Description of problem:
When I ran "mozilla-plugin-config" after updating my plugins I got the error message

/usr/bin/mozilla-plugin-config: line 72: /usr/lib64/nspluginwrapper/plugin-config: Permission denied

It seems to be SELinux related somehow; if I do "setenforce Permissive" it goes away. But an "ausearch -m avc" does not report any AVCs. Not even after I do "semanage dontaudit on"! I don't understand what is going on.

Version-Release number of selected component (if applicable):
nspluginwrapper-1.4.4-17.fc19.x86_64
nspluginwrapper-1.4.4-17.fc19.i686
selinux-policy-targeted-3.12.1-47.fc19.noarch
selinux-policy-3.12.1-47.fc19.noarch
kernel-3.9.4-300.fc19.x86_64

How reproducible:
Every time

Steps to Reproduce:
1. sudo mozilla-plugin-config -i

Actual results:
Error message as above.

Expected results:
No error message. (And a couple of links set up for firefox plugins.)

Additional info:
A detail I've noted and find confusing is that the policy package includes a policy of version 29, but the kernel seems to expect a policy of version 28.

23:08 freddi$ ls /etc/selinux/targeted/policy
policy.29
23:08 freddi$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

I'm not sure it is related, but I thought I'd mention it just in case.
Did it work in permissive mode? Is auditd running?
Yes, in permissive mode it works. Yes, auditd is running. If I provoke other AVCs, they show up in the log as usual.
Turn off the dontaudit rules.

# semodule -DB

Execute the command again.
I mentioned I did turn off the dontaudit rules with "semanage dontaudit on/off" already, and I didn't get any AVCs. As I understand it, that has the same effect as "semodule -DB". But just to be on the safe side, I did it using semodule too, and still don't get anything.

# semodule -DB
# date
Sat Jun 8 23:26:01 CEST 2013
# mozilla-plugin-config -i
/usr/bin/mozilla-plugin-config: line 72: /usr/lib64/nspluginwrapper/plugin-config: Permission denied
# ausearch -m avc -ts 23:26
<no matches>

If I switch to permissive mode the command works. Now I also do get a lot of AVCs. Presumably things normally don't-audited. I assume these don't really matter, but just in case I include those too.

# setenforce Permissive
# date
Sat Jun 8 23:28:01 CEST 2013
# mozilla-plugin-config -i
# ausearch -m avc -ts 23:28
----
time->Sat Jun 8 23:28:03 2013
type=SYSCALL msg=audit(1370726883.852:9775): arch=c000003e syscall=59 per=8 success=yes exit=0 a0=7fffa901503c a1=7fffa9013080 a2=7fffa90130a8 a3=7fffa9012d30 items=0 ppid=7817 pid=7818 auid=1003 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 ses=609 tty=pts4 comm="npviewer.bin" exe="/usr/lib/nspluginwrapper/npviewer.bin" subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1370726883.852:9775): avc: denied { noatsecure } for pid=7818 comm="npviewer.bin" scontext=unconfined_u:unconfined_r:mozilla_plugin_config_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1370726883.852:9775): avc: denied { siginh } for pid=7818 comm="npviewer.bin" scontext=unconfined_u:unconfined_r:mozilla_plugin_config_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1370726883.852:9775): avc: denied { rlimitinh } for pid=7818 comm="npviewer.bin" scontext=unconfined_u:unconfined_r:mozilla_plugin_config_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1370726883.852:9775): avc: denied { read write } for pid=7818 comm="npviewer.bin" path="/dev/pts/4" dev="devpts" ino=7 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
(Maybe "a lot of" was an exaggeration. But at least "some".) :-)
Execute

# grep user_devpts_t /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
# setenforce 1

and re-test.
Tried it, but it didn't make any difference. For your reference, the (non-header) part of the generated module looks like this:

#!!!! This avc has a dontaudit rule in the current policy
allow mozilla_plugin_t user_devpts_t:chr_file { read write append };
Ok, I see the bug.

commit 976684d2fe8da2b62e4622cd313559ddcc04ced9
Author: Miroslav Grepl <mgrepl>
Date:   Wed Jun 12 11:18:47 2013 +0200

    mozilla_plugin_config_roles need to be able to access mozilla_plugin_config_t
Good you figured it out. Did you also understand why I didn't get any AVCs?
Basically there was a problem with a role which was not able to access the mozilla_plugin_config_t type. You won't see AVC messages, but rather a

libsepol.sepol_context_to_sid: could not convert staff_u:staff_r:mozilla_plugin_config_t:s0-s0:c0.c1023 to sid

error message.
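A small diagnostic for the situation described in this comment, added here as an example and not part of the bug report or of the selinux-policy package: it parses AVC records in the format quoted earlier in the thread and also picks up the libsepol "could not convert ... to sid" message, reporting the role/type pair that the policy must authorize. The sample log is constructed from the lines quoted in the thread, and the seinfo hint in the output is an assumption about the tool a reader would use to list a role's types.

```python
import re

# Constructed sample log for this example: the AVC records follow the ausearch
# format quoted earlier in the thread; the last line is the libsepol message
# the explanation above says appears instead of an AVC.
SAMPLE_LOG = """\
type=AVC msg=audit(1370726883.852:9775): avc:  denied  { noatsecure } for  pid=7818 comm="npviewer.bin" scontext=unconfined_u:unconfined_r:mozilla_plugin_config_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1370726883.852:9775): avc:  denied  { read write } for  pid=7818 comm="npviewer.bin" path="/dev/pts/4" dev="devpts" ino=7 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
libsepol.sepol_context_to_sid: could not convert staff_u:staff_r:mozilla_plugin_config_t:s0-s0:c0.c1023 to sid
"""

AVC_RE = re.compile(r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?"
                    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)")
SID_RE = re.compile(r"sepol_context_to_sid: could not convert (?P<ctx>\S+) to sid")

def split_context(ctx):
    """Split user:role:type[:mls-range] into a dict; the MLS range is optional."""
    p = ctx.split(":", 3)
    return {"user": p[0], "role": p[1], "type": p[2], "range": p[3] if len(p) > 3 else None}

def parse_lines(text):
    """Return (avc_denials, sid_failures) found in the log text."""
    avcs, sid_failures = [], []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            avcs.append({"perms": m["perms"].split(), "tclass": m["tclass"],
                         "scontext": split_context(m["scontext"]),
                         "tcontext": split_context(m["tcontext"])})
            continue
        m = SID_RE.search(line)
        if m:
            sid_failures.append(split_context(m["ctx"]))
    return avcs, sid_failures

def diagnose(text):
    """One finding per record. A rejected context is a validity failure (the role
    is not authorized for the type) that happens before any access check, so it
    never produces an AVC; the finding names the role/type pair to fix."""
    avcs, sid_failures = parse_lines(text)
    findings = [f"AVC: {a['scontext']['type']} -> {a['tcontext']['type']} "
                f"{a['tclass']} {{ {' '.join(a['perms'])} }}" for a in avcs]
    for c in sid_failures:
        findings.append(f"no AVC, but context rejected: role {c['role']} is not "
                        f"authorized for type {c['type']} (list the role's types "
                        f"with 'seinfo -r {c['role']} -x')")  # assumed tool/flags
    return findings

if __name__ == "__main__":
    print("\n".join(diagnose(SAMPLE_LOG)))
```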
selinux-policy-3.12.1-52.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-52.fc19
Right, I see the error messages now. Thanks for the explanation!
selinux-policy-3.12.1-52.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.