Bug 979733 - SELinux is preventing /usr/lib64/xulrunner/plugin-container from read, write access on the chr_file ptmx.
Status: CLOSED CANTFIX
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
abrt_hash:b195c7e264ee64e34fbc9dfcbb4...
Reported: 2013-06-29 21:36 EDT by Terry A. Hurlbut
Modified: 2013-07-02 07:06 EDT
Doc Type: Bug Fix
Last Closed: 2013-07-02 07:06:10 EDT
Description Terry A. Hurlbut 2013-06-29 21:36:46 EDT
Description of problem:
Attempted to download
SELinux is preventing /usr/lib64/xulrunner/plugin-container from read, write access on the chr_file ptmx.

*****  Plugin mozplugger (99.1 confidence) suggests  *************************

If you want to use the plugin package
Then you must turn off SELinux controls on the Firefox plugins.
Do
# setsebool unconfined_mozilla_plugin_transition 0

*****  Plugin catchall (1.81 confidence) suggests  ***************************

If you believe that plugin-container should be allowed read write access on the ptmx chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep QThread /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023
Target Context                system_u:object_r:ptmx_t:s0
Target Objects                ptmx [ chr_file ]
Source                        QThread
Source Path                   /usr/lib64/xulrunner/plugin-container
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           xulrunner-22.0-1.fc18.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-97.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.9.6-200.fc18.x86_64 #1 SMP Thu Jun 13 18:56:55 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-06-29 21:27:56 EDT
Last Seen                     2013-06-29 21:27:56 EDT
Local ID                      3d406b6c-a570-419b-8fe1-ed0108aeacfe

Raw Audit Messages
type=AVC msg=audit(1372555676.98:465): avc:  denied  { read write } for  pid=23631 comm="QThread" name="ptmx" dev="devtmpfs" ino=1124 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file


type=SYSCALL msg=audit(1372555676.98:465): arch=x86_64 syscall=open success=no exit=EACCES a0=3957178edd a1=2 a2=0 a3=7fd15d3f4590 items=0 ppid=21072 pid=23631 auid=1000 uid=1000 gid=5000 euid=1000 suid=1000 fsuid=1000 egid=5000 sgid=5000 fsgid=5000 ses=17 tty=(none) comm=QThread exe=/usr/lib64/xulrunner/plugin-container subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)

Hash: QThread,mozilla_plugin_t,ptmx_t,chr_file,read,write

audit2allow

#============= mozilla_plugin_t ==============
allow mozilla_plugin_t ptmx_t:chr_file { read write };

audit2allow -R
require {
	type mozilla_plugin_t;
}

#============= mozilla_plugin_t ==============
term_use_ptmx(mozilla_plugin_t)


Additional info:
reporter:       libreport-2.1.4
hashmarkername: setroubleshoot
kernel:         3.9.6-200.fc18.x86_64
type:           libreport
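
Added example (not part of the original report, and not setroubleshoot's or audit2allow's own code): Python that joins the AVC and SYSCALL records above on their shared audit event ID, decodes the open() access mode from `a1`, and rebuilds the rule audit2allow printed. The function names are hypothetical; the two log lines are copied from this report.

```python
import re

# The two records of audit event 465, copied verbatim from this report.
RAW = '''type=AVC msg=audit(1372555676.98:465): avc:  denied  { read write } for  pid=23631 comm="QThread" name="ptmx" dev="devtmpfs" ino=1124 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1372555676.98:465): arch=x86_64 syscall=open success=no exit=EACCES a0=3957178edd a1=2 a2=0 a3=7fd15d3f4590 items=0 ppid=21072 pid=23631 auid=1000 uid=1000 gid=5000 euid=1000 suid=1000 fsuid=1000 egid=5000 sgid=5000 fsgid=5000 ses=17 tty=(none) comm=QThread exe=/usr/lib64/xulrunner/plugin-container subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)
'''

HEAD = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):')
PERMS = re.compile(r'avc:\s+denied\s+\{ ([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
MODES = {0: 'O_RDONLY', 1: 'O_WRONLY', 2: 'O_RDWR'}  # open(2) access modes

def parse_events(text):
    """Group records by (timestamp, serial); return the events holding an AVC denial."""
    events = {}
    for line in text.splitlines():
        m = HEAD.match(line)
        if not m:
            continue
        rtype, ts, serial = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
        ev = events.setdefault((ts, serial), {})
        denied = PERMS.search(line)
        if rtype == 'AVC' and denied:
            ev['avc'] = fields
            ev['perms'] = denied.group(1).split()
        elif rtype == 'SYSCALL':
            ev['syscall'] = fields
    return [e for e in events.values() if 'avc' in e]

def se_type(context):
    """Return the type, the third field of user:role:type:level."""
    return context.split(':')[2]

def summarize(ev):
    """Describe one denial: who asked, via which syscall, and the matching allow rule."""
    avc, sc = ev['avc'], ev.get('syscall', {})
    src, tgt = se_type(avc['scontext']), se_type(avc['tcontext'])
    # audit logs syscall arguments in hex; for open(), a1 carries the flags.
    mode = MODES.get(int(sc['a1'], 16) & 3) if sc.get('syscall') == 'open' else None
    rule = f"allow {src} {tgt}:{avc['tclass']} {{ {' '.join(ev['perms'])} }};"
    return {'exe': sc.get('exe'), 'syscall': sc.get('syscall'),
            'open_mode': mode, 'result': sc.get('exit'), 'rule': rule}

if __name__ == '__main__':
    for event in parse_events(RAW):
        print(summarize(event))
```

Pairing the records shows that the `{ read write }` denial corresponds to a single `open()` with `O_RDWR` on `ptmx` by `plugin-container`, which is narrower than matching every `QThread` line in the audit log.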
Comment 1 Daniel Walsh 2013-07-01 06:20:54 EDT
What was the plugin trying to do?  Run a terminal within Firefox?
Comment 2 Terry A. Hurlbut 2013-07-01 08:49:02 EDT
The plugin was first trying to open the file and display its contents. The file is a spreadsheet, saved under the MS Excel XML protocol, the most common type these days.

And then it was trying to save a copy of the file.

I happen to know the spreadsheet, because I'm the one who loaded it on its host.
Comment 3 Daniel Walsh 2013-07-02 07:06:10 EDT
Well if you want to allow plugins to write to your homedir, then you need to turn off the protection, as stated in the alert message.

If you want to use the plugin package
Then you must turn off SELinux controls on the Firefox plugins.
Do
# setsebool unconfined_mozilla_plugin_transition 0

We can only protect plugins that do not need to write to homedir.
