Bug 469257
| Field | Value |
|---|---|
| Summary | selinux policy and mozplugger do not get along |
| Product | [Fedora] Fedora |
| Component | mozplugger |
| Version | rawhide |
| Hardware | All |
| OS | Linux |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Reporter | Daniel Walsh <dwalsh> |
| Assignee | Than Ngo <than> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | caillon, dcantrell, goeran, jmorris, jsaucier, katzj, mcepl, mcepl, mclasen, notting, robatino, stransky, than, vemcontact, wwoods |
| Keywords | EasyFix, Reopened |
| Whiteboard | NEEDSRETESTING |
| Fixed In Version | 1.12.1-2.fc11 |
| Doc Type | Bug Fix |
| Last Closed | 2009-07-03 14:21:16 UTC |
| Bug Blocks | 446452 |
Description
Daniel Walsh
2008-10-30 20:30:25 UTC
Why is mozplugger being installed by default instead of ensuring that nsplugin confinement is being enforced? There are vulnerabilities in several browser plugins which SELinux could be blocking now.

There's yet another acroread vulnerability affecting all platforms.

Can we please have the SELinux protections for the browser re-enabled by default?

(In reply to comment #2)
> There's yet another acroread vulnerability affecting all platforms.
>
> Can we please have the SELinux protections for the browser re-enabled by
> default?

+1 but you (or whoever is affected by this vulnerability) should just get rid of acroread ... evince just works better ;-) (except for Forms and some other silly stuff) </rant>

Worse problem with this bug is that it is in wrong component. Reassigning.

Both nspluginwrapper and mozplugger own %{_libdir}/mozilla/plugins. mozplugger wins by shorter name. Simplest fix would be for mozplugger to not own those directories.

I agree here. The only package that should own %{_libdir}/mozilla/plugins is the mozilla-filesystem package. Require that package if you need the directory.

Could we get rid of it NOW? It shouldn't be that difficult, resolution is available in comment 6, and we shouldn't draw this nonsense of not having nspluginwrapper for next Fedora.

(In reply to comment #6)
> I agree here. The only package that should own %{_libdir}/mozilla/plugins is
> the mozilla-filesystem package. Require that package if you need the
> directory.

But then somebody in nspluginwrapper have to explicitly ask for installation of nspluginwrapper, right? Bill?

nspluginwrapper is a default package alongside FF in comps.

So we are going to turn on nspluginwrapper policy by default?

mozplugger-1.10.1-5.fc11 doesn't own %{_libdir}/mozilla/plugins

That package is now in Rawhide. Is there a test case to confirm that the original problem is solved, or should we just consider it fixed and close the bug?

Do various installs, make sure mozplugger isn't installed by default.

Confirmed: after various installs, mozplugger isn't installed by default. I tried a default install, a minimal install, and installing without the @graphical-internet group (which contains nspluginwrapper) and then installing firefox after the fact.

Comment #11 is wrong:

    rpm -qlp mozplugger-1.12.1-1.fc11.x86_64.rpm
    /etc/mozpluggerrc
    /usr/bin/mozplugger-controller
    /usr/bin/mozplugger-helper
    /usr/bin/mozplugger-linker
    /usr/lib64/mozilla
    /usr/lib64/mozilla/plugins
    /usr/lib64/mozilla/plugins/mozplugger.so
    /usr/share/doc/mozplugger-1.12.1
    /usr/share/doc/mozplugger-1.12.1/COPYING
    /usr/share/doc/mozplugger-1.12.1/README
    /usr/share/man/man7/mozplugger.7.gz

It still owns /usr/bin/mozilla _and_ /usr/bin/mozilla/plugins. It must depend on mozilla-filesystem instead.

*** Bug 509280 has been marked as a duplicate of this bug. ***

it's fixed in F11 and sadly shows up in F11 update again. It's a regression. I fixed it now and will push mozplugger-1.12.1-2 in F11/F10 update ASAP.

mozplugger-1.12.1-2.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/mozplugger-1.12.1-2.fc9

mozplugger-1.12.1-2.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/mozplugger-1.12.1-2.fc10

mozplugger-1.12.1-2.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/mozplugger-1.12.1-2.fc11

(In reply to comment #17)
> it's fixed in F11 and sadly shows up in F11 update again. It's a regression. I
> fixed it now and will push mozplugger-1.12.1-2 in F11/F10 update ASAP.

This has been actually reopened against F12. Could you check it has been fixed in F12? (Sorry, that's what I meant)

yes, it's fixed in F12

mozplugger-1.12.1-2.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.

mozplugger-1.12.1-2.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.

mozplugger-1.12.1-2.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
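
A regression check for the directory-ownership problem discussed in this report, as an added example that is not part of the original bug thread: it scans an `rpm -ql`-style file list for directory entries that only mozilla-filesystem should own. The function names and the "after" list are constructed for illustration; the "before" list is an excerpt of the listing quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the bug report): regression check for shared-directory
# ownership in a package file list.

# Directories reserved for mozilla-filesystem; %{_libdir} is expanded for
# x86_64, matching the listing quoted in the thread.
RESERVED_DIRS="/usr/lib64/mozilla /usr/lib64/mozilla/plugins"

# Reads an `rpm -ql`-style list (one path per line) on stdin and prints every
# reserved directory that appears as its own entry. Files below a reserved
# directory are fine; only the directory entry itself means ownership.
# Exit status: 0 if clean, 1 if any reserved directory is claimed.
claimed_reserved_dirs() {
    awk -v reserved="$RESERVED_DIRS" '
        BEGIN { n = split(reserved, dir, " ") }
        { sub(/\/+$/, ""); seen[$0] = 1 }      # normalise trailing slashes
        END {
            bad = 0
            for (i = 1; i <= n; i++)
                if (dir[i] in seen) { print dir[i]; bad = 1 }
            exit bad
        }'
}

# Excerpt of the mozplugger-1.12.1-1.fc11.x86_64 file list quoted in the thread.
list_before() {
    cat <<'EOF'
/etc/mozpluggerrc
/usr/bin/mozplugger-helper
/usr/lib64/mozilla
/usr/lib64/mozilla/plugins
/usr/lib64/mozilla/plugins/mozplugger.so
/usr/share/doc/mozplugger-1.12.1
EOF
}

# Constructed list: the same package with the two directory entries dropped.
list_after() {
    list_before | grep -v -x -e /usr/lib64/mozilla -e /usr/lib64/mozilla/plugins
}

# Prints "FAIL: <dirs>" when a reserved directory is claimed, otherwise "OK".
check() {
    if out=$(claimed_reserved_dirs); then echo "OK"; else echo "FAIL:" $out; fi
}

list_before | check
list_after  | check
```

On an installed system the same check can be fed from `rpm -ql mozplugger | check`, which makes it usable as a packaging test against the kind of regression reported later in the thread.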