Fedora 17, SELinux & GoogleTalkPlugin
Daniel J Walsh
dwalsh at redhat.com
Mon Jun 18 15:05:47 UTC 2012
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 06/16/2012 05:14 AM, Stevo Slavić wrote:
> Hello Fedora community,
>
> I've just upgraded Fedora 16 to 17 using PreUpgrade. After second restart I
> was welcomed by SELinux alert (see [1] for alert details). This bug,
> https://bugzilla.redhat.com/show_bug.cgi?id=704591 , seems related but it's
> labelled as fixed in older version of selinux-policy. Maybe regression
> issue? Should I reopen bug or report another one? Is it a bug at all - I'm
> not sure whether "GoogleTalkPlugin should be allowed getattr access on the
> gpmctl sock_file by default".
>
> Kind regards, Stevo.
>
>
>
> [1] SELinux alert details
>
> SELinux is preventing /opt/google/talkplugin/GoogleTalkPlugin from getattr
> access on the sock_file /dev/gpmctl.
>
> ***** Plugin catchall (100. confidence) suggests
> ***************************
>
> If you believe that GoogleTalkPlugin should be allowed getattr access on
> the gpmctl sock_file by default. Then you should report this as a bug. You
> can generate a local policy module to allow this access. Do allow this
> access for now by executing: # grep GoogleTalkPlugi
> /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp
>
> Additional Information: Source Context
> unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c 0.c1023 Target Context
> system_u:object_r:gpmctl_t:s0 Target Objects /dev/gpmctl [
> sock_file ] Source GoogleTalkPlugi Source Path
> /opt/google/talkplugin/GoogleTalkPlugin Port
> <Unknown> Host sslavic Source RPM Packages
> google-talkplugin-2.9.10.0-1.x86_64 Target RPM Packages Policy RPM
> selinux-policy-3.10.0-128.fc17.noarch Selinux Enabled True
> Policy Type targeted Enforcing Mode
> Enforcing Host Name sslavic Platform
> Linux sslavic 3.4.0-1.fc17.x86_64 #1 SMP Sun Jun 3 06:35:17 UTC 2012 x86_64
> x86_64 Alert Count 4 First Seen Sat 16
> Jun 2012 10:36:53 AM CEST Last Seen Sat 16 Jun 2012
> 10:36:54 AM CEST Local ID
> c1545ce3-f86b-4e20-b078-8db9db556a52
>
> Raw Audit Messages type=AVC msg=audit(1339835814.939:165): avc: denied {
> getattr } for pid=8507 comm="GoogleTalkPlugi" path="/dev/gpmctl"
> dev="devtmpfs" ino=15878
> scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:gpmctl_t:s0 tclass=sock_file
>
>
> type=SYSCALL msg=audit(1339835814.939:165): arch=x86_64 syscall=stat
> success=no exit=EACCES a0=23fc998 a1=23fd580 a2=23fd580 a3=24 items=0
> ppid=1 pid=8507 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000
> egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm=GoogleTalkPlugi
> exe=/opt/google/talkplugin/GoogleTalkPlugin
> subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)
>
> Hash: GoogleTalkPlugi,mozilla_plugin_t,gpmctl_t,sock_file,getattr
>
> audit2allowunable to open /sys/fs/selinux/policy: Permission denied
>
>
> audit2allow -Runable to open /sys/fs/selinux/policy: Permission denied
>
>
>
>
>
This should be dontaudited and can be safely ignored, Basically the plugin is
doing an ls -l /dev, and this is generating the AVC. GoolgeTalkPlugin has no
need to interact with gpmctl.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk/fQ8sACgkQrlYvE4MpobO5GgCfcjzn78bg+tHbnHshwKfhZdBY
QXwAnimDhHl8Z9tqvKmWqWNkVsdX8Sos
=nbsl
-----END PGP SIGNATURE-----
More information about the users
mailing list