Bug 955909 - SELinux is preventing plugin-containe from 'execmod' accesses on the file /opt/google/talkplugin/libnpgoogletalk.so.
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: i686
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:94efa97152867c574e5077e635b...
Duplicates: 967650
Depends On:
Blocks:
Reported: 2013-04-24 04:46 UTC by Josh Reynolds
Modified: 2013-08-29 13:33 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-04-26 07:24:30 UTC
Type: ---
Embargoed:


Description Josh Reynolds 2013-04-24 04:46:41 UTC
Description of problem:
I pulled up Gmail in Firefox and this alert popped up while it was loading.
SELinux is preventing plugin-containe from 'execmod' accesses on the file /opt/google/talkplugin/libnpgoogletalk.so.

*****  Plugin mozplugger (99.1 confidence) suggests  *************************

If you want to use the plugin package
Then you must turn off SELinux controls on the Firefox plugins.
Do
# setsebool unconfined_mozilla_plugin_transition 0

*****  Plugin catchall (1.81 confidence) suggests  ***************************

If you believe that plugin-containe should be allowed execmod access on the libnpgoogletalk.so file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep plugin-containe /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
                              0.c1023
Target Context                system_u:object_r:bin_t:s0
Target Objects                /opt/google/talkplugin/libnpgoogletalk.so [ file ]
Source                        plugin-containe
Source Path                   plugin-containe
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           google-talkplugin-3.17.0.0-1.i386
Policy RPM                    selinux-policy-3.11.1-91.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.8.8-202.fc18.i686 #1 SMP Wed Apr
                              17 23:46:26 UTC 2013 i686 i686
Alert Count                   3
First Seen                    2013-04-23 23:30:58 CDT
Last Seen                     2013-04-23 23:31:48 CDT
Local ID                      0166c38d-c9e0-4190-b000-bfcea15b9526

Raw Audit Messages
type=AVC msg=audit(1366777908.11:338): avc:  denied  { execmod } for  pid=4310 comm="plugin-containe" path="/opt/google/talkplugin/libnpgoogletalk.so" dev="sda4" ino=271564 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file


Hash: plugin-containe,mozilla_plugin_t,bin_t,file,execmod

audit2allow

#============= mozilla_plugin_t ==============
allow mozilla_plugin_t bin_t:file execmod;

audit2allow -R
require {
	type bin_t;
	type mozilla_plugin_t;
	class file execmod;
}

#============= mozilla_plugin_t ==============
allow mozilla_plugin_t bin_t:file execmod;


Additional info:
hashmarkername: setroubleshoot
kernel:         3.8.8-202.fc18.i686
type:           libreport

Comment 1 Josh Reynolds 2013-04-24 04:49:58 UTC
I forgot to add that everything was working fine together until recently, possibly after updates in the last week or two.

Comment 2 Miroslav Grepl 2013-04-24 13:33:02 UTC
Fixed in F19 and back ported to F18.

Comment 3 Miroslav Grepl 2013-04-24 13:34:59 UTC
I apologize. Wrong bug.

Comment 4 Miroslav Grepl 2013-04-24 13:37:23 UTC
# chcon -t textrel_shlib_t /opt/google/talkplugin/libnpgoogletalk.so

will fix for now.

Comment 5 Eric Paris 2013-04-24 15:30:09 UTC
This is a bug in the Google talk plugin on i686 (x86_64 is not affected).  The plugin is being built without basic security compiler flags.  I have reached out to a person on the Google Chrome security team and he has indicated that he opened bugs internally to fix their non-Chrome products.

This is not an SELinux problem.  This is SELinux showing the security weakness of 3rd party software.  We apologize for this inconvenience.  If you are willing to accept the weaker security protections necessary to allow this plugin to run, please follow the instructions in comment #4.

Comment 6 Josh Reynolds 2013-05-17 18:24:13 UTC
Since this is still happening with the next version of this plugin I've reported this to Google in the following post: http://productforums.google.com/d/topic/chat/tMXq0oshZ6w/discussion

Comment 7 Miroslav Grepl 2013-05-28 10:11:22 UTC
*** Bug 967650 has been marked as a duplicate of this bug. ***

Comment 8 qualityservicesrus 2013-08-10 14:12:23 UTC
The code: # grep plugin-containe /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp 
Worked and I use the code: # setsebool unconfined_mozilla_plugin_transition 0

As root and all were fine until I restarted the computer and have to do it again.  Is there a more permanent solution to this bug?

Comment 9 qualityservicesrus 2013-08-10 14:29:31 UTC
(In reply to Eric Paris from comment #5)
> This is a bug in the Google talk plugin on i686 (x86_64 is not affected). 
> The plugin is being built without basic security compiler flags.  I have
> reached out to a person on the Google Chrome security team and he has
> indicated that he opened bugs internally to fix their non-Chrome products.
> 
> This is not an SELinux problem.  This is SELinux showing the security
> weakness of 3rd party software.  We apologize for this inconvenience.  If
> you are willing to accept the weaker security protections necessary to allow
> this plugin to run, please follow the instructions in comment #4.

Is that a permanent solution?  Before I open firefox I have to enter a code for gtalk to work.

Comment 10 Miroslav Grepl 2013-08-19 12:00:43 UTC
What does

# matchpathcon /opt/google/talkplugin/libnpgoogletalk.so

Comment 11 qualityservicesrus 2013-08-20 11:54:45 UTC
(In reply to Miroslav Grepl from comment #10)
> What does
> 
> # matchpathcon /opt/google/talkplugin/libnpgoogletalk.so

It didn't solve the problem. Whenever I restart I have to enter a temporary code for gmail to work.  When I enter "match"  it didn't even give me temporary relief from this bug.  I appreciate your time for helping me with this situation.

Comment 12 Daniel Walsh 2013-08-28 17:25:00 UTC
 # setsebool -P unconfined_mozilla_plugin_transition 0

Will make it permanent.

Comment 13 qualityservicesrus 2013-08-29 13:33:17 UTC
(In reply to Daniel Walsh from comment #12)
>  # setsebool -P unconfined_mozilla_plugin_transition 0
> 
> Will make it permanent.

Thanks that worked.

