can comment on or make changes to this bug.