SELinux ate my bookmarks in F9
Daniel J Walsh
dwalsh at redhat.com
Fri May 23 19:05:36 UTC 2008
Michael Wiktowy wrote:
> Hello,
>
> I triggered a Wine app to open up a URL link and Firefox opened up and
> things went downhill from there. I'm guessing that Wine somehow
> corrupted all the contexts of the Firefox bookmark/places/etc. storage
> files and now SELinux is preventing any of them from being accessed
> ... even after opening up Firefox normally.
>
> Here is an example of the error output by setroubleshoot (but they
> just keep coming for various Firefox related Target Objects every 10
> seconds or so ... on opening Firefox, about 40 are generated
> immediately):
>
> Summary:
>
> SELinux is preventing firefox from creating a file with a context of unlabeled_t
> on a filesystem.
>
> Detailed Description:
>
> SELinux is preventing firefox from creating a file with a context of unlabeled_t
> on a filesystem. Usually this happens when you ask the cp command to maintain
> the context of a file when copying between file systems, "cp -a" for example.
> Not all file contexts should be maintained between the file systems. For
> example, a read-only file type like iso9660_t should not be placed on a r/w
> system. "cp -P" might be a better solution, as this will adopt the default file
> context for the destination.
>
> Allowing Access:
>
> Use a command like "cp -P" to preserve all permissions except SELinux context.
>
> Additional Information:
>
> Source Context unconfined_u:object_r:unlabeled_t
> Target Context system_u:object_r:fs_t
> Target Objects bookmarks-2008-05-22.json [ filesystem ]
> Source firefox
> Source Path /usr/lib/firefox-3.0b5/firefox
> Port <Unknown>
> Host localhost.localdomain
> Source RPM Packages firefox-3.0-0.60.beta5.fc9
> Target RPM Packages
> Policy RPM selinux-policy-3.3.1-51.fc9
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name filesystem_associate
> Host Name localhost.localdomain
> Platform Linux localhost.localdomain 2.6.25.3-18.fc9.i686
> #1 SMP Tue May 13 05:38:53 EDT 2008 i686 athlon
> Alert Count 6
> First Seen Thu 22 May 2008 08:07:34 PM EDT
> Last Seen Thu 22 May 2008 08:09:49 PM EDT
> Local ID d083caff-a8e7-4588-b913-798c14cefdac
> Line Numbers
>
> Raw Audit Messages
>
> host=localhost.localdomain type=AVC msg=audit(1211501389.186:114):
> avc: denied { associate } for pid=3676 comm="firefox"
> name="bookmarks-2008-05-22.json"
> scontext=unconfined_u:object_r:unlabeled_t:s0
> tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
>
> host=localhost.localdomain type=SYSCALL msg=audit(1211501389.186:114):
> arch=40000003 syscall=5 success=no exit=-13 a0=ae38748 a1=82c1 a2=180
> a3=82c1 items=0 ppid=3662 pid=3676 auid=500 uid=500 gid=500 euid=500
> suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1
> comm="firefox" exe="/usr/lib/firefox-3.0b5/firefox"
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
>
> I suspect a 'touch /.autorelabel; reboot' will fix this but I would
> also suspect that it will just happen again as soon as Wine triggers
> another URL loading.
>
> I will try to pack some more info into a bugzilla (if there is not
> already one) but I figured I would give the SELinux gurus a heads up
> since I haven't seen this issue raised yet.
>
> /Mike
>
Please open a bugzilla.
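
An added example, not part of either message above: a small Python triage script that parses raw AVC records like the one quoted in the report and groups `associate` denials whose source type is `unlabeled_t` by process and file name. The first sample line is the quoted record joined onto one line; the second record's file name and timestamp are constructed placeholders, and all function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample: line 1 is the AVC record quoted in the post, joined onto
# one line; line 2 is a constructed variant with a placeholder file name;
# line 3 is a shortened SYSCALL record that the parser must skip.
SAMPLE = '''\
host=localhost.localdomain type=AVC msg=audit(1211501389.186:114): avc: denied { associate } for pid=3676 comm="firefox" name="bookmarks-2008-05-22.json" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
host=localhost.localdomain type=AVC msg=audit(1211501399.201:120): avc: denied { associate } for pid=3676 comm="firefox" name="example-placeholder.sqlite" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
host=localhost.localdomain type=SYSCALL msg=audit(1211501389.186:114): arch=40000003 syscall=5 success=no exit=-13 comm="firefox"
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of fields for an AVC denial line, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    return rec

def context_type(ctx):
    """Type field of a user:role:type[:level] context, or '' if malformed."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else ''

def unlabeled_associate_denials(text):
    """Map comm -> file names denied 'associate' with an unlabeled_t source."""
    hits = defaultdict(list)
    for line in text.splitlines():
        rec = parse_avc(line)
        if not rec or 'associate' not in rec['perms']:
            continue
        if (rec.get('tclass') == 'filesystem'
                and context_type(rec.get('scontext', '')) == 'unlabeled_t'):
            hits[rec.get('comm', '?')].append(rec.get('name', '?'))
    return dict(hits)

if __name__ == '__main__':
    for comm, names in unlabeled_associate_denials(SAMPLE).items():
        print(f'{comm}: {len(names)} unlabeled_t associate denial(s): {names}')
```

Records pasted from mail are usually wrapped, so join each record onto a single line before passing it to the parser.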