Bug 862097 - SELinux is preventing /usr/libexec/totem-plugin-viewer from setattr access on the file ParseLock002
Summary: SELinux is preventing /usr/libexec/totem-plugin-viewer from setattr access on...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 17
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-10-01 20:54 UTC by renke
Modified: 2012-12-20 16:25 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-12-20 16:25:21 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)

Description renke 2012-10-01 20:54:33 UTC
Description of problem:
Firefox + totem-mozplugin in combination with a strict SELinux policy show AVC warbings


Version-Release number of selected component (if applicable):
firefox.x86_64 15.0.1-1.fc17, totem-mozplugin.x86_64 1:3.4.3-1.fc17, selinux-policy.noarch 3.10.0-149.fc17


How reproducible:
open a link to a file handled by the totem-plugin

Additional info:

SELinux is preventing /usr/libexec/totem-plugin-viewer from setattr access on the file ParseLock002.

*****  Plugin catchall (100. confidence) suggests  ***************************

If sie denken, dass totem-plugin-viewer standardmässig erlaubt sein sollte, setattr Zugriff auf ParseLock002 file zu erhalten.
Then sie sollten dies als Fehler melden.
Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen.
Do
zugriff jetzt erlauben, indem Sie die nachfolgenden Befehle ausführen:
# grep totem-plugin-vi /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
                              0.c1023
Target Context                unconfined_u:object_r:user_tmpfs_t:s0
Target Objects                ParseLock002 [ file ]
Source                        totem-plugin-vi
Source Path                   /usr/libexec/totem-plugin-viewer
Port                          <Unbekannt>
Host                          auweia
Source RPM Packages           totem-mozplugin-3.4.3-1.fc17.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-149.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     auweia
Platform                      Linux auweia 3.5.4-2.fc17.x86_64 #1 SMP Wed Sep 26
                              21:58:50 UTC 2012 x86_64 x86_64
Alert Count                   10
First Seen                    2012-09-26 20:43:42 CEST
Last Seen                     2012-10-01 22:41:04 CEST
Local ID                      212adf87-3e09-415e-9473-a16feae0f60c

Raw Audit Messages
type=AVC msg=audit(1349124064.437:308): avc:  denied  { setattr } for  pid=7423 comm="totem-plugin-vi" name="ParseLock002" dev="tmpfs" ino=21058 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmpfs_t:s0 tclass=file


type=SYSCALL msg=audit(1349124064.437:308): arch=x86_64 syscall=fchmod success=no exit=EACCES a0=a a1=1b6 a2=1b6 a3=80 items=0 ppid=1 pid=7423 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=11 comm=totem-plugin-vi exe=/usr/libexec/totem-plugin-viewer subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)

Hash: totem-plugin-vi,mozilla_plugin_t,user_tmpfs_t,file,setattr

audit2allow

#============= mozilla_plugin_t ==============
allow mozilla_plugin_t user_tmpfs_t:file setattr;

audit2allow -R

#============= mozilla_plugin_t ==============
allow mozilla_plugin_t user_tmpfs_t:file setattr;

Comment 1 Miroslav Grepl 2012-10-17 07:56:00 UTC
We added some fixes to make this working.

Comment 2 Fedora Update System 2012-10-17 12:34:46 UTC
selinux-policy-3.10.0-156.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-156.fc17

Comment 3 Fedora Update System 2012-10-18 00:26:01 UTC
Package selinux-policy-3.10.0-156.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-156.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-16347/selinux-policy-3.10.0-156.fc17
then log in and leave karma (feedback).

Comment 4 Fedora Update System 2012-12-20 16:25:25 UTC
selinux-policy-3.10.0-156.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.