Bug 871676 - SELinux is preventing pool from 'read' accesses on the file /etc/rc.d/init.d/network.
Summary: SELinux is preventing pool from 'read' accesses on the file /etc/rc.d/init.d/...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 17
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:82f16d75a9d1ebee49197bbc2da...
Depends On:
Blocks:
Reported: 2012-10-31 03:07 UTC by Rex
Modified: 2012-11-06 14:44 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2012-11-06 09:43:04 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)
File: type (9 bytes, text/plain)
2012-10-31 03:07 UTC, Rex
no flags Details
File: hashmarkername (14 bytes, text/plain)
2012-10-31 03:07 UTC, Rex
no flags Details

Description Rex 2012-10-31 03:07:22 UTC
Description of problem:
I can reproduce this by using Yahoo mail, composing a message and clicking the attach files button. This issue is new to the update I just downloaded.

Additional info:
libreport version: 2.0.16
kernel:         3.6.3-1.fc17.x86_64

description:
:SELinux is preventing pool from 'read' accesses on the file /etc/rc.d/init.d/network.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that pool should be allowed read access on the network file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep pool /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
:                              0.c1023
:Target Context                system_u:object_r:initrc_exec_t:s0
:Target Objects                /etc/rc.d/init.d/network [ file ]
:Source                        pool
:Source Path                   pool
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           xulrunner-16.0.2-1.fc17.x86_64
:Target RPM Packages           initscripts-9.37.1-1.fc17.x86_64
:Policy RPM                    selinux-policy-3.10.0-156.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.6.3-1.fc17.x86_64 #1 SMP Mon Oct
:                              22 15:32:35 UTC 2012 x86_64 x86_64
:Alert Count                   16
:First Seen                    2012-10-30 20:00:00 PDT
:Last Seen                     2012-10-30 20:03:24 PDT
:Local ID                      2dc22ffd-2ccb-4e5e-8c50-244432bdb609
:
:Raw Audit Messages
:type=AVC msg=audit(1351652604.622:200): avc:  denied  { read } for  pid=4512 comm="pool" name="network" dev="sda7" ino=155067 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
:
:
:type=SYSCALL msg=audit(1351652604.622:200): arch=x86_64 syscall=open success=no exit=EACCES a0=7fec92f320e0 a1=40000 a2=7fec92f042b0 a3=0 items=0 ppid=4216 pid=4512 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=7 comm=pool exe=/usr/lib64/xulrunner/plugin-container subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)
:
:Hash: pool,mozilla_plugin_t,initrc_exec_t,file,read
:
:audit2allow
:
:#============= mozilla_plugin_t ==============
:allow mozilla_plugin_t initrc_exec_t:file read;
:
:audit2allow -R
:
:#============= mozilla_plugin_t ==============
:allow mozilla_plugin_t initrc_exec_t:file read;
:

Comment 1 Rex 2012-10-31 03:07:26 UTC
Created attachment 635921 [details]
File: type

Comment 2 Rex 2012-10-31 03:07:28 UTC
Created attachment 635922 [details]
File: hashmarkername

Comment 3 Rex 2012-10-31 03:11:14 UTC
I should add, this only happens when Yahoo's default, multi-file uploader is selected. Selecting the single file upload tool will allow it to complete.

Comment 4 Daniel Walsh 2012-10-31 10:45:01 UTC
Does the multi-file uploader work even with the AVC?

Comment 5 Rex 2012-10-31 13:48:23 UTC
I don't know what you mean by AVC. I cannot use the multi-uploader at all from either a USB drive or from a mounted NTFS partition. It will allow access to all of the ext4 partitions.

Comment 6 Daniel Walsh 2012-10-31 14:20:32 UTC
Rex, can you execute the following as root.

# setenforce 0

Then execute the multi-file uploader.

Finally execute

# ausearch -m avc -ts recent

And attach the output.

Comment 7 Rex 2012-10-31 19:05:03 UTC
After executing the first command, I was able to browse and attach files from my drives.

[root@Rex-Fedora rex]# ausearch -m avc -ts recent
----
time->Wed Oct 31 12:01:28 2012
type=SYSCALL msg=audit(1351710088.870:127): arch=c000003e syscall=2 success=no exit=-1 a0=7f0b5e402440 a1=40000 a2=7f0b66e58040 a3=0 items=0 ppid=2758 pid=3092 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="pool" exe="/usr/lib64/xulrunner/plugin-container" subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1351710088.870:127): avc:  denied  { read } for  pid=3092 comm="pool" name="tcsd" dev="sda7" ino=163844 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tcsd_initrc_exec_t:s0 tclass=file
----
time->Wed Oct 31 12:01:28 2012
type=SYSCALL msg=audit(1351710088.869:126): arch=c000003e syscall=4 success=yes exit=0 a0=7f0b5e402440 a1=7f0b602569d0 a2=7f0b602569d0 a3=38c48844f0 items=0 ppid=2758 pid=3092 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="pool" exe="/usr/lib64/xulrunner/plugin-container" subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1351710088.869:126): avc:  denied  { getattr } for  pid=3092 comm="pool" path="/etc/rc.d/init.d/tcsd" dev="sda7" ino=163844 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tcsd_initrc_exec_t:s0 tclass=file
----
time->Wed Oct 31 12:01:28 2012
type=SYSCALL msg=audit(1351710088.870:128): arch=c000003e syscall=2 success=yes exit=21 a0=7f0b5e402440 a1=0 a2=1 a3=0 items=0 ppid=2758 pid=3092 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="pool" exe="/usr/lib64/xulrunner/plugin-container" subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1351710088.870:128): avc:  denied  { open } for  pid=3092 comm="pool" path="/etc/rc.d/init.d/tcsd" dev="sda7" ino=163844 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tcsd_initrc_exec_t:s0 tclass=file
----
time->Wed Oct 31 12:01:28 2012
type=SYSCALL msg=audit(1351710088.870:129): arch=c000003e syscall=6 success=yes exit=0 a0=7f0b5e4180a0 a1=7f0b61258940 a2=7f0b61258940 a3=7f0b62544060 items=0 ppid=2758 pid=3090 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="pool" exe="/usr/lib64/xulrunner/plugin-container" subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1351710088.870:129): avc:  denied  { getattr } for  pid=3090 comm="pool" path="/etc/rc.d/init.d/jexec" dev="sda7" ino=131106 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
----
time->Wed Oct 31 12:01:28 2012
type=SYSCALL msg=audit(1351710088.870:130): arch=c000003e syscall=2 success=no exit=-1 a0=7f0b5e4180a0 a1=40000 a2=7f0b66e58040 a3=0 items=0 ppid=2758 pid=3090 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="pool" exe="/usr/lib64/xulrunner/plugin-container" subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1351710088.870:130): avc:  denied  { read } for  pid=3090 comm="pool" name="jexec" dev="sda7" ino=131106 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
----
time->Wed Oct 31 12:01:28 2012
type=SYSCALL msg=audit(1351710088.870:131): arch=c000003e syscall=2 success=yes exit=20 a0=7f0b5e4180a0 a1=0 a2=1 a3=0 items=0 ppid=2758 pid=3090 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="pool" exe="/usr/lib64/xulrunner/plugin-container" subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1351710088.870:131): avc:  denied  { open } for  pid=3090 comm="pool" path="/etc/rc.d/init.d/jexec" dev="sda7" ino=131106 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
----
time->Wed Oct 31 12:01:28 2012
type=SYSCALL msg=audit(1351710088.869:132): arch=c000003e syscall=6 success=yes exit=0 a0=7f0b5e40cd80 a1=7f0b5fa55940 a2=7f0b5fa55940 a3=ffffffff items=0 ppid=2758 pid=3093 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="pool" exe="/usr/lib64/xulrunner/plugin-container" subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1351710088.869:132): avc:  denied  { getattr } for  pid=3093 comm="pool" path=2F72756E2F6D656469612F7265782F446174612F456D706C6F796D656E742F52657820536865666669656C6420526573756D65312E646F63 dev="sdb1" ino=12344 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fusefs_t:s0 tclass=file
----
time->Wed Oct 31 12:01:28 2012
type=SYSCALL msg=audit(1351710088.872:133): arch=c000003e syscall=2 success=yes exit=20 a0=7f0b5e40cd80 a1=40000 a2=7f0b66e58040 a3=fffffffffffff40c items=0 ppid=2758 pid=3093 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="pool" exe="/usr/lib64/xulrunner/plugin-container" subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1351710088.872:133): avc:  denied  { open } for  pid=3093 comm="pool" path=2F72756E2F6D656469612F7265782F446174612F456D706C6F796D656E742F52657820536865666669656C6420526573756D65312E646F63 dev="sdb1" ino=12344 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fusefs_t:s0 tclass=file
type=AVC msg=audit(1351710088.872:133): avc:  denied  { read } for  pid=3093 comm="pool" name=52657820536865666669656C6420526573756D65312E646F63 dev="sdb1" ino=12344 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fusefs_t:s0 tclass=file
----
time->Wed Oct 31 12:01:30 2012
type=SYSCALL msg=audit(1351710090.313:134): arch=c000003e syscall=257 success=yes exit=20 a0=ffffffffffffff9c a1=7f0b5e402060 a2=90800 a3=0 items=0 ppid=2758 pid=3176 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="pool" exe="/usr/lib64/xulrunner/plugin-container" subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1351710090.313:134): avc:  denied  { read } for  pid=3176 comm="pool" name="/" dev="sda2" ino=5 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
----
time->Wed Oct 31 12:01:30 2012
type=SYSCALL msg=audit(1351710090.316:135): arch=c000003e syscall=6 success=yes exit=0 a0=7f0b5e40ce40 a1=7f0b61258950 a2=7f0b61258950 a3=0 items=0 ppid=2758 pid=3090 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="pool" exe="/usr/lib64/xulrunner/plugin-container" subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1351710090.316:135): avc:  denied  { getattr } for  pid=3090 comm="pool" path=2F72756E2F6D656469612F7265782F57696E372F446F63756D656E747320616E642053657474696E6773 dev="sda2" ino=17572 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fusefs_t:s0 tclass=lnk_file
----
time->Wed Oct 31 12:01:30 2012
type=SYSCALL msg=audit(1351710090.316:136): arch=c000003e syscall=4 success=yes exit=0 a0=7f0b5e40ce40 a1=7f0b612589e0 a2=7f0b612589e0 a3=0 items=0 ppid=2758 pid=3090 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="pool" exe="/usr/lib64/xulrunner/plugin-container" subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1351710090.316:136): avc:  denied  { read } for  pid=3090 comm="pool" name=446F63756D656E747320616E642053657474696E6773 dev="sda2" ino=17572 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fusefs_t:s0 tclass=lnk_file
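The ausearch output above mixes two different policy gaps (reads of initrc scripts versus access to the fusefs_t-labelled NTFS mount), and names containing spaces are printed hex-encoded rather than quoted. The following is an added example, not part of the bug report, that parses such AVC lines, decodes the hex-encoded object names and tallies denials per source type, target type, class and permission; the sample lines are constructed to resemble the ones in this thread.

```python
import re
from collections import Counter

# Constructed sample modelled on the `ausearch -m avc -ts recent` output in this
# thread (not the reporter's actual lines): a name with a space is hex-encoded.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1351710088.870:127): avc:  denied  { read } for  pid=3092 '
    'comm="pool" name="tcsd" dev="sda7" ino=163844 '
    'scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:tcsd_initrc_exec_t:s0 tclass=file',
    'type=AVC msg=audit(1351710090.313:134): avc:  denied  { read } for  pid=3176 '
    'comm="pool" name="/" dev="sda2" ino=5 '
    'scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:fusefs_t:s0 tclass=dir',
    'type=AVC msg=audit(1351710090.316:135): avc:  denied  { getattr } for  pid=3090 '
    'comm="pool" path=2F72756E2F6D656469612F757365722F4D792046696C652E646F6378 '
    'dev="sda2" ino=17572 '
    'scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:fusefs_t:s0 tclass=file',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_object(raw):
    """A quoted name/path is literal; an unquoted run of hex pairs is the
    kernel's escaping for names with spaces or control characters."""
    if raw.startswith('"'):
        return raw[1:-1]
    if re.fullmatch(r'(?:[0-9A-F]{2})+', raw):
        return bytes.fromhex(raw).decode('utf-8', errors='replace')
    return raw

def parse_avc(line):
    """Return perms, decoded object and the (source type, target type, class)
    of one denial, or None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    raw = dict(FIELD_RE.findall(m.group('fields')))
    obj = raw.get('path') or raw.get('name')
    return {
        'perms': m.group('perms').split(),
        'object': decode_object(obj) if obj else None,
        'stype': raw['scontext'].split(':')[2],   # e.g. mozilla_plugin_t
        'ttype': raw['tcontext'].split(':')[2],   # e.g. fusefs_t
        'tclass': raw['tclass'],
    }

def summarize(lines):
    """Count denials per (source, target, class, permission) so distinct policy
    gaps (here fusefs_t versus the initrc script types) stand out separately."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec:
            for perm in rec['perms']:
                counts[(rec['stype'], rec['ttype'], rec['tclass'], perm)] += 1
    return counts
```

Feeding real `ausearch -m avc` output through `summarize` separates the fusefs_t denials that the use_fusefs_home_dirs boolean addresses from the initrc_exec_t reads, which that boolean does not cover.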

Comment 8 Daniel Walsh 2012-11-01 14:51:48 UTC
If you turn on this boolean, you might get the behaviour you want.

# setsebool -P use_fusefs_home_dirs 1

I have no idea why it is reading the initrc scripts.

Why would a plugin want to read the tcsd or jexec, unless you were attempting to upload those?

Comment 9 Rex 2012-11-02 00:46:06 UTC
I was only attempting to upload a .docx on a mounted NTFS drive. Everything is still working fine since executing 'setenforce 0' the other day, so I guess we will see what happens.

Comment 10 Daniel Walsh 2012-11-05 18:37:06 UTC
Did you execute this command?

 setsebool -P use_fusefs_home_dirs 1

Comment 11 Rex 2012-11-06 04:57:06 UTC
I attempted to. I get the error 

setsebool: illegal value l for boolean use_fusefs_home_dirs

I haven't really had time to try anything else, been a busy week.

Comment 12 Miroslav Grepl 2012-11-06 09:43:04 UTC
You used "l" letter instead of "1" digit.

Comment 13 Rex 2012-11-06 14:44:39 UTC
Oops. Of course. 
After executing that command, I no longer see the read denial error. Thank you.
