Bug 861136
| Summary: | selinux prevents acrobat plugin in firefox from saving PDF files | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | phil <fongpwf> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 17 | CC: | dominick.grift, dwalsh, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-09-28 08:16:24 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
phil
2012-09-27 15:44:37 UTC
Either remove the mozplluger package by executing # yum remove mozplugger or turn off enforcement of SELinux over the Firefox plugins. # setsebool -P unconfined_mozilla_plugin_transition 0 mozplugger is not installed. I am using the Adobe plugin. So, yum remove mozplugger, as far as I can tell had no effect. I'm assuming this is NOTABUG because it is intended behavior. In other words, the selinux policy intentionally disables legitimate functionality of a common plugin. No. We add a protection for these plugins. But some plugins want to add a lot of accesses which we don't want to allow them. For example we don't want to allow plugins to manage common home files. # sesearch -A -s mozilla_plugin_t -c file -p create will tell you which files is mozilla_plugin_t able to manage. So you can turn off this plugin protection using either # setsebool -P unconfined_mozilla_plugin_transition 0 or allow mozilla plugins to create random content in the users home directory # setsebool -P mozilla_plugin_enable_homedirs 1 Also you can read more info using # man mozilla_selinux Phil which plugin did you run other then mozplugger that got acroread to run as a plugin within mozilla? Is acroread itself doing this now? Ok a little googleing shows that acroread ships with a 32 bit plugin requiring running with nsplugin, which is probably causing this problem. Phil I would say that setting one of the booleans is the way to go. Either turn off the protection or allow plugins to write any file in your homedir. about:plugins shows File: nswrapper_32_64.nppdf.so So, you are correct. It is the acroread plugin with nswrapper. Changing bools does not work for me. I get: sudo setsebool -P mozilla_plugin_enable_homedirs 1 libsepol.scope_copy_callback: entropyd: Duplicate declaration in module: type/attribute entropyd_var_run_t (No such file or directory). libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory). Could not change policy booleans I get the same error no matter which boolean I try to change. semodule -r audio_entropy audioentropy Looks like you have old cruft on your system. The system was upgraded from Fedora 13. I don't seem to have audio_entropy loaded. And I still get the same error. libsemanage.semanage_direct_remove: Module audio_entropy was not found. libsepol.scope_copy_callback: execmem: Duplicate declaration in module: type/attribute unconfined_execmem_exec_t (No such file or directory). libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory). semodule: Failed! I get the same message without audio_entropy not found, if I just do "sudo semodule -r audioentropy" Phil do this # setenforce 0 # rm -rf /etc/selinux/targeted # yum reinstall selinux-policy-targeted # restorecon -R -v /etc/selinux/targeted # setenforce 1 Thanks. After following the instructions in post #9, I can do setsebool now. A note for anyone else who has a similar problem and comes across this... setsebool takes a pretty long time to run. On my core 2 duo e7400, it was at 100% cpu for about 1 minute. |