Bug 970781 - mozilla-plugin-config fails to execute plugin-config
mozilla-plugin-config fails to execute plugin-config
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
19
x86_64 Linux
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-06-04 17:09 EDT by Göran Uddeborg
Modified: 2013-06-14 23:07 EDT (History)
2 users (show)

See Also:
Fixed In Version: selinux-policy-3.12.1-52.fc19
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-06-14 23:07:21 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Göran Uddeborg 2013-06-04 17:09:59 EDT
Description of problem:
When I ran "mozilla-plugin-config" after updating my plugins I got the error message

/usr/bin/mozilla-plugin-config: line 72: /usr/lib64/nspluginwrapper/plugin-config: Permission denied

It seems to be SELinux related somehow; if I do "setenforce Permissive" it goes away.  But an "ausearch -m avc" does not report any AVC:s.  Not even after I do "semanage dontaudit on"!  I don't understand what is going on.

Version-Release number of selected component (if applicable):
nspluginwrapper-1.4.4-17.fc19.x86_64
nspluginwrapper-1.4.4-17.fc19.i686
selinux-policy-targeted-3.12.1-47.fc19.noarch
selinux-policy-3.12.1-47.fc19.noarch
kernel-3.9.4-300.fc19.x86_64


How reproducible:
Every time

Steps to Reproduce:
1. sudo mozilla-plugin-config -i

Actual results:
Error message as above.

Expected results:
No error message.  (And a couple of links set up for firefox plugins.)

Additional info:
A detail I've noted and find confusing is that the policy package includes a policy of version 29, but the kernel seems to expect a policy of version 28.

23:08 freddi$ ls /etc/selinux/targeted/policy
policy.29
23:08 freddi$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

I'm not sure it is related, but I thought I'd mention it just in case.
Comment 1 Miroslav Grepl 2013-06-07 04:52:45 EDT
Did it work in permissive mode? Is auditd running?
Comment 2 Göran Uddeborg 2013-06-07 17:04:07 EDT
Yes, in permissive mode it works.

Yes, auditd is running.  If I provoke other AVC:s, they show up in the log as usual.
Comment 3 Daniel Walsh 2013-06-08 06:03:54 EDT
Turn off the dontaudit rules.

semodule -DB

Execute the command again.
Comment 4 Göran Uddeborg 2013-06-08 17:34:30 EDT
I mentioned I did turn off the dontaudit rules with "semanage dontaudit on/off" already, and I didn't get any AVC:s.  As I understand it, that has the same effect as "semodule -DB".  But just to be on the safe side, I did it using semodule too, and still don't get anything.

# semodule -DB
# date
Sat Jun  8 23:26:01 CEST 2013
# mozilla-plugin-config -i
/usr/bin/mozilla-plugin-config: line 72: /usr/lib64/nspluginwrapper/plugin-config: Permission denied
# ausearch -m avc -ts 23:26
<no matches>

If I switch to permissive mode the command works.  Now I also do get a lot of AVC:s.  Presumably things normally don't-audited.  I assume these don't really matter, but just in case I include those too.

# setenforce Permissive
# date
Sat Jun  8 23:28:01 CEST 2013
# mozilla-plugin-config -i
# ausearch -m avc -ts 23:28
----
time->Sat Jun  8 23:28:03 2013
type=SYSCALL msg=audit(1370726883.852:9775): arch=c000003e syscall=59 per=8 success=yes exit=0 a0=7fffa901503c a1=7fffa9013080 a2=7fffa90130a8 a3=7fffa9012d30 items=0 ppid=7817 pid=7818 auid=1003 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 ses=609 tty=pts4 comm="npviewer.bin" exe="/usr/lib/nspluginwrapper/npviewer.bin" subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1370726883.852:9775): avc:  denied  { noatsecure } for  pid=7818 comm="npviewer.bin" scontext=unconfined_u:unconfined_r:mozilla_plugin_config_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1370726883.852:9775): avc:  denied  { siginh } for  pid=7818 comm="npviewer.bin" scontext=unconfined_u:unconfined_r:mozilla_plugin_config_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1370726883.852:9775): avc:  denied  { rlimitinh } for  pid=7818 comm="npviewer.bin" scontext=unconfined_u:unconfined_r:mozilla_plugin_config_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1370726883.852:9775): avc:  denied  { read write } for  pid=7818 comm="npviewer.bin" path="/dev/pts/4" dev="devpts" ino=7 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
Comment 5 Göran Uddeborg 2013-06-08 17:36:12 EDT
(Maybe "a lot of" was an exaggeration.  But at least "some".) :-)
Comment 6 Miroslav Grepl 2013-06-11 10:30:59 EDT
Execute

# grep user_devpts_t /var/log/audit/audit.log |audit2allow -M mypol
# semodule -i mypol.pp
# setenforce 1

and re-test.
Comment 7 Göran Uddeborg 2013-06-11 14:40:15 EDT
Tried it, but it didn't make any difference.

For your reference, the (non-header) part of the generated module looks like this

#!!!! This avc has a dontaudit rule in the current policy
allow mozilla_plugin_t user_devpts_t:chr_file { read write append };
Comment 8 Miroslav Grepl 2013-06-12 05:49:55 EDT
Ok, I see the bug.

commit 976684d2fe8da2b62e4622cd313559ddcc04ced9
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Wed Jun 12 11:18:47 2013 +0200

    mozilla_plugin_config_roles need to be able to access mozilla_plugin_config_t
Comment 9 Göran Uddeborg 2013-06-13 16:35:23 EDT
Good you figured it out.  Did you also understand why I didn't get any AVC:s?
Comment 10 Miroslav Grepl 2013-06-14 01:52:18 EDT
Basically there was a problem with a role which was not able to access the mozilla_plugin_config_t type. You won't see AVC msgs but 

libsepol.sepol_context_to_sid: could not convert staff_u:staff_r:mozilla_plugin_config_t:s0-s0:c0.c1023 to sid

error message.
Comment 11 Fedora Update System 2013-06-14 03:24:29 EDT
selinux-policy-3.12.1-52.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-52.fc19
Comment 12 Göran Uddeborg 2013-06-14 14:36:44 EDT
Right, I see the error messages now.  Thanks for the explanation!
Comment 13 Fedora Update System 2013-06-14 23:07:21 EDT
selinux-policy-3.12.1-52.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.