SELinux ate my bookmarks in F9

Daniel J Walsh dwalsh at redhat.com
Fri May 23 19:05:36 UTC 2008


Michael Wiktowy wrote:
> Hello,
> 
> I triggered a Wine app to open up a URL link and Firefox opened up and
> things went downhill from there. I'm guessing that Wine somehow
> corrupted all the contexts of the Firefox bookmark/places/etc. storage
> files and now SELinux is preventing any of them from being accessed
> ... even after opening up Firefox normally.
> 
> Here is an example of the error output by setroubleshoot (but they
> just keep coming for various Firefox related Target Objects every 10
> seconds or so ... on opening Firefox, about 40 are generated
> immediately):
> 
> Summary:
> 
> SELinux is preventing firefox from creating a file with a context of unlabeled_t
> on a filesystem.
> 
> Detailed Description:
> 
> SELinux is preventing firefox from creating a file with a context of unlabeled_t
> on a filesystem. Usually this happens when you ask the cp command to maintain
> the context of a file when copying between file systems, "cp -a" for example.
> Not all file contexts should be maintained between the file systems. For
> example, a read-only file type like iso9660_t should not be placed on a r/w
> system. "cp -P" might be a better solution, as this will adopt the default file
> context for the destination.
> 
> Allowing Access:
> 
> Use a command like "cp -P" to preserve all permissions except SELinux context.
> 
> Additional Information:
> 
> Source Context                unconfined_u:object_r:unlabeled_t
> Target Context                system_u:object_r:fs_t
> Target Objects                bookmarks-2008-05-22.json [ filesystem ]
> Source                        firefox
> Source Path                   /usr/lib/firefox-3.0b5/firefox
> Port                          <Unknown>
> Host                          localhost.localdomain
> Source RPM Packages           firefox-3.0-0.60.beta5.fc9
> Target RPM Packages
> Policy RPM                    selinux-policy-3.3.1-51.fc9
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   filesystem_associate
> Host Name                     localhost.localdomain
> Platform                      Linux localhost.localdomain 2.6.25.3-18.fc9.i686
>                               #1 SMP Tue May 13 05:38:53 EDT 2008 i686 athlon
> Alert Count                   6
> First Seen                    Thu 22 May 2008 08:07:34 PM EDT
> Last Seen                     Thu 22 May 2008 08:09:49 PM EDT
> Local ID                      d083caff-a8e7-4588-b913-798c14cefdac
> Line Numbers
> 
> Raw Audit Messages
> 
> host=localhost.localdomain type=AVC msg=audit(1211501389.186:114):
> avc:  denied  { associate } for  pid=3676 comm="firefox"
> name="bookmarks-2008-05-22.json"
> scontext=unconfined_u:object_r:unlabeled_t:s0
> tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
> 
> host=localhost.localdomain type=SYSCALL msg=audit(1211501389.186:114):
> arch=40000003 syscall=5 success=no exit=-13 a0=ae38748 a1=82c1 a2=180
> a3=82c1 items=0 ppid=3662 pid=3676 auid=500 uid=500 gid=500 euid=500
> suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1
> comm="firefox" exe="/usr/lib/firefox-3.0b5/firefox"
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> 
> I suspect a 'touch /.autorelabel; reboot' will fix this but I would
> also suspect that it will just happen again as soon as Wine triggers
> another URL loading.
> 
> I will try to pack some more info into a bugzilla (if there is not
> already one) but I figured I would give the SELinux gurus a heads up
> since I haven't seen this issue raised yet.
> 
> /Mike
> 
Please open a bugzilla.




More information about the fedora-test-list mailing list