Fedora 10 Selinux Denies Firefox Ability to Upload Picture

Daniel J Walsh dwalsh at redhat.com
Tue Jan 20 15:19:11 UTC 2009


Ole Ersoy wrote:
> I had a look in /var/log/audit as well, but did not see anything that
> looks like it's related.  I pasted the last few entries at the bottom
> of the email.
> 
> I've been trying to see whether I can create another denial entry, so
> that I know exactly which one is new, but the pictures are uploading
> with selinux enforcing now, so perhaps it was just a coincidence that
> running setenforce 0 worked....
> 
> I'm in the process of learning SELinux and experimenting, but I don't
> think I did anything to change target policy...
> 
> If no one else has the issue, I would say it's a false report - sorry.
> 
> Last set of log entries:
> 
> type=AVC msg=audit(1232406061.676:687): avc:  denied  { search } for 
> pid=2802 comm="unix_chkpwd" name="/" dev=selinuxfs ino=1
> scontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:security_t:s0 tclass=dir
> type=SYSCALL msg=audit(1232406061.676:687): arch=40000003 syscall=195
> success=no exit=-13 a0=bfda5b7c a1=bfda5b1c a2=30bff4 a3=bfda5b7c
> items=0 ppid=2801 pid=2802 auid=4294967295 uid=0 gid=0 euid=0 suid=0
> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
> comm="unix_chkpwd" exe="/sbin/unix_chkpwd"
> subj=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1232406061.677:688): avc:  denied  { search } for 
> pid=2802 comm="unix_chkpwd" name="/" dev=selinuxfs ino=1
> scontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:security_t:s0 tclass=dir
> type=SYSCALL msg=audit(1232406061.677:688): arch=40000003 syscall=5
> success=no exit=-13 a0=bfda5b54 a1=8000 a2=0 a3=8000 items=0 ppid=2801
> pid=2802 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295 comm="unix_chkpwd"
> exe="/sbin/unix_chkpwd"
> subj=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 key=(null)
> type=USER_ACCT msg=audit(1232406061.682:689): user pid=2801 uid=0
> auid=4294967295 ses=4294967295
> subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting
> acct="root" exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron
> res=success)'
> type=CRED_ACQ msg=audit(1232406061.687:690): user pid=2801 uid=0
> auid=4294967295 ses=4294967295
> subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred
> acct="root" exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron
> res=success)'
> type=LOGIN msg=audit(1232406061.687:691): login pid=2801 uid=0 old
> auid=4294967295 new auid=0 old ses=4294967295 new ses=2
> type=USER_START msg=audit(1232406061.689:692): user pid=2801 uid=0
> auid=0 ses=2 subj=system_u:system_r:crond_t:s0-s0:c0.c1023
> msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond" (hostname=?,
> addr=?, terminal=cron res=success)'
> type=CRED_DISP msg=audit(1232406061.750:693): user pid=2801 uid=0 auid=0
> ses=2 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred
> acct="root" exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron
> res=success)'
> type=USER_END msg=audit(1232406061.750:694): user pid=2801 uid=0 auid=0
> ses=2 subj=system_u:system_r:crond_t:s0-s0:c0.c1023
> msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" (hostname=?,
> addr=?, terminal=cron res=success)'

None of these are related.

Very strange.

Are you running with nsplugin_t?  ps -eZ | grep nsplugin

What file system are you using?

What is the exact behaviour that is being blocked?

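Added example, not part of the original message: a small Python triage of the quoted audit records that lists each AVC denial by command and source domain and checks whether any comes from nsplugin_t or a Firefox process. The sample holds the two AVC records and one PAM record from the quote, rejoined onto single lines; the `firefox` command-name prefix and the function names are assumptions.

```python
import re
from collections import Counter

# Records copied from the quoted log, rejoined onto single lines (the mail
# client wrapped them); auditd writes one record per line.
SAMPLE_LOG = """\
type=AVC msg=audit(1232406061.676:687): avc:  denied  { search } for \
pid=2802 comm="unix_chkpwd" name="/" dev=selinuxfs ino=1 \
scontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 \
tcontext=system_u:object_r:security_t:s0 tclass=dir
type=AVC msg=audit(1232406061.677:688): avc:  denied  { search } for \
pid=2802 comm="unix_chkpwd" name="/" dev=selinuxfs ino=1 \
scontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 \
tcontext=system_u:object_r:security_t:s0 tclass=dir
type=USER_ACCT msg=audit(1232406061.682:689): user pid=2801 uid=0 \
auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 \
msg='op=PAM:accounting acct="root" exe="/usr/sbin/crond" res=success'
"""

AVC_RE = re.compile(r'type=AVC msg=audit\((\d+\.\d+):(\d+)\): avc:\s+denied\s+'
                    r'\{ ([^}]*?) \} for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_denials(log):
    """Return one dict per AVC denial; other record types are skipped."""
    out = []
    for line in log.splitlines():
        m = AVC_RE.match(line.strip())
        if not m:
            continue
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(4))}
        out.append({
            "serial": int(m.group(2)),
            "perms": tuple(m.group(3).split()),
            "comm": f.get("comm", ""),
            # A context is user:role:type:level; the type field is the domain.
            "source": f["scontext"].split(":")[2],
            "target": f["tcontext"].split(":")[2],
            "tclass": f.get("tclass", ""),
        })
    return out

def summarize(denials):
    """Count identical denials so repeats collapse into one row."""
    return Counter((d["comm"], d["source"], d["target"], d["tclass"], d["perms"])
                   for d in denials)

def related(denials, domains=("nsplugin_t",), comm_prefixes=("firefox",)):
    """Keep only denials raised by the browser or its plugin domain."""
    return [d for d in denials
            if d["source"] in domains or d["comm"].startswith(comm_prefixes)]
```

Run over the quoted entries, `summarize` collapses them to a single `unix_chkpwd` / `system_chkpwd_t` row and `related` returns an empty list.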
