857996 – SELinux is preventing /usr/bin/nspluginviewer from 'execute' accesses on the file /usr/lib64/mozilla/plugins-wrapped/nswrapper_32_64.libflashplayer.so.

Bug 857996 - SELinux is preventing /usr/bin/nspluginviewer from 'execute' accesses on the file /usr/lib64/mozilla/plugins-wrapped/nswrapper_32_64.libflashplayer.so.

Summary: SELinux is preventing /usr/bin/nspluginviewer from 'execute' accesses on the ...

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	nspluginwrapper
Sub Component:
Version:	17
Hardware:	x86_64
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:eb70dd782cdcc24d6ba3ec90dc4...
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2012-09-17 17:55 UTC by long
Modified:	2012-09-20 14:10 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2012-09-20 14:10:06 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
File: type (9 bytes, text/plain) 2012-09-17 17:55 UTC, long	no flags	Details
File: hashmarkername (14 bytes, text/plain) 2012-09-17 17:55 UTC, long	no flags	Details
View All

Description long 2012-09-17 17:55:20 UTC

Additional info:
libreport version: 2.0.13
kernel:         3.5.3-1.fc17.x86_64

description:
:SELinux is preventing /usr/bin/nspluginviewer from 'execute' accesses on the file /usr/lib64/mozilla/plugins-wrapped/nswrapper_32_64.libflashplayer.so.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that nspluginviewer should be allowed execute access on the nswrapper_32_64.libflashplayer.so file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep nspluginviewer /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
:                              0.c1023
:Target Context                system_u:object_r:mozilla_plugin_rw_t:s0
:Target Objects                /usr/lib64/mozilla/plugins-
:                              wrapped/nswrapper_32_64.libflashplayer.so [ file ]
:Source                        nspluginviewer
:Source Path                   /usr/bin/nspluginviewer
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           kde-baseapps-4.8.5-1.fc17.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-146.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.5.3-1.fc17.x86_64 #1 SMP Wed Aug
:                              29 18:46:34 UTC 2012 x86_64 x86_64
:Alert Count                   4
:First Seen                    2012-09-17 12:37:45 CDT
:Last Seen                     2012-09-17 12:37:48 CDT
:Local ID                      fd272b24-874c-4aa9-9bbb-a87d38cdbaa7
:
:Raw Audit Messages
:type=AVC msg=audit(1347903468.691:374): avc:  denied  { execute } for  pid=22302 comm="nspluginviewer" path="/usr/lib64/mozilla/plugins-wrapped/nswrapper_32_64.libflashplayer.so" dev="sdb3" ino=20188863 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mozilla_plugin_rw_t:s0 tclass=file
:
:
:type=SYSCALL msg=audit(1347903468.691:374): arch=x86_64 syscall=mmap success=no exit=EACCES a0=0 a1=2215c0 a2=5 a3=802 items=0 ppid=22274 pid=22302 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm=nspluginviewer exe=/usr/bin/nspluginviewer subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)
:
:Hash: nspluginviewer,mozilla_plugin_t,mozilla_plugin_rw_t,file,execute
:
:audit2allow
:
:#============= mozilla_plugin_t ==============
:allow mozilla_plugin_t mozilla_plugin_rw_t:file execute;
:
:audit2allow -R
:
:#============= mozilla_plugin_t ==============
:allow mozilla_plugin_t mozilla_plugin_rw_t:file execute;
:

Comment 1 long 2012-09-17 17:55:23 UTC

Created attachment 613752 [details]
File: type

Comment 2 long 2012-09-17 17:55:24 UTC

Created attachment 613753 [details]
File: hashmarkername

Comment 3 Daniel Walsh 2012-09-17 23:07:01 UTC

Did flash seem to work?  Also why are you using a 32 flash plugin when the 64 bit plugin is available.

Comment 4 long 2012-09-18 16:49:55 UTC

No, flash does not work in konqueror when this happens.  I have no idea why it is trying to use the 32-bit plugin.  I have both 32-bit and 64-bit versions installed.

Comment 5 Daniel Walsh 2012-09-20 01:28:08 UTC

I am hesitant to allow it to execute the same location that it writes.

You can turn off the protection of mozilla plugins by executing

setsebool -P 
unconfined_mozilla_plugin_transition 0

Comment 6 long 2012-09-20 14:04:48 UTC

If nspluginviewer isn't supposed to be "executing" its files isn't that a bug in the nspluginwrapper package?

Comment 7 Martin Stransky 2012-09-20 14:10:06 UTC

No, it's not a bug in nspluginwrapper package. It's a bug in flash-plugin. If you believe flash plugin should perform such action (I highly doubt so), follow comment 5.

Note You need to log in before you can comment on or make changes to this bug.