SELinux ate my bookmarks in F9

Michael Wiktowy michael.wiktowy at gmail.com
Fri May 23 00:20:55 UTC 2008


Hello,

I triggered a Wine app to open up a URL link and Firefox opened up and
things went downhill from there. I'm guessing that Wine somehow
corrupted all the contexts of the Firefox bookmark/places/etc. storage
files and now SELinux is preventing any of them from being accessed
... even after opening up Firefox normally.

Here is an example of the error output by setroubleshoot (but they
just keep coming for various Firefox-related Target Objects every 10
seconds or so ... on opening Firefox, about 40 are generated
immediately):

Summary:

SELinux is preventing firefox from creating a file with a context of unlabeled_t
on a filesystem.

Detailed Description:

SELinux is preventing firefox from creating a file with a context of unlabeled_t
on a filesystem. Usually this happens when you ask the cp command to maintain
the context of a file when copying between file systems, "cp -a" for example.
Not all file contexts should be maintained between the file systems. For
example, a read-only file type like iso9660_t should not be placed on a r/w
system. "cp -P" might be a better solution, as this will adopt the default file
context for the destination.

Allowing Access:

Use a command like "cp -P" to preserve all permissions except SELinux context.

Additional Information:

Source Context                unconfined_u:object_r:unlabeled_t
Target Context                system_u:object_r:fs_t
Target Objects                bookmarks-2008-05-22.json [ filesystem ]
Source                        firefox
Source Path                   /usr/lib/firefox-3.0b5/firefox
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           firefox-3.0-0.60.beta5.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-51.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   filesystem_associate
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.25.3-18.fc9.i686
                              #1 SMP Tue May 13 05:38:53 EDT 2008 i686 athlon
Alert Count                   6
First Seen                    Thu 22 May 2008 08:07:34 PM EDT
Last Seen                     Thu 22 May 2008 08:09:49 PM EDT
Local ID                      d083caff-a8e7-4588-b913-798c14cefdac
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1211501389.186:114):
avc:  denied  { associate } for  pid=3676 comm="firefox"
name="bookmarks-2008-05-22.json"
scontext=unconfined_u:object_r:unlabeled_t:s0
tcontext=system_u:object_r:fs_t:s0 tclass=filesystem

host=localhost.localdomain type=SYSCALL msg=audit(1211501389.186:114):
arch=40000003 syscall=5 success=no exit=-13 a0=ae38748 a1=82c1 a2=180
a3=82c1 items=0 ppid=3662 pid=3676 auid=500 uid=500 gid=500 euid=500
suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1
comm="firefox" exe="/usr/lib/firefox-3.0b5/firefox"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

I suspect a 'touch /.autorelabel; reboot' will fix this but I would
also suspect that it will just happen again as soon as Wine triggers
another URL loading.

I will try to pack some more info into a bugzilla (if there is not
already one) but I figured I would give the SELinux gurus a heads up
since I haven't seen this issue raised yet.

/Mike
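
The following is an added example, not part of the original post: it parses the raw AVC record quoted in the message (re-joining the archive's wrapped lines) and reports files that were denied `associate` on a filesystem because the file's own label is `unlabeled_t`. The function names are made up for this example, and the SYSCALL record in the sample is shortened.

```python
import re

# AVC record copied from the post, mail-archive line wrapping kept.
# The SYSCALL record is shortened; it is only there to show it gets skipped.
SAMPLE = """\
host=localhost.localdomain type=AVC msg=audit(1211501389.186:114):
avc:  denied  { associate } for  pid=3676 comm="firefox"
name="bookmarks-2008-05-22.json"
scontext=unconfined_u:object_r:unlabeled_t:s0
tcontext=system_u:object_r:fs_t:s0 tclass=filesystem

host=localhost.localdomain type=SYSCALL msg=audit(1211501389.186:114):
arch=40000003 syscall=5 success=no exit=-13 a0=ae38748 a1=82c1 a2=180
comm="firefox" exe="/usr/lib/firefox-3.0b5/firefox"
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')


def parse_avc(text):
    """Return one dict per AVC denial; records are separated by blank lines."""
    denials = []
    for block in re.split(r'\n\s*\n', text):
        record = " ".join(block.split())      # undo the line wrapping
        perms = PERMS.search(record)
        if "type=AVC" not in record or not perms:
            continue                          # SYSCALL and other record types
        fields = {k: v.strip('"') for k, v in FIELD.findall(record)}
        fields["perms"] = perms.group(1).split()
        denials.append(fields)
    return denials


def selinux_type(context):
    """Extract the type from user:role:type[:level]."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def unlabeled_creates(denials):
    """Names of files denied 'associate' because their own label is unlabeled_t.

    For tclass=filesystem the scontext is the file's label, tcontext the filesystem's.
    """
    return [d.get("name") for d in denials
            if d.get("tclass") == "filesystem" and "associate" in d["perms"]
            and selinux_type(d.get("scontext", "")) == "unlabeled_t"]
```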



