After upgrading my system from F9 to F10 I ran a yum update.
The following occurred:
Summary:
SELinux is preventing npviewer.bin (nsplugin_t) "search" to ./.fontconfig (unlabeled_t).
Detailed Description:
SELinux denied access requested by npviewer.bin. It is not expected that this access is required by npviewer.bin and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./.fontconfig,
restorecon -v './.fontconfig'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c102 3 Target Context system_u:object_r:unlabeled_t:s0 Target Objects ./.fontconfig [ dir ] Source npviewer.bin Source Path /usr/lib/nspluginwrapper/npviewer.bin Port <Unknown> Host susannah.colina.demon.co.uk Source RPM Packages nspluginwrapper-1.1.2-4.fc10 Target RPM Packages Policy RPM selinux-policy-3.5.13-18.fc10 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall_file Host Name susannah.colina.demon.co.uk Platform Linux susannah.colina.demon.co.uk 2.6.27.5-117.fc10.x86_64 #1 SMP Tue Nov 18 11:58:53 EST 2008 x86_64 x86_64 Alert Count 37 First Seen Sat 29 Nov 2008 15:33:18 GMT Last Seen Sat 29 Nov 2008 15:33:28 GMT Local ID 925c2472-2846-47c2-96f9-bccaadb1aaef Line Numbers
Raw Audit Messages
node=susannah.colina.demon.co.uk type=AVC msg=audit(1227972808.92:117): avc: denied { search } for pid=3733 comm="npviewer.bin" name=".fontconfig" dev=dm-1 ino=19301092 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
node=susannah.colina.demon.co.uk type=SYSCALL msg=audit(1227972808.92:117): arch=40000003 syscall=5 per=8 success=no exit=-13 a0=87d4d48 a1=0 a2=a5517200 a3=ffffffff items=0 ppid=3588 pid=3733 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=1 comm="npviewer.bin" exe="/usr/lib/nspluginwrapper/npviewer.bin" subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null)
And if I try to raise tyhe bug I get:
ERROR The requested URL could not be retrieved
Colin Paul Adams wrote:
After upgrading my system from F9 to F10 I ran a yum update.
The following occurred:
Summary:
SELinux is preventing npviewer.bin (nsplugin_t) "search" to ./.fontconfig (unlabeled_t).
Detailed Description:
SELinux denied access requested by npviewer.bin. It is not expected that this access is required by npviewer.bin and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./.fontconfig,
restorecon -v './.fontconfig'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c102 3 Target Context system_u:object_r:unlabeled_t:s0 Target Objects ./.fontconfig [ dir ] Source npviewer.bin Source Path /usr/lib/nspluginwrapper/npviewer.bin Port <Unknown> Host susannah.colina.demon.co.uk Source RPM Packages nspluginwrapper-1.1.2-4.fc10 Target RPM Packages Policy RPM selinux-policy-3.5.13-18.fc10 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall_file Host Name susannah.colina.demon.co.uk Platform Linux susannah.colina.demon.co.uk 2.6.27.5-117.fc10.x86_64 #1 SMP Tue Nov 18 11:58:53 EST 2008 x86_64 x86_64 Alert Count 37 First Seen Sat 29 Nov 2008 15:33:18 GMT Last Seen Sat 29 Nov 2008 15:33:28 GMT Local ID 925c2472-2846-47c2-96f9-bccaadb1aaef Line Numbers
Raw Audit Messages
node=susannah.colina.demon.co.uk type=AVC msg=audit(1227972808.92:117): avc: denied { search } for pid=3733 comm="npviewer.bin" name=".fontconfig" dev=dm-1 ino=19301092 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
node=susannah.colina.demon.co.uk type=SYSCALL msg=audit(1227972808.92:117): arch=40000003 syscall=5 per=8 success=no exit=-13 a0=87d4d48 a1=0 a2=a5517200 a3=ffffffff items=0 ppid=3588 pid=3733 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=1 comm="npviewer.bin" exe="/usr/lib/nspluginwrapper/npviewer.bin" subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null)
And if I try to raise tyhe bug I get:
ERROR The requested URL could not be retrieved
You can do a couple of things. First, it's probably not a bad idea to run these commands as root:
restorecon -vR /home restorecon -vR /usr
Then try again by opening your browser and going to a page that caused errors before. If it still doesn't work you can use audit2allow to create a policy. I set up all my policies in a directory called /root/selinux. So as root, do this:
mkdir selinux cd selinux setenforce 0 # open your web browser and go to a page with the plugin grep npviewer.bin /var/log/audit/audit.log | audit2allow -a -M npviewer # review npviewer.te so make sure it looks right. semodule -i npviewer.pp setenforce 1 # open your browser to see if the plugin works now
Hope this helps!
