Bug 834864 - SELinux is preventing /usr/lib64/libreoffice/program/soffice.bin from 'create' accesses on the file .execooooKnBTH.
SELinux is preventing /usr/lib64/libreoffice/program/soffice.bin from 'create...
Status: CLOSED CANTFIX
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
17
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
abrt_hash:a8b09735db73c2088872cfa334d...
:
: 907017 (view as bug list)
Depends On:
Blocks: 835301
  Show dependency treegraph
 
Reported: 2012-06-24 08:14 EDT by Odysseys
Modified: 2013-02-04 06:22 EST (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 835301 (view as bug list)
Environment:
Last Closed: 2012-06-25 16:55:37 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Odysseys 2012-06-24 08:14:03 EDT
libreport version: 2.0.10
executable:     /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel:         3.4.2-4.fc17.x86_64
time:           su 24. kesäkuuta 2012 15.13.27

description:
:SELinux is preventing /usr/lib64/libreoffice/program/soffice.bin from 'create' accesses on the file .execooooKnBTH.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that soffice.bin should be allowed create access on the .execooooKnBTH file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep soffice.bin /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
:                              0.c1023
:Target Context                unconfined_u:object_r:user_home_dir_t:s0
:Target Objects                .execooooKnBTH [ file ]
:Source                        soffice.bin
:Source Path                   /usr/lib64/libreoffice/program/soffice.bin
:Port                          <Tuntematon>
:Host                          (removed)
:Source RPM Packages           libreoffice-core-3.5.4.2-1.fc17.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-130.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.4.2-4.fc17.x86_64 #1 SMP Thu
:                              Jun 14 22:22:05 UTC 2012 x86_64 x86_64
:Alert Count                   1
:First Seen                    su 24. kesäkuuta 2012 15.11.23
:Last Seen                     su 24. kesäkuuta 2012 15.11.23
:Local ID                      67f733ea-92bd-4a96-8537-f3569ba4ea38
:
:Raw Audit Messages
:type=AVC msg=audit(1340539883.402:120): avc:  denied  { create } for  pid=3280 comm="soffice.bin" name=".execooooKnBTH" scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file
:
:
:type=SYSCALL msg=audit(1340539883.402:120): arch=x86_64 syscall=open success=no exit=EACCES a0=2e28f30 a1=c2 a2=180 a3=d15df8e1be items=0 ppid=3266 pid=3280 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm=soffice.bin exe=/usr/lib64/libreoffice/program/soffice.bin subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)
:
:Hash: soffice.bin,mozilla_plugin_t,user_home_dir_t,file,create
:
:audit2allowunable to open /sys/fs/selinux/policy:  Permission denied
:
:
:audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied
:
:
Comment 1 Daniel Walsh 2012-06-25 16:55:37 EDT
If you want to run mozplugin you have to disable SELinux enforcement. 

So either 

yum remove mozplugger

or

setsebool -P 
unconfined_mozilla_plugin_transition 0
Comment 2 Mr. Meval 2012-11-03 04:10:01 EDT
Selinux troubleshooter says that plugins from the browser do not have permission to write to the users home directory. This is most likely a good thing. 

I've not had a problem leaving this alone with mozplugger.

This is a curious case since anything done via plugin should be denied.

The last two lines which have been blocked in your selinux troubleshooter for some reason are as follows. That would be better than the boolean but not by much. What should happen is the plugin creator work with Fedora to have it's own directory for writes in the user directory. It's much more complicated and probably will not happen. I've been looking to see if it's possible to allow by binary name, still not optimal though.

#============= mozilla_plugin_t ==============
allow mozilla_plugin_t user_home_dir_t:file create;

audit2allow -R

#============= mozilla_plugin_t ==============
allow mozilla_plugin_t user_home_dir_t:file create;
Comment 3 Miroslav Grepl 2013-02-04 06:22:17 EST
*** Bug 907017 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.