Tuesday, January 27, 2009

SELinux is preventing npviewer.bin .. unconfined_t

I have to say that SELinux on Fedora 10 and media playback via Firefox is just a pain in the ass. At a minimum, SELinux will deny you from listening to audio from YouTube or Vimeo, and at most, will completely lock you out from viewing videos from those sites that use the Flash plugin.

In the setroubleshoot message browser, you'll see messages like this:
SELinux is preventing npviewer.bin (nsplugin_t) "destroy" unconfined_t.
SELinux is preventing npviewer.bin (nsplugin_t) "getattr" unconfined_t.
SELinux is preventing npviewer.bin (nsplugin_t) "read write" unconfined_t.
SELinux is preventing npviewer.bin (nsplugin_t) "unix_read unix_write" unconfined_t.

You can always solve this by disabling SELinux entirely. Of course, that's the easy way out, so I figured I'd be a good system administrator and investigate how to allow the Flash plugin to execute while keeping SELinux running. I consulted the Documentation of the Fedora project to find out what the hell to do in order to allow Flash to work in Firefox:

What To Do
If you have this problem, you need to resolve it by allowing npviewer.bin to do its thing. Thus, you need to relax the SELinux policies for npviewer.bin. This boils down to a few steps:
1) pull out the most recent policy violations in /var/log/messages or /var/log/audit/audit.log
2) create a policy exclusion to allow npviewer.bin to run unimpeded by SELinux
3) compile the policy as a module
4) create a policy package
5) load the policy into the kernel

1 & 2) audit2allow both pulls out the policy violation information from your log file and formats into a Type Enforcement (.te) file. The Type Enforcement file is the basis for policy exclusions.

As my audit log had the SELinux denials listed in it, I ran this command:
[sodo@ogre ~]$ sudo audit2allow -m local -l -i /var/log/audit/audit.log > local.te

The result of that command was the Type Enforcement file. The .te file looks like this:
module local 1.0;
require {
type unconfined_t;
type nsplugin_t;
class sem destroy;
class shm { write unix_read getattr unix_write associate read };
#============= nsplugin_t ==============
allow nsplugin_t unconfined_t:sem destroy;
allow nsplugin_t unconfined_t:shm { write unix_read getattr unix_write associate read };

You can see the last few lines look suspiciously like the entries in the setroubleshoot browser, especially the verbs: write, unix_read, getattr, unix_write, associate, read, etc.

3) Compile the policy
The following command compiles the .te file:
[sodo@ogre ~]$ checkmodule -M -m -o local.mod local.te
checkmodule: loading policy configuration from local.te
checkmodule: policy configuration loaded
checkmodule: writing binary representation (version 8) to local.mod

4) Create a policy package
[sodo@ogre ~]$ semodule_package -o local.pp -m local.mod

5) Load the policy into the kernel
[sodo@ogre ~]$ semodule -i local.pp

If you try to load the policy as a non-priveleged (not root) user, you get this error:
[sodo@ogre ~]$ semodule: SELinux policy is not managed or store cannot be accessed.

These steps should insure that your flash plugin shall run unimpeded on your wonderful new Fedora 10 system!


Fedora Core 5 SELinux FAQ
SELinux: allowing AVS denials


Unknown said...

You should upgrade to the latest selinux policy, which would fix your problem.

yum -y upgrade selinux-policy-targeted

Cacasodo said...

Interesting. I guess the powers that be saw that binding the Flash player was a little too restrictive.

Oh well, I usually take the hard road anyway. Thanks Daniel.

emtrescue69 said...

Is this the reason I keep getting the blocking port 9339 on Zynga's Texas hold'em? If so, I upgraded to the latest policy and still get the SELinux is blocking message.

So Should I go through the process as above or take a hammer to this thing, lol.



Cacasodo said...

Could be. Don't throw out the baby with the bath water! :) Check the setroubleshoot browser or the audit log (or /var/log/messages) to confirm.


Feel free to drop me a line or ask me a question.