Description of problem: SELinux is preventing /usr/bin/okular from write access on the file /home/GoinEasy9/Desktop/.directory Version-Release number of selected component (if applicable): selinux-policy-3.10.0-132.fc17.noarch How reproducible: Click on a link to a pdf file in Firefox. Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info: SELinux is preventing /usr/bin/okular from write access on the file /home/GoinEasy9/Desktop/.directory. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that okular should be allowed write access on the .directory file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep okular /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c 0.c1023 Target Context unconfined_u:object_r:user_home_t:s0 Target Objects /home/GoinEasy9/Desktop/.directory [ file ] Source okular Source Path /usr/bin/okular Port <Unknown> Host fedora17kde64 Source RPM Packages okular-4.8.4-1.fc17.x86_64 Target RPM Packages Policy RPM selinux-policy-3.10.0-132.fc17.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name fedora17kde64 Platform Linux fedora17kde64 3.4.3-1.fc17.x86_64 #1 SMP Mon Jun 18 19:53:17 UTC 2012 x86_64 x86_64 Alert Count 4 First Seen Thu 07 Jun 2012 04:49:13 PM EDT Last Seen Sun 24 Jun 2012 11:18:42 PM EDT Local ID cfb547f7-6ba6-4bbf-8efd-73f8bd11931c Raw Audit Messages type=AVC msg=audit(1340594322.702:164): avc: denied { write } for pid=15043 comm="okular" name=".directory" dev="sda4" ino=7864427 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file type=SYSCALL msg=audit(1340594322.702:164): arch=x86_64 syscall=access success=no exit=EACCES a0=1d8c6c8 a1=2 a2=1d8c6c8 a3=86 items=0 ppid=15042 pid=15043 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm=okular exe=/usr/bin/okular subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null) Hash: okular,mozilla_plugin_t,user_home_t,file,write audit2allowunable to open /sys/fs/selinux/policy: Permission denied audit2allow -Runable to open /sys/fs/selinux/policy: Permission denied ----------------------------------------------------------------------------- I closed Firefox and clicked on the link to the pdf a second time and was met with another AVC error. It was different from the first, but it also occurred when trying to replicate the problem for a third time. Listed below. ----------------------------------------------------------------------------- SELinux is preventing /usr/sbin/rpc.statd from using the setpcap capability. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that rpc.statd should have the setpcap capability by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep rpc.statd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:rpcd_t:s0 Target Context system_u:system_r:rpcd_t:s0 Target Objects [ capability ] Source rpc.statd Source Path /usr/sbin/rpc.statd Port <Unknown> Host fedora17kde64 Source RPM Packages nfs-utils-1.2.6-2.fc17.x86_64 Target RPM Packages Policy RPM selinux-policy-3.10.0-132.fc17.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name fedora17kde64 Platform Linux fedora17kde64 3.4.3-1.fc17.x86_64 #1 SMP Mon Jun 18 19:53:17 UTC 2012 x86_64 x86_64 Alert Count 17 First Seen Fri 15 Jun 2012 11:42:56 PM EDT Last Seen Sun 24 Jun 2012 11:28:14 PM EDT Local ID bd099e41-ceec-4d4d-8a8a-279b4a079a5c Raw Audit Messages type=AVC msg=audit(1340594894.467:33): avc: denied { setpcap } for pid=760 comm="rpc.statd" capability=8 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:system_r:rpcd_t:s0 tclass=capability type=SYSCALL msg=audit(1340594894.467:33): arch=x86_64 syscall=prctl success=no exit=EPERM a0=18 a1=0 a2=0 a3=0 items=0 ppid=759 pid=760 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=rpc.statd exe=/usr/sbin/rpc.statd subj=system_u:system_r:rpcd_t:s0 key=(null) Hash: rpc.statd,rpcd_t,rpcd_t,capability,setpcap audit2allowunable to open /sys/fs/selinux/policy: Permission denied audit2allow -Runable to open /sys/fs/selinux/policy: Permission denied
A fourth attempt brought back the AVC error that I reported in Bug # 832570. You closed that bug and asked me to reopen it if it happened again. Since it happened in this series, I'll just list it again here. As per the questions asked on the last report, no, I have not run under permissive mode. I've been on enforcing exclusively since installing selinux-policy-3.10.0-132.fc17.noarch. # find /tmp -name icon-cache.kcache returns nothing. SELinux is preventing /usr/bin/okular from 'read, write' accesses on the file icon-cache.kcache. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that okular should be allowed read write access on the icon-cache.kcache file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep okular /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c 0.c1023 Target Context system_u:object_r:tmp_t:s0 Target Objects icon-cache.kcache [ file ] Source okular Source Path /usr/bin/okular Port <Unknown> Host fedora17kde64 Source RPM Packages okular-4.8.4-1.fc17.x86_64 Target RPM Packages Policy RPM selinux-policy-3.10.0-132.fc17.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name fedora17kde64 Platform Linux fedora17kde64 3.4.3-1.fc17.x86_64 #1 SMP Mon Jun 18 19:53:17 UTC 2012 x86_64 x86_64 Alert Count 8 First Seen Thu 07 Jun 2012 04:49:07 PM EDT Last Seen Sun 24 Jun 2012 11:35:27 PM EDT Local ID fe871249-b741-4908-89b1-dc60dc71d26a Raw Audit Messages type=AVC msg=audit(1340595327.990:61): avc: denied { read write } for pid=1820 comm="okular" name="icon-cache.kcache" dev="sda3" ino=1833815 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=file type=SYSCALL msg=audit(1340595327.990:61): arch=x86_64 syscall=open success=no exit=EACCES a0=1a8a688 a1=80042 a2=1b6 a3=a7 items=0 ppid=1819 pid=1820 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm=okular exe=/usr/bin/okular subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null) Hash: okular,mozilla_plugin_t,tmp_t,file,read,write audit2allowunable to open /sys/fs/selinux/policy: Permission denied audit2allow -Runable to open /sys/fs/selinux/policy: Permission denied All of these errors occurred after clicking on the link: http://sourceforge.net/projects/edk2/files/General%20Documentation/SigningUefiImages%20-v1dot1.pdf/download in Firefox.
rpcd_t and setpcat issue is fixed in the latest policy build. Do you use mozplugger+okular?
I do use mozplugger, and mozpluggerrc does have okular listed. I've downloaded selinux-policy-3.10.0-133.fc17 and will test. Thanks for the quick response.
mozplugger and confining mozilla plugin do not work together. You either need to remove mozplugger or execute setsebool -P unconfined_mozilla_plugin_transition 0
Thanks Dan In the spirit of confining user space, I'll leave the boolean enabled and disable mozplugger, and see how/if that affects my browsing using Firefox.
*** This bug has been marked as a duplicate of bug 835301 ***
*** Bug 835624 has been marked as a duplicate of this bug. ***