Bug 865328 - SELinux is preventing /usr/lib64/nspluginwrapper/npconfig from 'getattr' accesses on the filesystem /.
SELinux is preventing /usr/lib64/nspluginwrapper/npconfig from 'getattr' acce...
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
17
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
abrt_hash:72842236bf14eac8ff1c4db6ed4...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-10-11 04:56 EDT by Armando
Modified: 2012-12-20 10:55 EST (History)
11 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-12-20 10:54:59 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
File: type (9 bytes, text/plain)
2012-10-11 04:56 EDT, Armando
no flags Details
File: hashmarkername (14 bytes, text/plain)
2012-10-11 04:56 EDT, Armando
no flags Details

  None (edit)
Description Armando 2012-10-11 04:56:51 EDT
Additional info:
libreport version: 2.0.14
kernel:         3.5.6-1.fc17.x86_64

description:
:SELinux is preventing /usr/lib64/nspluginwrapper/npconfig from 'getattr' accesses on the filesystem /.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If você acredita que o npconfig deva ser permitido acesso de getattr em  filesystem  por default.
:Then você precisa reportar este como um erro.
:Você pode gerar um módulo de política local para permitir este acesso.
:Do
:permitir este acesso agora executando:
:# grep npconfig /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                unconfined_u:unconfined_r:mozilla_plugin_config_t:
:                              s0-s0:c0.c1023
:Target Context                system_u:object_r:fs_t:s0
:Target Objects                / [ filesystem ]
:Source                        npconfig
:Source Path                   /usr/lib64/nspluginwrapper/npconfig
:Port                          <Desconhecido>
:Host                          (removed)
:Source RPM Packages           nspluginwrapper-1.4.4-12.fc17.x86_64
:Target RPM Packages           filesystem-3-2.fc17.x86_64
:Policy RPM                    selinux-policy-3.10.0-149.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Permissive
:Host Name                     (removed)
:Platform                      Linux (removed) 3.5.6-1.fc17.x86_64 #1 SMP Sun Oct
:                              7 19:31:14 UTC 2012 x86_64 x86_64
:Alert Count                   1
:First Seen                    2012-10-11 05:56:27 BRT
:Last Seen                     2012-10-11 05:56:27 BRT
:Local ID                      efc6c728-f3f1-4f1b-b682-de1b769f76ff
:
:Raw Audit Messages
:type=AVC msg=audit(1349945787.427:87): avc:  denied  { getattr } for  pid=3206 comm="npconfig" name="/" dev="dm-1" ino=2 scontext=unconfined_u:unconfined_r:mozilla_plugin_config_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
:
:
:type=SYSCALL msg=audit(1349945787.427:87): arch=x86_64 syscall=fstatfs success=yes exit=0 a0=3 a1=7fff633a3b80 a2=0 a3=7fff633a38f0 items=0 ppid=3189 pid=3206 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4 comm=npconfig exe=/usr/lib64/nspluginwrapper/npconfig subj=unconfined_u:unconfined_r:mozilla_plugin_config_t:s0-s0:c0.c1023 key=(null)
:
:Hash: npconfig,mozilla_plugin_config_t,fs_t,filesystem,getattr
:
:audit2allow
:
:#============= mozilla_plugin_config_t ==============
:allow mozilla_plugin_config_t fs_t:filesystem getattr;
:
:audit2allow -R
:
:#============= mozilla_plugin_config_t ==============
:allow mozilla_plugin_config_t fs_t:filesystem getattr;
:
Comment 1 Armando 2012-10-11 04:56:54 EDT
Created attachment 625414 [details]
File: type
Comment 2 Armando 2012-10-11 04:56:57 EDT
Created attachment 625415 [details]
File: hashmarkername
Comment 3 Daniel Walsh 2012-10-11 22:42:19 EDT
I just allowed this in F18.
Comment 4 long 2012-10-12 17:06:10 EDT
I started firefox after it was updated.

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)
Comment 5 Fedora Update System 2012-10-17 08:35:39 EDT
selinux-policy-3.10.0-156.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-156.fc17
Comment 6 Fedora Update System 2012-10-17 20:27:02 EDT
Package selinux-policy-3.10.0-156.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-156.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-16347/selinux-policy-3.10.0-156.fc17
then log in and leave karma (feedback).
Comment 7 Mike 2012-10-19 12:11:11 EDT
Every time I open Firefox, SELinux reports this error.  Firefox seems to work fine when I ignore it, so I'm not sure what is going on.  Flash seems to work fine as well.

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)
Comment 8 Mike 2012-10-19 13:34:34 EDT
Just to update:

# yum -C list installed firefox* selinux-policy* nsplugin* flash-plugin*
Loaded plugins: langpacks, presto, refresh-packagekit, security
Installed Packages
firefox.x86_64                                             16.0.1-1.fc17                                    @updates         
flash-plugin.i386                                          11.2.202.243-release                             @adobe-linux-i386
nspluginwrapper.i686                                       1.4.4-12.fc17                                    @updates         
nspluginwrapper.x86_64                                     1.4.4-12.fc17                                    @updates         
selinux-policy.noarch                                      3.10.0-156.fc17                                  @updates-testing 
selinux-policy-devel.noarch                                3.10.0-156.fc17                                  @updates-testing 
selinux-policy-targeted.noarch                             3.10.0-156.fc17                                  @updates-testing 


That said, the updates from the test repository did not make any difference (tested after reboot just to make sure, but same thing).

