Bug 976500

Summary: selinux-policy(-targeted) prevents kpartsplugin (okular) saving pdfs in Firefox
Product: [Fedora] Fedora
Reporter: reescf
Component: selinux-policy-targeted
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED CANTFIX
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: unspecified
Version: 17
CC: dwalsh
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2013-06-21 12:52:36 UTC
Type: Bug
Attachments: selinux detailed report of denial

Description reescf 2013-06-20 16:59:56 UTC
Description of problem:

The recent update to selinux-policy causes many more denials. In particular, using Okular with kpartsplugin in Firefox triggers a denial if one tries to save a copy of the PDF. This behaviour is new: previously, this functionality worked fine with the default settings.

The details of the denial show, I think, that it is selinux-policy-targeted which causes the denial. (But I don't know much about selinux yet, I'm afraid.)

Version-Release number of selected component (if applicable):

selinux-policy-3.10.0-169.fc17.noarch
xulrunner-21.0-4.fc17.x86_64

How reproducible:

Happens every time since the update.

Steps to Reproduce:
1. Ensure system is updated and that Firefox, Okular and kpartsplugin are available.
2. Open Firefox.
3. Ensure that Firefox is set to open PDF files with kpartsplugin and that Okular is the default PDF viewer in system settings.
4. In Firefox, find a PDF somewhere.
5. Open the PDF.
6. Save a copy.

Actual results:

The PDF is not downloaded or saved and an alert is triggered for selinux. (But no permissions error is generated by Okular/Firefox/kpartsplugin.)

Expected results:

Based on previous behaviour, I expected the PDF to be saved. Failing this, I would expect some kind of informative error message from Okular/Firefox/kpartsplugin.

I am not sure whether the change in behaviour is intended or not.

Additional info:

Secondary click on a link to the PDF allows the PDF to be saved in cases where this is permitted by the website concerned. So the issue is not with saving a PDF to e.g. a directory under ~ per se but only doing so via Okular/kpartsplugin.

Comment 1 reescf 2013-06-20 17:07:00 UTC
Created attachment 763532
selinux detailed report of denial

Comment 2 Daniel Walsh 2013-06-21 12:52:36 UTC
setsebool -P unconfined_mozilla_plugin_transition 0

You will need to turn off the protection if you want to allow plugin applications to write to your homedir.

Comment 3 reescf 2013-06-21 16:56:39 UTC
OK. Thanks. What I did was just follow the instructions in the denial report to adjust the policy. I don't know if that is the same as using setsebool but it seems to work.

I guess the new default policy is just stricter than the old one. Fair enough.
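
Added example (not part of the bug thread): Comment 3 asks whether adjusting the policy from the denial report is the same as using setsebool. The sketch below collapses AVC denials into the narrow allow rules that a local module generated from denials (for example with audit2allow) would contain, whereas setting unconfined_mozilla_plugin_transition to 0 stops the plugin from entering the confined domain at all. The log lines are constructed, and the types mozilla_plugin_t and user_home_t are assumptions, since the attached report is not reproduced on this page.

```python
import re
from collections import defaultdict

# Constructed audit.log lines (NOT taken from the bug's attachment); the types
# mozilla_plugin_t / user_home_t are assumptions about what was denied.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1371747596.123:451): avc:  denied  { write } for  pid=2412 comm="plugin-containe" name="Documents" dev="dm-1" ino=131 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1371747596.124:452): avc:  denied  { add_name } for  pid=2412 comm="plugin-containe" name="copy.pdf" scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1371747596.125:453): avc:  denied  { create } for  pid=2412 comm="plugin-containe" name="copy.pdf" scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1371747596.125:453): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1371747599.001:460): avc:  granted  { read } for  pid=2412 comm="plugin-containe" scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

# Only "denied" AVC records matter; "granted" records and SYSCALL lines are skipped.
AVC_DENIED = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}.*?\bscontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]


def allow_rules(log_text):
    """Merge denials into one allow rule per (source type, target type, class)."""
    perms = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_DENIED.search(line)
        if not m:
            continue
        perm_list, scontext, tcontext, tclass = m.groups()
        key = (selinux_type(scontext), selinux_type(tcontext), tclass)
        perms[key].update(perm_list.split())
    rules = []
    for (src, tgt, cls), granted in sorted(perms.items()):
        body = " ".join(sorted(granted))
        if len(granted) > 1:
            body = "{ " + body + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```

Each rule widens the confined domain by exactly the listed permissions, so reviewing that list before loading a local module shows how much access is being granted compared with switching the boolean off.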