Bug 187596
Summary: | SELinux policy targeted 2.2.25-2.fc5 breaks Adobe Reader | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Heiko Adams <bugzilla> |
Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | medium | ||
Version: | 5 | CC: | arequipeno, dwalsh, fedora.jrg01, mesmith.13588907, nsoranzo |
Target Milestone: | --- | Keywords: | Desktop, SELinux |
Target Release: | --- | ||
Hardware: | i686 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | 2.2.36-2.fc5 | Doc Type: | Bug Fix |
Last Closed: | 2006-05-09 21:10:30 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Heiko Adams
2006-04-01 15:21:56 UTC
This can be fixed by running these two commands (beware of Bugzilla word-wrappage):

```
chcon -t textrel_shlib_t /usr/local/Adobe/Acrobat7.0/Reader/intellinux/lib/*
chcon -t textrel_shlib_t /usr/local/Adobe/Acrobat7.0/Reader/intellinux/plug_ins/*.api
```

This is much more secure than running the entire system in permissive mode. Is this the "standard" way this will/is fixed, or will a policy change be made to take care of Acrobat?

I'm sorry, but the sun jre is also affected by the policy update and wasn't also working anymore until I was running

```
chcon -t textrel_shlib_t /usr/local/jre1.6.0/lib/i386/client/*
chcon -t textrel_shlib_t /usr/local/jre1.6.0/bin/*
```

I'm going to file a separate bugzilla for the jre problem. This one's just for info

Ian, are you sure you need all the libs and api files? I am seeing libJP2K.so but acroread still ran with this denial.

Dan

I may not need *all* of them, but it definitely did not run for me until I did libJP2K.so and libCoolType.so. It ran with pop-up warnings until I did the *.api files in plug_ins; since I needed to do my taxes, which use fill-in forms, I wanted all that functionality.

Fixed in 2.2.29-2.fc5

Yes I see the same errors.

I'm sorry, but the Adobe Reader Firefox plugin isn't working in 2.2.25-3.fc5

What avc's are you seeing?

Dan

Sorry, but a freshly installed Adobe Reader 7.0.5 doesn't start on SELinux policy targeted 2.2.29-3.fc5.
Error message:

```
/usr/local/Adobe/Acrobat7.0/Reader/intellinux/bin/acroread: error while loading shared libraries: /usr/local/Adobe/Acrobat7.0/Reader/intellinux/lib/libJP2K.so: cannot restore segment prot after reloc: Permission denied
```

One more problem: After updating SELinux policy targeted to 2.2.29-3.fc5 AdobeReader exits without any message when trying to open the preferences

With selinux-policy-targeted-2.2.29-3.fc5 I see

```
Apr 9 11:23:54 darth kernel: audit(1144571034.819:488): avc: denied { execmod } for pid=3175 comm="acroread" name="libJP2K.so" dev=hdc6 ino=87897 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
Apr 9 11:24:54 darth kernel: audit(1144571094.906:489): avc: denied { execmod } for pid=3249 comm="acroread" name="libCoolType.so.5.01" dev=hdc6 ino=87896 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
Apr 9 11:25:19 darth kernel: audit(1144571119.772:490): avc: denied { execmod } for pid=3321 comm="acroread" name="libAXSLE.so" dev=hdc6 ino=87892 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
Apr 9 11:25:20 darth kernel: audit(1144571120.036:491): avc: denied { execmod } for pid=3321 comm="acroread" name="ADMPlugin.apl" dev=hdc6 ino=88015 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
Apr 9 11:27:48 darth kernel: audit(1144571268.073:492): avc: denied { execmod } for pid=3409 comm="acroread" name="libcrypto.so.0.9.6" dev=hdc6 ino=87917 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
```

I changed the context type of these four files in /usr/local/Adobe/Acrobat7.0/Reader/intellinux/lib to textrel_shlib_t and my acroread started working.

I said "four" files above, but there are 5 AVC messages. It looks like I don't need to change anything for ADMPlugin.apl.

Not working in selinux-policy.noarch 0:2.2.29-4

Maybe this helps: When starting AdobeReader with SELinux in enforce mode the GUI is English. When starting AdobeReader with SELinux in permissive mode the GUI is German.

selinux-policy-targeted-2.2.34-3.fc5 still breaks AdobeReader_enu-7.0.5-1.

To get Adobe working you need to ...

```
chcon -t textrel_shlib_t /usr/local/Adobe/Acrobat7.0/Reader/intellinux/lib/lib*
```

Fixed in selinux-policy-2.2.38-1.FC5.

Seems to work with selinux-policy-2.2.36-2.fc5 - I'm still unable to change the language to German but that's not a real problem for me ;-)

(In reply to comment #20)
> Seems to work with selinux-policy-2.2.36-2.fc5 - I'm still unable to change the
> language to german but that's not a real problem for me ;-)

Same here for Italian. Adobe Reader (after asking license acceptance in Italian) starts automatically in English.

RPM: AdobeReader_ita-7.0.5-1.i386.rpm (latest)

/var/log/messages:

```
May 10 15:55:16 ozzy kernel: audit(1147269316.763:8): avc: denied { execmod } for pid=3762 comm="acroread" name="RdLang32.ITA" dev=hda6 ino=522862 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
May 10 15:55:22 ozzy kernel: audit(1147269322.007:9): avc: denied { execmod } for pid=3762 comm="acroread" name="Spelling.ITA" dev=hda6 ino=522914 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
May 10 15:55:22 ozzy kernel: audit(1147269322.135:10): avc: denied { execmod } for pid=3762 comm="acroread" name="PPKLite.ITA" dev=hda6 ino=522844 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
May 10 15:55:22 ozzy kernel: audit(1147269322.251:11): avc: denied { execmod } for pid=3762 comm="acroread" name="Accessibility.ITA" dev=hda6 ino=522651 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
May 10 15:55:22 ozzy kernel: audit(1147269322.271:12): avc: denied { execmod } for pid=3762 comm="acroread" name="AcroForm.ITA" dev=hda6 ino=522669 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
May 10 15:55:22 ozzy kernel: audit(1147269322.407:13): avc: denied { execmod } for pid=3762 comm="acroread" name="Annots.ITA" dev=hda6 ino=522676 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
May 10 15:55:22 ozzy kernel: audit(1147269322.759:14): avc: denied { execmod } for pid=3762 comm="acroread" name="DigSig.ITA" dev=hda6 ino=522681 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
May 10 15:55:22 ozzy kernel: audit(1147269322.827:15): avc: denied { execmod } for pid=3762 comm="acroread" name="EFS.ITA" dev=hda6 ino=522685 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
May 10 15:55:22 ozzy kernel: audit(1147269322.847:16): avc: denied { execmod } for pid=3762 comm="acroread" name="EScript.ITA" dev=hda6 ino=522703 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
May 10 15:55:22 ozzy kernel: audit(1147269322.859:17): avc: denied { execmod } for pid=3762 comm="acroread" name="ewh.ITA" dev=hda6 ino=522923 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
May 10 15:55:22 ozzy kernel: audit(1147269322.863:18): avc: denied { execmod } for pid=3762 comm="acroread" name="LegalPDF.ITA" dev=hda6 ino=522705 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
May 10 15:55:22 ozzy kernel: audit(1147269322.863:19): avc: denied { execmod } for pid=3762 comm="acroread" name="MakeAccessible.ITA" dev=hda6 ino=522712 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
May 10 15:55:22 ozzy kernel: audit(1147269322.867:20): avc: denied { execmod } for pid=3762 comm="acroread" name="PDDom.ITA" dev=hda6 ino=522774 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
May 10 15:55:22 ozzy kernel: audit(1147269322.975:21): avc: denied { execmod } for pid=3762 comm="acroread" name="SaveAsRTF.ITA" dev=hda6 ino=522887 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
May 10 15:55:22 ozzy kernel: audit(1147269322.979:22): avc: denied { execmod } for pid=3762 comm="acroread" name="SearchFind.ITA" dev=hda6 ino=522892 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
May 10 15:55:22 ozzy kernel: audit(1147269322.979:23): avc: denied { execmod } for pid=3762 comm="acroread" name="SendMail.ITA" dev=hda6 ino=522896 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
May 10 15:55:22 ozzy kernel: audit(1147269322.995:24): avc: denied { execmod } for pid=3762 comm="acroread" name="SOAP.ITA" dev=hda6 ino=522880 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
May 10 15:55:23 ozzy kernel: audit(1147269323.043:25): avc: denied { execmod } for pid=3762 comm="acroread" name="wwwlink.ITA" dev=hda6 ino=522997 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
```

In practice all files under /usr/local/Adobe/Acrobat7.0/Reader/intellinux/sidecars/. Please reopen!

If you execute

```
chcon -t textrel_shlib_t /usr/local/Adobe/Acrobat7.0/Reader/intellinux/sidecars/*
```

Does it work?

Dan

(In reply to comment #22)
> If you execute
> chcon -t textrel_shlib_t /usr/local/Adobe/Acrobat7.0/Reader/intellinux/sidecars/*
>
> Does it work?

Yes, it works fine. I don't know about other languages. Thanks a lot, I hope to see this applied to next update.

Nicola

The fix for Italian/German isn't present in the latest update selinux-policy-2.2.38-1.fc5. Please... ;)
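
The AVC records quoted in this thread identify each denied file only by name, device and inode, so a precise relabel list has to be derived from the log. The following shell script is an added example, not part of the original bug comments; `execmod_summary`, `resolve_inode` and `sample_avc` are hypothetical helper names, the first three sample records are copied from the comments above, and the last two are constructed.

```shell
#!/bin/sh
# Added example (not from the bug thread): reduce a kernel log to the distinct
# files that triggered an execmod denial, so only those files are relabeled.

# Read log lines on stdin; print "target_type name inode" once per file.
execmod_summary() {
    grep 'avc: *denied *{ execmod }' |
    sed -n 's/.* name="\([^"]*\)".* ino=\([0-9]*\) .* tcontext=[^:]*:[^:]*:\([^:]*\):.* tclass=file.*/\3 \1 \2/p' |
    LC_ALL=C sort -u
}

# AVC records carry no path. Map an inode back to its path(s) on one
# filesystem. usage: resolve_inode <mountpoint> <inode>
resolve_inode() {
    find "$1" -xdev -inum "$2" 2>/dev/null
}

# Records 1-3 are copied from the thread. Record 4 is constructed (a repeat of
# record 1 from a later run); record 5 is constructed (a non-execmod denial).
sample_avc() {
cat <<'EOF'
Apr 9 11:23:54 darth kernel: audit(1144571034.819:488): avc: denied { execmod } for pid=3175 comm="acroread" name="libJP2K.so" dev=hdc6 ino=87897 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
Apr 9 11:25:20 darth kernel: audit(1144571120.036:491): avc: denied { execmod } for pid=3321 comm="acroread" name="ADMPlugin.apl" dev=hdc6 ino=88015 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
May 10 15:55:16 ozzy kernel: audit(1147269316.763:8): avc: denied { execmod } for pid=3762 comm="acroread" name="RdLang32.ITA" dev=hda6 ino=522862 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
Apr 9 11:29:10 darth kernel: audit(1144571350.100:493): avc: denied { execmod } for pid=3500 comm="acroread" name="libJP2K.so" dev=hdc6 ino=87897 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
Apr 9 11:30:00 darth kernel: audit(1144571400.000:494): avc: denied { read } for pid=3500 comm="acroread" name="example.conf" dev=hdc6 ino=99999 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
EOF
}

# Summarise the embedded sample. On a live system, feed /var/log/messages in
# instead and pass each inode to resolve_inode with the matching mount point.
sample_avc | execmod_summary
```

The resolved paths can be reviewed before running the `chcon -t textrel_shlib_t` commands from the comments, which keeps the relabel limited to files that actually produced a denial rather than everything a wildcard matches.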