Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 887509 - SELinux is preventing /usr/lib/nspluginwrapper/npviewer.bin from using the 'dac_override' capabilities.
Summary: SELinux is preventing /usr/lib/nspluginwrapper/npviewer.bin from using the 'd...
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 17
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:5888f321769b7f48574608dd1d5...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-12-15 19:53 UTC by skotsezos13
Modified: 2012-12-17 11:24 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-12-17 11:24:49 UTC
Type: ---


Attachments (Terms of Use)
File: type (9 bytes, text/plain)
2012-12-15 19:53 UTC, skotsezos13
no flags Details
File: hashmarkername (14 bytes, text/plain)
2012-12-15 19:53 UTC, skotsezos13
no flags Details

Description skotsezos13 2012-12-15 19:53:50 UTC
Additional info:
libreport version: 2.0.18
kernel:         3.6.9-2.fc17.x86_64

description:
:SELinux is preventing /usr/lib/nspluginwrapper/npviewer.bin from using the 'dac_override' capabilities.
:
:*****  Plugin dac_override (91.4 confidence) suggests  ***********************
:
:If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
:Then turn on full auditing to get path information about the offending file and generate the error again.
:Do
:
:Turn on full auditing
:# auditctl -w /etc/shadow -p w
:Try to recreate AVC. Then execute
:# ausearch -m avc -ts recent
:If you see PATH record check ownership/permissions on file, and fix it, 
:otherwise report as a bugzilla.
:
:*****  Plugin catchall (9.59 confidence) suggests  ***************************
:
:If you believe that npviewer.bin should have the dac_override capability by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep npviewer.bin /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
:                              0.c1023
:Target Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
:                              0.c1023
:Target Objects                 [ capability ]
:Source                        npviewer.bin
:Source Path                   /usr/lib/nspluginwrapper/npviewer.bin
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           nspluginwrapper-1.4.4-12.fc17.i686
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-161.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.6.9-2.fc17.x86_64 #1 SMP Tue Dec
:                              4 13:26:04 UTC 2012 x86_64 x86_64
:Alert Count                   2
:First Seen                    2012-12-15 21:45:47 EST
:Last Seen                     2012-12-15 21:45:47 EST
:Local ID                      880f9c02-65b2-4821-a9cf-e39fe58304f8
:
:Raw Audit Messages
:type=AVC msg=audit(1355625947.457:83): avc:  denied  { dac_override } for  pid=2316 comm="npviewer.bin" capability=1  scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=capability
:
:
:type=AVC msg=audit(1355625947.457:83): avc:  denied  { dac_read_search } for  pid=2316 comm="npviewer.bin" capability=2  scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=capability
:
:
:type=SYSCALL msg=audit(1355625947.457:83): arch=i386 syscall=fstat per=8 success=no exit=EACCES a0=f774f32a a1=441 a2=1b6 a3=9bfc208 items=0 ppid=2315 pid=2316 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm=npviewer.bin exe=/usr/lib/nspluginwrapper/npviewer.bin subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)
:
:Hash: npviewer.bin,mozilla_plugin_t,mozilla_plugin_t,capability,dac_override
:
:audit2allow
:
:#============= mozilla_plugin_t ==============
:#!!!! This avc is allowed in the current policy
:
:allow mozilla_plugin_t self:capability { dac_read_search dac_override };
:
:audit2allow -R
:
:#============= mozilla_plugin_t ==============
:#!!!! This avc is allowed in the current policy
:
:allow mozilla_plugin_t self:capability { dac_read_search dac_override };
:

Comment 1 skotsezos13 2012-12-15 19:53:54 UTC
Created attachment 664109 [details]
File: type

Comment 2 skotsezos13 2012-12-15 19:53:57 UTC
Created attachment 664110 [details]
File: hashmarkername

Comment 3 Miroslav Grepl 2012-12-17 11:24:49 UTC
You will need to stay with the local policy which you added. 

Are you able to reproduce it?

Turn on full auditing
# auditctl -w /etc/shadow -p w

Try to recreate AVC. Then execute
# ausearch -m avc -ts recent


Note You need to log in before you can comment on or make changes to this bug.