SELinux alert when running yum update

Thomas Cameron thomas.cameron at camerontech.com
Sat Nov 29 19:03:13 UTC 2008


Colin Paul Adams wrote:
> After upgrading my system from F9 to F10 I ran a yum update.
> 
> The following occurred:
> 
> Summary:
> 
> SELinux is preventing npviewer.bin (nsplugin_t) "search" to ./.fontconfig
> (unlabeled_t).
> 
> Detailed Description:
> 
> SELinux denied access requested by npviewer.bin. It is not expected that this
> access is required by npviewer.bin and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
> 
> Allowing Access:
> 
> Sometimes labeling problems can cause SELinux denials. You could try to restore
> the default system file context for ./.fontconfig,
> 
> restorecon -v './.fontconfig'
> 
> If this does not work, there is currently no automatic way to allow this access.
> Instead, you can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
> 
> Additional Information:
> 
> Source Context                unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c102
>                               3
> Target Context                system_u:object_r:unlabeled_t:s0
> Target Objects                ./.fontconfig [ dir ]
> Source                        npviewer.bin
> Source Path                   /usr/lib/nspluginwrapper/npviewer.bin
> Port                          <Unknown>
> Host                          susannah.colina.demon.co.uk
> Source RPM Packages           nspluginwrapper-1.1.2-4.fc10
> Target RPM Packages           
> Policy RPM                    selinux-policy-3.5.13-18.fc10
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall_file
> Host Name                     susannah.colina.demon.co.uk
> Platform                      Linux susannah.colina.demon.co.uk
>                               2.6.27.5-117.fc10.x86_64 #1 SMP Tue Nov 18
>                               11:58:53 EST 2008 x86_64 x86_64
> Alert Count                   37
> First Seen                    Sat 29 Nov 2008 15:33:18 GMT
> Last Seen                     Sat 29 Nov 2008 15:33:28 GMT
> Local ID                      925c2472-2846-47c2-96f9-bccaadb1aaef
> Line Numbers                  
> 
> Raw Audit Messages            
> 
> node=susannah.colina.demon.co.uk type=AVC msg=audit(1227972808.92:117): avc:  denied  { search } for  pid=3733 comm="npviewer.bin" name=".fontconfig" dev=dm-1 ino=19301092 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
> 
> node=susannah.colina.demon.co.uk type=SYSCALL msg=audit(1227972808.92:117): arch=40000003 syscall=5 per=8 success=no exit=-13 a0=87d4d48 a1=0 a2=a5517200 a3=ffffffff items=0 ppid=3588 pid=3733 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=1 comm="npviewer.bin" exe="/usr/lib/nspluginwrapper/npviewer.bin" subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null)
> 
> And if I try to raise the bug I get:
> 
> ERROR
> The requested URL could not be retrieved
> 

You can do a couple of things.  First, it's probably not a bad idea to 
run these commands as root:

restorecon -vR /home
restorecon -vR /usr

Then try again by opening your browser and going to a page that caused 
errors before.  If it still doesn't work you can use audit2allow to 
create a policy.  I set up all my policies in a directory called 
/root/selinux.  So as root, do this:

mkdir selinux
cd selinux
setenforce 0
# open your web browser and go to a page with the plugin
# no -a here: with -a, audit2allow reads the whole audit log and ignores the piped grep output
grep npviewer.bin /var/log/audit/audit.log | audit2allow -M npviewer
# review npviewer.te to make sure it looks right.
semodule -i npviewer.pp
setenforce 1
# open your browser to see if the plugin works now

Hope this helps!
-- 
Thomas
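
Added example, not part of the message above or of any Fedora tool: a triage pass over AVC records before they go to audit2allow, separating denials whose target type is unlabeled_t (a labeling problem, which the restorecon step is meant to clear) from denials that remain candidates for a local module. The first sample record is the one quoted in the alert; the second record and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Line 1: AVC record quoted in the alert. Lines 2-3: constructed sample records.
SAMPLE_LOG = """\
node=susannah.colina.demon.co.uk type=AVC msg=audit(1227972808.92:117): avc:  denied  { search } for  pid=3733 comm="npviewer.bin" name=".fontconfig" dev=dm-1 ino=19301092 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
type=AVC msg=audit(1227972900.10:130): avc:  denied  { read } for  pid=3733 comm="npviewer.bin" name="example.conf" dev=dm-1 ino=42 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1227972900.10:130): arch=40000003 syscall=5 success=no comm="npviewer.bin"
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for an AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= rec.keys():
        return None
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type:level; the type is always the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def triage(log_text, comm):
    """Split denials for `comm` into (relabel, review) maps of
    (source type, target type, class) -> set of denied permissions."""
    relabel, review = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec.get("comm") != comm:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        # unlabeled_t means the object has no valid label: relabel, don't allow.
        bucket = relabel if rec["ttype"] == "unlabeled_t" else review
        bucket[key].update(rec["perms"])
    return dict(relabel), dict(review)

if __name__ == "__main__":
    relabel, review = triage(SAMPLE_LOG, "npviewer.bin")
    for key, perms in relabel.items():
        print("fix with restorecon:", key, sorted(perms))
    for key, perms in review.items():
        print("review before audit2allow:", key, sorted(perms))
```
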



