nspluginwrapper policy issue

Daniel J Walsh dwalsh at redhat.com
Wed Aug 13 17:27:06 UTC 2008


Rahul Sundaram wrote:
> Hi,
> 
> 
> Summary:
> 
> SELinux is preventing npviewer.bin (nsplugin_t) "getattr" to /dev/dri/card0
> (dri_device_t).
> 
> Detailed Description:
> 
> SELinux denied access requested by npviewer.bin. It is not expected that this
> access is required by npviewer.bin and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
> 
> Allowing Access:
> 
> Sometimes labeling problems can cause SELinux denials. You could try to restore
> the default system file context for /dev/dri/card0,
> 
> restorecon -v '/dev/dri/card0'
> 
> If this does not work, there is currently no automatic way to allow this access.
> Instead, you can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
> 
> Additional Information:
> 
> Source Context                unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023
> Target Context                system_u:object_r:dri_device_t:s0
> Target Objects                /dev/dri/card0 [ chr_file ]
> Source                        npviewer.bin
> Source Path                   /usr/lib/nspluginwrapper/npviewer.bin
> Port                          <Unknown>
> Host                          localhost.localdomain
> Source RPM Packages           nspluginwrapper-1.1.0-5.fc10
> Target RPM Packages
> Policy RPM                    selinux-policy-3.5.1-4.fc10
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall_file
> Host Name                     localhost.localdomain
> Platform                      Linux localhost.localdomain
>                               2.6.27-0.244.rc2.git1.fc10.i686 #1 SMP Fri Aug 8
>                               13:26:20 EDT 2008 i686 i686
> Alert Count                   200
> First Seen                    Wed 13 Aug 2008 12:46:15 AM IST
> Last Seen                     Wed 13 Aug 2008 02:22:02 AM IST
> Local ID                      de968e68-bfda-46a2-b7bb-624dd3967d16
> Line Numbers
> 
> Raw Audit Messages
> 
> host=localhost.localdomain type=AVC msg=audit(1218574322.776:773): avc:
>  denied  { getattr } for  pid=12887 comm="npviewer.bin"
> path="/dev/dri/card0" dev=tmpfs ino=9434
> scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file
> 
> host=localhost.localdomain type=SYSCALL msg=audit(1218574322.776:773):
> arch=40000003 syscall=195 success=no exit=-13 a0=bfccaed4 a1=bfccae60
> a2=6c7ff4 a3=32 items=0 ppid=14557 pid=12887 auid=500 uid=500 gid=500
> euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1
> comm="npviewer.bin" exe="/usr/lib/nspluginwrapper/npviewer.bin"
> subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null)
> 
> Rahul
Do you think it will need to read/write this device?
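
Added example, not part of the original thread: a small Python parser for the raw AVC record quoted above that extracts the source type, target type, class and permissions, renders the two type-enforcement rules a policy author would choose between, and answers the read/write question mechanically for the logged denial. The function names and the `DATA_PERMS` set are assumptions made for this illustration; the record is the one from the report, rejoined onto one line.

```python
import re

# Raw AVC record from the quoted report, rejoined onto a single line.
AVC = ('host=localhost.localdomain type=AVC msg=audit(1218574322.776:773): avc: '
       ' denied  { getattr } for  pid=12887 comm="npviewer.bin" '
       'path="/dev/dri/card0" dev=tmpfs ino=9434 '
       'scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 '
       'tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file')

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption for this example: permissions that mean the process touched
# the device's data, as opposed to merely stat()-ing it.
DATA_PERMS = {'read', 'write'}

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None if not parseable."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    if not {'scontext', 'tcontext', 'tclass'} <= rec.keys():
        return None
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type[:level]; the type is the third field.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def candidate_rules(rec):
    """Render the allow and dontaudit forms of the rule for this denial."""
    perms = rec['perms']
    p = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    body = f"{rec['stype']} {rec['ttype']}:{rec['tclass']} {p};"
    return {'allow': 'allow ' + body, 'dontaudit': 'dontaudit ' + body}

def data_access_requested(rec):
    """True if the denial itself shows a read or write of the object."""
    return bool(DATA_PERMS & set(rec['perms']))

if __name__ == '__main__':
    rec = parse_avc(AVC)
    for kind, rule in candidate_rules(rec).items():
        print(kind, '->', rule)
    print('read/write seen in denial:', data_access_requested(rec))
```

The logged denial covers `getattr` only, so it does not by itself show whether the plugin goes on to read or write the device; in enforcing mode a later open would only be attempted, and logged, if the plugin proceeds past the failed stat.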