nspluginwrapper policy issue
Daniel J Walsh
dwalsh at redhat.com
Wed Aug 13 17:27:06 UTC 2008
Rahul Sundaram wrote:
> Hi,
>
>
> Summary:
>
> SELinux is preventing npviewer.bin (nsplugin_t) "getattr" to /dev/dri/card0 (dri_device_t).
>
> Detailed Description:
>
> SELinux denied access requested by npviewer.bin. It is not expected that this
> access is required by npviewer.bin and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
>
> Allowing Access:
>
> Sometimes labeling problems can cause SELinux denials. You could try to restore
> the default system file context for /dev/dri/card0,
>
> restorecon -v '/dev/dri/card0'
>
> If this does not work, there is currently no automatic way to allow this access.
> Instead, you can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context        unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023
> Target Context        system_u:object_r:dri_device_t:s0
> Target Objects        /dev/dri/card0 [ chr_file ]
> Source                npviewer.bin
> Source Path           /usr/lib/nspluginwrapper/npviewer.bin
> Port                  <Unknown>
> Host                  localhost.localdomain
> Source RPM Packages   nspluginwrapper-1.1.0-5.fc10
> Target RPM Packages
> Policy RPM            selinux-policy-3.5.1-4.fc10
> Selinux Enabled       True
> Policy Type           targeted
> MLS Enabled           True
> Enforcing Mode        Enforcing
> Plugin Name           catchall_file
> Host Name             localhost.localdomain
> Platform              Linux localhost.localdomain 2.6.27-0.244.rc2.git1.fc10.i686 #1 SMP Fri Aug 8 13:26:20 EDT 2008 i686 i686
> Alert Count           200
> First Seen            Wed 13 Aug 2008 12:46:15 AM IST
> Last Seen             Wed 13 Aug 2008 02:22:02 AM IST
> Local ID              de968e68-bfda-46a2-b7bb-624dd3967d16
> Line Numbers
>
> Raw Audit Messages
>
> host=localhost.localdomain type=AVC msg=audit(1218574322.776:773): avc: denied { getattr } for pid=12887 comm="npviewer.bin" path="/dev/dri/card0" dev=tmpfs ino=9434 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file
>
> host=localhost.localdomain type=SYSCALL msg=audit(1218574322.776:773): arch=40000003 syscall=195 success=no exit=-13 a0=bfccaed4 a1=bfccae60 a2=6c7ff4 a3=32 items=0 ppid=14557 pid=12887 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="npviewer.bin" exe="/usr/lib/nspluginwrapper/npviewer.bin" subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null)
>
> Rahul
Do you think it will need to read/write this device?
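
An added example, not part of the thread and not code from any Fedora tool: a small Python parser for the raw audit records quoted above that merges AVC denials into the allow rule a local policy module would need, so the exact access being granted is visible before it is allowed. The function names and the extra read/write record are assumptions made for illustration.

```python
import re
from collections import defaultdict

AVC = re.compile(r'type=AVC msg=audit\(([\d.]+:\d+)\): avc:\s+denied\s+'
                 r'\{\s*([^}]*?)\s*\}\s+for\s+(.*)')

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(3))}
    rec["event"], rec["perms"] = m.group(1), m.group(2).split()
    # An SELinux context is user:role:type[:level]; the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def allow_rules(lines):
    """Merge denials per (source type, target type, class) into allow rules."""
    merged = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        merged[rec["stype"], rec["ttype"], rec["tclass"]].update(rec["perms"])
    rules = []
    for (s, t, c), perms in sorted(merged.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {s} {t}:{c} {body};")
    return rules

CTX = ('scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 '
       'tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file')
# The two records from the report above (SYSCALL record shortened).
REPORT = [
    'host=localhost.localdomain type=AVC msg=audit(1218574322.776:773): avc: '
    'denied { getattr } for pid=12887 comm="npviewer.bin" '
    'path="/dev/dri/card0" dev=tmpfs ino=9434 ' + CTX,
    'host=localhost.localdomain type=SYSCALL msg=audit(1218574322.776:773): '
    'arch=40000003 syscall=195 success=no exit=-13 comm="npviewer.bin" '
    'exe="/usr/lib/nspluginwrapper/npviewer.bin" key=(null)',
]
# Constructed record (not from the report): the denial that would be logged
# if the plugin went on to open the device read/write.
CONSTRUCTED = ('type=AVC msg=audit(1218574400.000:900): avc: denied '
               '{ read write } for pid=12887 comm="npviewer.bin" '
               'name="card0" dev=tmpfs ino=9434 ' + CTX)

if __name__ == "__main__":
    print(allow_rules(REPORT), allow_rules(REPORT + [CONSTRUCTED]), sep="\n")
```

On the report as posted the only rule produced is for `getattr`; the broader `{ getattr read write }` rule appears only once such denials are actually logged.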