Colin Paul Adams wrote:
After upgrading my system from F9 to F10 I ran a yum update.
The following occurred:
Summary:
SELinux is preventing npviewer.bin (nsplugin_t) "search" to ./.fontconfig
(unlabeled_t).
Detailed Description:
SELinux denied access requested by npviewer.bin. It is not expected that this
access is required by npviewer.bin and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./.fontconfig,
restorecon -v './.fontconfig'
If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c102
3
Target Context system_u:object_r:unlabeled_t:s0
Target Objects ./.fontconfig [ dir ]
Source npviewer.bin
Source Path /usr/lib/nspluginwrapper/npviewer.bin
Port <Unknown>
Host susannah.colina.demon.co.uk
Source RPM Packages nspluginwrapper-1.1.2-4.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.13-18.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name susannah.colina.demon.co.uk
Platform Linux susannah.colina.demon.co.uk
2.6.27.5-117.fc10.x86_64 #1 SMP Tue Nov 18
11:58:53 EST 2008 x86_64 x86_64
Alert Count 37
First Seen Sat 29 Nov 2008 15:33:18 GMT
Last Seen Sat 29 Nov 2008 15:33:28 GMT
Local ID 925c2472-2846-47c2-96f9-bccaadb1aaef
Line Numbers
Raw Audit Messages
node=susannah.colina.demon.co.uk type=AVC msg=audit(1227972808.92:117): avc: denied { search } for pid=3733 comm="npviewer.bin" name=".fontconfig" dev=dm-1 ino=19301092 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
node=susannah.colina.demon.co.uk type=SYSCALL msg=audit(1227972808.92:117): arch=40000003 syscall=5 per=8 success=no exit=-13 a0=87d4d48 a1=0 a2=a5517200 a3=ffffffff items=0 ppid=3588 pid=3733 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=1 comm="npviewer.bin" exe="/usr/lib/nspluginwrapper/npviewer.bin" subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null)
And if I try to raise tyhe bug I get:
ERROR
The requested URL could not be retrieved
You can do a couple of things. First, it's probably not a bad idea to
run these commands as root:
restorecon -vR /home
restorecon -vR /usr
Then try again by opening your browser and going to a page that caused
errors before. If it still doesn't work you can use audit2allow to
create a policy. I set up all my policies in a directory called
/root/selinux. So as root, do this:
mkdir selinux
cd selinux
setenforce 0
# open your web browser and go to a page with the plugin
grep npviewer.bin /var/log/audit/audit.log | audit2allow -a -M npviewer
# review npviewer.te so make sure it looks right.
semodule -i npviewer.pp
setenforce 1
# open your browser to see if the plugin works now
Hope this helps!
--
Thomas
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