"Thomas" == Thomas Cameron thomas.cameron@camerontech.com writes:
You can do a couple of things. First, it's probably not a bad idea to Thomas> run these commands as root:
Thomas> restorecon -vR /home restorecon -vR /usr
OK. I've done that.
Thomas> Then try again by opening your browser and going to a page Thomas> that caused errors before. If it still doesn't work you
I don't know of a page that caused errors before.
Thomas> can use audit2allow to create a policy. I set up all my Thomas> policies in a directory called /root/selinux. So as root, Thomas> do this:
Thomas> mkdir selinux cd selinux setenforce 0 # open your web
I did that too.
Thomas> browser and go to a page with the plugin grep npviewer.bin Thomas> /var/log/audit/audit.log | audit2allow -a -M npviewer # Thomas> review npviewer.te so make sure it looks right.
I don't know what a page with the plugin is.
Thomas> semodule -i npviewer.pp setenforce 1
semodule: Could not read file 'npviewer.pp': No such file or directory
Colin Paul Adams wrote:
"Thomas" == Thomas Cameron thomas.cameron@camerontech.com writes:
You can do a couple of things. First, it's probably not a bad idea to Thomas> run these commands as root:
Thomas> restorecon -vR /home restorecon -vR /usrOK. I've done that.
Thomas> Then try again by opening your browser and going to a page Thomas> that caused errors before. If it still doesn't work youI don't know of a page that caused errors before.
Eh? What were you doing when you got the SELinux denial before? Can you do it again?
Thomas> can use audit2allow to create a policy. I set up all my Thomas> policies in a directory called /root/selinux. So as root, Thomas> do this: Thomas> mkdir selinux cd selinux setenforce 0 # open your webI did that too.
Thomas> browser and go to a page with the plugin grep npviewer.bin Thomas> /var/log/audit/audit.log | audit2allow -a -M npviewer # Thomas> review npviewer.te so make sure it looks right.I don't know what a page with the plugin is.
Probably a flash based page.
Thomas> semodule -i npviewer.pp setenforce 1semodule: Could not read file 'npviewer.pp': No such file or directory
Did you look at the npviewer.te file? Is there anything in it?
TC
"Thomas" == Thomas Cameron thomas.cameron@camerontech.com writes:
Thomas> Then try again by opening your browser and going to a page Thomas> that caused errors before. If it still doesn't work you >> >> I don't know of a page that caused errors before.
Thomas> Eh? What were you doing when you got the SELinux denial Thomas> before? Can you do it again?
I don't know what I was doing at the time. I certainly wasn't having any trouble with FireFox.
Thomas> Did you look at the npviewer.te file? Is there anything Thomas> in it?
There is no such file on my system (according to the locate command).
Colin Paul Adams wrote:
"Thomas" == Thomas Cameron thomas.cameron@camerontech.com writes:
Thomas> Then try again by opening your browser and going to a page Thomas> that caused errors before. If it still doesn't work you >> >> I don't know of a page that caused errors before. Thomas> Eh? What were you doing when you got the SELinux denial Thomas> before? Can you do it again?I don't know what I was doing at the time. I certainly wasn't having any trouble with FireFox.
Thomas> Did you look at the npviewer.te file? Is there anything Thomas> in it?There is no such file on my system (according to the locate command).
OK, I'm reading your initial post - you got an SELinux alert about npviewer.bin, right? See this message:
https://www.redhat.com/archives/fedora-list/2008-November/msg02919.html
npviewer.bin is a Firefox plugin for Adobe Flash. So I talked about how to set a policy to allow npviewer.bin to run. Specifically I said to run this command:
grep npviewer.bin /var/log/audit/audit.log | audit2allow -a -M npviewer
Then I said to check the contents of npviewer.te. See this post:
https://www.redhat.com/archives/fedora-list/2008-November/msg02951.html
Apparently you did not check for that file.
Additionally, what you describe in the subject vs. what you are seeing in audit.log doesn't match. The output from sealert clearly describes a problem with npviewer.bin, the Adobe plugin.
Why don't you go back over your audit.log and find the actual problem you are having and then re-post, I'd be glad to help out if I can.
-
Colin Paul Adams -
thomas cameron