Thanks.
Comment 9 Johan Hedin 2012-10-20 07:03:02 EDT
I can also verify that this bug is _not_ fixed in selinux-policy-3.10.0-156.fc17.

Even though you normally see this when starting firefox, the issue is with the nspluginwrapper package (currently at 1.4.4-12 in Fedora 17).

This is what happens:

When you start firefox you run the script /usr/bin/firefox. This script checks if nspluginwrapper is installed by checking for the presence of /usr/bin/mozilla-plugin-config. If it is present it runs it.

mozilla-plugin-config in turn belongs to the nspluginwrapper package and is a script that runs the binary /usr/lib64/nspluginwrapper/plugin-config. This binary has the label mozilla_plugin_config_exec_t so I guess that this in turn transitions plugin-config to mozilla_plugin_t when executed.

plugin-config in turn seem to run /usr/lib64/nspluginwrapper/npconfig which is what show up in the SELinux alerts.

The reason to run mozilla-plugin-config in the first place is so that newly added firefox plugins is linked/wrapped properly before firefox starts. You can also run mozilla-plugin-config from the command line and get exactly the same SELinux error.

This error does not seem to affect the function of nspluginwrapper but is of course an annoyance as you see it every time you start firefox.

Creating a selinux module as suggested by SETroubleshhot and loading it "fixes" the problem an I don't see any more SElinux alerts with respect to this specific issue.

Just to be complete, below is what SETroubleshoot says both when I start firefox or when I run mozilla-plugin-config from the command line:

SELinux is preventing /usr/lib64/nspluginwrapper/npconfig from getattr access on the filesystem /.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that npconfig should be allowed getattr access on the  filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep npconfig /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_config_t:
                              s0-s0:c0.c1023
Target Context                system_u:object_r:fs_t:s0
Target Objects                / [ filesystem ]
Source                        npconfig
Source Path                   /usr/lib64/nspluginwrapper/npconfig
Port                          <Unknown>
Host                          zeuse
Source RPM Packages           nspluginwrapper-1.4.4-12.fc17.x86_64
Target RPM Packages           filesystem-3-2.fc17.x86_64
Policy RPM                    selinux-policy-3.10.0-156.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     zeuse
Platform                      Linux zeuse 3.6.2-4.fc17.x86_64 #1 SMP Wed Oct 17
                              02:43:21 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    2012-10-20 12:32:51 CEST
Last Seen                     2012-10-20 12:32:51 CEST
Local ID                      5bddccab-f1ef-4cdd-b99d-1b3f43a6106a

Raw Audit Messages
type=AVC msg=audit(1350729171.548:71): avc:  denied  { getattr } for  pid=1658 comm="npconfig" name="/" dev="dm-1" ino=2 scontext=unconfined_u:unconfined_r:mozilla_plugin_config_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem


type=SYSCALL msg=audit(1350729171.548:71): arch=x86_64 syscall=fstatfs success=no exit=EACCES a0=3 a1=7fff0201add0 a2=0 a3=ffffffff items=0 ppid=1643 pid=1658 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=1 comm=npconfig exe=/usr/lib64/nspluginwrapper/npconfig subj=unconfined_u:unconfined_r:mozilla_plugin_config_t:s0-s0:c0.c1023 key=(null)

Hash: npconfig,mozilla_plugin_config_t,fs_t,filesystem,getattr

audit2allow

#============= mozilla_plugin_config_t ==============
allow mozilla_plugin_config_t fs_t:filesystem getattr;

audit2allow -R

#============= mozilla_plugin_config_t ==============
allow mozilla_plugin_config_t fs_t:filesystem getattr;
Comment 10 Miroslav Grepl 2012-10-22 04:47:13 EDT
I see it now. This is about

mozilla_plugin_config_t

but we have a fix for

mozilla_plugin_t
Comment 11 Miroslav Grepl 2012-10-22 04:51:49 EDT
Added.

commit 8cf9be24ec7f1c2d4a8041eb5cddd7c6c7958900
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Mon Oct 22 10:49:50 2012 +0200

    Allow mozilla-plugin-config to getattr on all fs
Comment 12 dan 2012-10-25 10:31:36 EDT
I'm trying to create a openvpn connection and selinux keeps giving errors. 

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)
Comment 13 Fedora Update System 2012-11-06 03:22:22 EST
selinux-policy-3.10.0-159.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-159.fc17
Comment 14 Fedora Update System 2012-11-07 21:04:44 EST
Package selinux-policy-3.10.0-159.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-159.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-17782/selinux-policy-3.10.0-159.fc17
then log in and leave karma (feedback).
Comment 15 Johan Hedin 2012-11-08 16:35:11 EST
Problem fixed for me with the update in the testing repo. Positive karma given. 

BTW, has this fix found its way into the Fedora 18 policy as well? I see from the early comment from Dan that Fedora 18 will allow this, but since it took two rounds to get this right in Fedora 17 I'm just checking.

Good work anyway!
Comment 16 Mike 2012-11-08 16:59:03 EST
I concur; the issue is resolved for me as well.  This is awesome!  Thank you!  :)
Comment 17 Daniel Walsh 2012-11-08 17:06:05 EST
We work in the latest release and back port.
Comment 18 Fedora Update System 2012-12-20 10:55:06 EST
selinux-policy-3.10.0-156.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.