Bug 868533 - SELinux is preventing /usr/lib64/nspluginwrapper/plugin-config from 'read' accesses on the file /proc/<pid>/status.
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:70d935236e57812fa4eb28cbf92...
Depends On:
Blocks:
Reported: 2012-10-20 13:18 EDT by Ernesto
Modified: 2014-02-05 18:22 EST
CC: 6 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Last Closed: 2014-02-05 18:22:42 EST


Attachments
File: type (9 bytes, text/plain), 2012-10-20 13:18 EDT, Ernesto
File: hashmarkername (14 bytes, text/plain), 2012-10-20 13:18 EDT, Ernesto
Description Ernesto 2012-10-20 13:18:35 EDT
Additional info:
libreport version: 2.0.16
kernel:         3.6.2-2.fc18.x86_64
Comment 1 Ernesto 2012-10-20 13:18:40 EDT
Created attachment 630499 [details]
File: type
Comment 2 Ernesto 2012-10-20 13:18:45 EDT
Created attachment 630500 [details]
File: hashmarkername
Comment 3 Dominick Grift 2012-10-20 15:24:59 EDT
Can you enclose the actual avc denial of this event?

You can get it with:

ausearch -m avc -ts today
Comment 4 Ernesto 2012-10-21 15:29:35 EDT
Is this useful?

ausearch -m avc -ts yesterday | grep nsplu

type=SYSCALL msg=audit(1350752936.874:335): arch=c000003e syscall=59 success=yes exit=0 a0=21c3250 a1=21c3190 a2=21c28c0 a3=18 items=0 ppid=2120 pid=2122 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="plugin-config" exe="/usr/lib64/nspluginwrapper/plugin-config" subj=unconfined_u:unconfined_r:mozilla_plugin_config_t:s0-s0:c0.c1023 key=(null)
Comment 5 Dominick Grift 2012-10-21 17:12:23 EDT
Not really, no. This is the type=SYSCALL line and I am looking for the type=AVC line instead.

If it's not there, then the event may have been silently blocked.
Can you reproduce this event?

If so:

1. semodule -DB
2. reproduce event
3. ausearch -m avc -ts recent
4. semodule -B

Then enclose the line(s) that have type=AVC instead of type=SYSCALL


Thanks
Comment 6 Ernesto 2012-10-22 21:08:03 EDT
I tried to reproduce it and it didn't happen. A few hours later I started my browser and bam!
Here's the output of 'ausearch -m avc -ts today' (without the 'semodule -DB' thing before). You can see a lot of AVC, but nothing about plugin-config:
----
time->Mon Oct 22 18:38:37 2012
type=SYSCALL msg=audit(1350941917.593:161): arch=c000003e syscall=87 success=no exit=-13 a0=7fa1250fbe64 a1=7fa125ac9516 a2=7fff584b8eb0 a3=7fff584b8c20 items=0 ppid=1 pid=962 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpcbind" exe="/usr/sbin/rpcbind" subj=system_u:system_r:rpcbind_t:s0 key=(null)
type=AVC msg=audit(1350941917.593:161): avc:  denied  { unlink } for  pid=962 comm="rpcbind" name="rpcbind.sock" dev="tmpfs" ino=15537 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
----
time->Mon Oct 22 18:38:37 2012
type=SYSCALL msg=audit(1350941917.603:166): arch=c000003e syscall=2 success=no exit=-13 a0=7fa123c9c6ea a1=80000 a2=1b6 a3=238 items=0 ppid=1 pid=972 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpcbind" exe="/usr/sbin/rpcbind" subj=system_u:system_r:rpcbind_t:s0 key=(null)
type=AVC msg=audit(1350941917.603:166): avc:  denied  { read } for  pid=972 comm="rpcbind" name="passwd" dev="sda2" ino=920640 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
----
time->Mon Oct 22 18:38:38 2012
type=SYSCALL msg=audit(1350941918.641:231): arch=c000003e syscall=42 success=no exit=-13 a0=7 a1=7fff5b5fa0f0 a2=17 a3=7fff5b5f9b00 items=0 ppid=1015 pid=1024 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.statd" exe="/usr/sbin/rpc.statd" subj=system_u:system_r:rpcd_t:s0 key=(null)
type=AVC msg=audit(1350941918.641:231): avc:  denied  { write } for  pid=1024 comm="rpc.statd" name="rpcbind.sock" dev="tmpfs" ino=15537 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
----
time->Mon Oct 22 18:38:38 2012
type=SYSCALL msg=audit(1350941918.646:232): arch=c000003e syscall=42 success=no exit=-13 a0=9 a1=7fff5b5f9f60 a2=17 a3=8 items=0 ppid=1015 pid=1024 auid=4294967295 uid=29 gid=29 euid=29 suid=29 fsuid=29 egid=29 sgid=29 fsgid=29 tty=(none) ses=4294967295 comm="rpc.statd" exe="/usr/sbin/rpc.statd" subj=system_u:system_r:rpcd_t:s0 key=(null)
type=AVC msg=audit(1350941918.646:232): avc:  denied  { write } for  pid=1024 comm="rpc.statd" name="rpcbind.sock" dev="tmpfs" ino=15537 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
----
time->Mon Oct 22 18:38:38 2012
type=SYSCALL msg=audit(1350941918.650:233): arch=c000003e syscall=42 success=no exit=-13 a0=a a1=7fff5b5f9f60 a2=17 a3=8 items=0 ppid=1015 pid=1024 auid=4294967295 uid=29 gid=29 euid=29 suid=29 fsuid=29 egid=29 sgid=29 fsgid=29 tty=(none) ses=4294967295 comm="rpc.statd" exe="/usr/sbin/rpc.statd" subj=system_u:system_r:rpcd_t:s0 key=(null)
type=AVC msg=audit(1350941918.650:233): avc:  denied  { write } for  pid=1024 comm="rpc.statd" name="rpcbind.sock" dev="tmpfs" ino=15537 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
----
time->Mon Oct 22 18:38:38 2012
type=SYSCALL msg=audit(1350941918.654:234): arch=c000003e syscall=42 success=no exit=-13 a0=b a1=7fff5b5f9f60 a2=17 a3=8 items=0 ppid=1015 pid=1024 auid=4294967295 uid=29 gid=29 euid=29 suid=29 fsuid=29 egid=29 sgid=29 fsgid=29 tty=(none) ses=4294967295 comm="rpc.statd" exe="/usr/sbin/rpc.statd" subj=system_u:system_r:rpcd_t:s0 key=(null)
type=AVC msg=audit(1350941918.654:234): avc:  denied  { write } for  pid=1024 comm="rpc.statd" name="rpcbind.sock" dev="tmpfs" ino=15537 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
----
time->Mon Oct 22 18:38:38 2012
type=SYSCALL msg=audit(1350941918.657:235): arch=c000003e syscall=42 success=no exit=-13 a0=c a1=7fff5b5f9f60 a2=17 a3=8 items=0 ppid=1015 pid=1024 auid=4294967295 uid=29 gid=29 euid=29 suid=29 fsuid=29 egid=29 sgid=29 fsgid=29 tty=(none) ses=4294967295 comm="rpc.statd" exe="/usr/sbin/rpc.statd" subj=system_u:system_r:rpcd_t:s0 key=(null)
type=AVC msg=audit(1350941918.657:235): avc:  denied  { write } for  pid=1024 comm="rpc.statd" name="rpcbind.sock" dev="tmpfs" ino=15537 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
----
time->Mon Oct 22 18:40:15 2012
type=SYSCALL msg=audit(1350942015.726:330): arch=c000003e syscall=2 success=no exit=-13 a0=274cd80 a1=c2 a2=180 a3=0 items=0 ppid=2005 pid=2097 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1350942015.726:330): avc:  denied  { create } for  pid=2097 comm="totem-video-thu" name="registry.x86_64.bin.tmpMM6XMW" scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=file
----
time->Mon Oct 22 18:40:15 2012
type=SYSCALL msg=audit(1350942015.727:331): arch=c000003e syscall=2 success=no exit=-13 a0=274cd80 a1=c2 a2=180 a3=1 items=0 ppid=2005 pid=2097 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1350942015.727:331): avc:  denied  { create } for  pid=2097 comm="totem-video-thu" name="registry.x86_64.bin.tmpOC6XMW" scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=file
Comment 7 Dominick Grift 2012-10-23 06:41:12 EDT
Yes, those are not related, but interesting nonetheless.

I suspect the mislabeled rpcbind.sock is due to systemd socket activation

looks like thumb_t needs to be able to manage generic cache home files

And rpcd_t needs to be able to read /etc/passwd

With regard to nsplugin plugin config:

Without the avc denial it is hard to determine which type of process state files it was trying to access.

So not much we can do until we see the AVC denial of the event, I suspect.

Keep an eye on your audit.log and if you see any related avc denials please let us know
Comment 8 Miroslav Grepl 2012-10-23 07:59:45 EDT
How do you start rpcbind?

Also what is your policy version?

# rpm -q selinux-policy
Comment 9 Ernesto 2012-10-23 11:28:19 EDT
> How do you start rpcbind?

I don't know how rpcbind works, but I can guess how it's started:

# systemctl | grep rpcbind
rpcbind.socket         loaded active listening     RPCbind Server....

> rpm -q selinux-policy
selinux-policy-3.11.1-36.fc18.noarch
Comment 10 Daniel Walsh 2012-10-24 15:01:43 EDT
I wonder if there is a bug in /var/run/rpcbind.sock file creation, where systemd is mislabeling it.
I just checked in a fix so all files /var/run/rpcbind.* will be labeled rpcbind_var_run_t.  
I am thinking systemd was asking for the label of /var/run/rpcbind.sock as a file not a sock_file.

Activation is supposed to label the sock file correctly.
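The triage that comments 5, 7 and 10 do by hand can be scripted. The following is an added example for this thread, not code from the bug report or from Fedora's selinux-policy. It groups raw audit records by their audit(<time>:<serial>) event id so that a type=SYSCALL line is matched with its type=AVC partner; flags a failed syscall that has no AVC partner as a candidate dontaudit case (what comment 5's semodule -DB step is for, and why comment 4's grep found only a SYSCALL line: ausearch -m avc prints every record of a matching event, including the SYSCALL record); turns each denial into the audit2allow-style rule that would silence it; and, using a toy expected-label table modelled on comment 10's /var/run/rpcbind.* -> rpcbind_var_run_t, reports a denial on a mislabeled object as a relabel job rather than a policy gap. Assumptions: the syscall-number table covers only the x86_64 (arch=c000003e) numbers seen in this thread; EXPECTED_LABELS is a stand-in for the real file_contexts database; the record with serial 336 is constructed to exercise the no-AVC branch and appears nowhere in the thread. The other sample records are abridged copies of the ones posted in comments 4 and 6.

```python
"""Pair audit SYSCALL records with their AVC partners and classify SELinux denials.
Added example for this thread, not code from the bug report or from Fedora's
selinux-policy; sample records are abridged copies from comments 4 and 6."""
import re
from collections import defaultdict

# x86_64 (arch=c000003e) syscall numbers that occur in this thread's records.
SYSCALL_NAMES_X86_64 = {2: "open", 42: "connect", 59: "execve", 87: "unlink"}
# Toy expected-label table modelled on comment 10 ("all files /var/run/rpcbind.*
# will be labeled rpcbind_var_run_t"). The real source of truth is file_contexts.
EXPECTED_LABELS = [(re.compile(r"^rpcbind\."), "rpcbind_var_run_t")]

_HEAD_RE = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\)")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
_AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)")


def parse_record(line):
    """Return a dict for one audit record; None for 'time->' and '----' lines."""
    m = _HEAD_RE.search(line)
    if not m:
        return None
    rec = {"type": m.group(1), "time": float(m.group(2)), "serial": int(m.group(3))}
    tail = line[m.end():]
    if rec["type"] == "AVC":
        a = _AVC_RE.search(tail)
        if not a:
            return None
        rec["result"], rec["perms"], tail = a.group(1), a.group(2).split(), a.group(3)
    rec.update((k, v.strip('"')) for k, v in _KV_RE.findall(tail))
    return rec


def context_type(ctx):
    """Type component of a user:role:type[:range] SELinux context."""
    return ctx.split(":")[2]


def expected_label(name):
    """Expected type for an object name under EXPECTED_LABELS, or None."""
    for pattern, label in EXPECTED_LABELS:
        if pattern.search(name):
            return label
    return None


def analyse(lines):
    """Group records by event id (time, serial) and classify each event."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[(rec["time"], rec["serial"])].append(rec)
    results = []
    for (_, serial), recs in sorted(events.items()):
        sc = next((r for r in recs if r["type"] == "SYSCALL"), {})
        avcs = [r for r in recs if r["type"] == "AVC"]
        base = {"serial": serial, "comm": sc.get("comm"),
                "syscall": SYSCALL_NAMES_X86_64.get(int(sc.get("syscall", -1)), "?")}
        if not avcs:
            # No AVC partner: the call succeeded (comment 4's execve) or a dontaudit
            # rule hid the denial, which comment 5's semodule -DB step reveals.
            if sc.get("success") == "no":
                verdict = "failed syscall without AVC record: possible dontaudit, rerun after semodule -DB"
            else:
                verdict = "no denial: syscall succeeded"
            results.append(dict(base, verdict=verdict, rule=None))
            continue
        for a in avcs:
            stype, ttype = context_type(a["scontext"]), context_type(a["tcontext"])
            rule = "allow %s %s:%s { %s };" % (stype, ttype, a["tclass"], " ".join(a["perms"]))
            want = expected_label(a.get("name", ""))
            if want and want != ttype:
                verdict = "mislabeled object %s: expected %s, got %s; relabel, do not add the rule" % (
                    a["name"], want, ttype)
            else:
                verdict = "policy gap: %s lacks %s on %s" % (stype, " ".join(a["perms"]), ttype)
            results.append(dict(base, verdict=verdict, rule=rule))
    return results


# Abridged copies of records from comments 4 and 6; serial 336 is constructed.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1350752936.874:335): arch=c000003e syscall=59 success=yes exit=0 pid=2122 comm="plugin-config" exe="/usr/lib64/nspluginwrapper/plugin-config" subj=unconfined_u:unconfined_r:mozilla_plugin_config_t:s0-s0:c0.c1023 key=(null)
type=SYSCALL msg=audit(1350752940.000:336): arch=c000003e syscall=2 success=no exit=-13 pid=2122 comm="plugin-config" exe="/usr/lib64/nspluginwrapper/plugin-config" subj=unconfined_u:unconfined_r:mozilla_plugin_config_t:s0-s0:c0.c1023 key=(null)
----
time->Mon Oct 22 18:38:37 2012
type=SYSCALL msg=audit(1350941917.593:161): arch=c000003e syscall=87 success=no exit=-13 pid=962 comm="rpcbind" exe="/usr/sbin/rpcbind" subj=system_u:system_r:rpcbind_t:s0 key=(null)
type=AVC msg=audit(1350941917.593:161): avc:  denied  { unlink } for  pid=962 comm="rpcbind" name="rpcbind.sock" dev="tmpfs" ino=15537 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1350941917.603:166): arch=c000003e syscall=2 success=no exit=-13 pid=972 comm="rpcbind" exe="/usr/sbin/rpcbind" subj=system_u:system_r:rpcbind_t:s0 key=(null)
type=AVC msg=audit(1350941917.603:166): avc:  denied  { read } for  pid=972 comm="rpcbind" name="passwd" dev="sda2" ino=920640 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=SYSCALL msg=audit(1350942015.726:330): arch=c000003e syscall=2 success=no exit=-13 pid=2097 comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1350942015.726:330): avc:  denied  { create } for  pid=2097 comm="totem-video-thu" name="registry.x86_64.bin.tmpMM6XMW" scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=file
"""

if __name__ == "__main__":
    for r in analyse(SAMPLE_LOG.splitlines()):
        print("%(serial)s %(comm)s %(syscall)s: %(verdict)s" % r, r["rule"] or "")
```

Feed it raw ausearch output (without -i, which would rewrite the numeric fields the parser keys on). On the thread's own records it reports the rpcbind unlink/write denials on rpcbind.sock as a labeling problem, the matching conclusion of comments 7 and 10, while the passwd_file_t and cache_home_t denials come out as ordinary policy gaps, which is what comment 7 proposes for rpcd_t and thumb_t. The generated allow rules are a summary for triage, not something to load blindly: a rule that allows rpcbind_t to manage var_run_t would paper over the mislabel and widen the domain's reach over every generic runtime file.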
Comment 11 Michael Scherer 2012-12-02 13:21:08 EST
Mozilla crashed, so I submitted a report to Mozilla, and then SELinux prevented the plugin from submitting it.

Package: (null)
OS Release: Fedora release 18 (Spherical Cow)
Comment 12 Miroslav Grepl 2012-12-03 05:19:28 EST
Package selinux-policy-3.11.1-59.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-59.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-19374/selinux-policy-3.11.1-59.fc18
then log in and leave karma (feedback).
Comment 13 Yann Droneaud 2013-01-05 09:46:21 EST
Firefox crashed and then a security alert was triggered.

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)
Comment 14 Fedora End Of Life 2013-12-21 10:49:29 EST
This message is a reminder that Fedora 18 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 18. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '18'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 18's end of life.

Thank you for reporting this issue and we are sorry that we may not be 
able to fix it before Fedora 18 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora 
version prior to Fedora 18's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 15 Fedora End Of Life 2014-02-05 18:22:42 EST
Fedora 18 changed to end-of-life (EOL) status on 2014-01-14. Fedora 18 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.
