Bug 1460477 - Downloading Adobe Flash Access Library (libadobecp-301806-0.so) fails due to SELinux
Downloading Adobe Flash Access Library (libadobecp-301806-0.so) fails due to ...
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy (Show other bugs)
7.3
x86_64 Linux
unspecified Severity medium
: rc
: ---
Assigned To: Lukas Vrabec
Milos Malik
: Reopened
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-06-10 20:58 EDT by Robert Scheck
Modified: 2018-04-10 08:33 EDT (History)
6 users (show)

See Also:
Fixed In Version: selinux-policy-3.13.1-176.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-04-10 08:32:41 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:0763 None None None 2018-04-10 08:33 EDT

  None (edit)
Description Robert Scheck 2017-06-10 20:58:52 EDT
Description of problem:
type=USER_AVC msg=audit(1497141763.144:3265): pid=978 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects dest=:1.54 spid=26245 tpid=1915 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:system_r:devicekit_disk_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-102.el7_3.16.noarch
flash-plugin-11.2.202.644-release.x86_64

How reproducible:
Everytime, see above and below.

Actual results:
Downloading Adobe Flash Access Library (libadobecp-301806-0.so) fails due to
SELinux policy.

Expected results:
allow mozilla_plugin_t devicekit_disk_t:dbus send_msg;

Additional info:
Yes, mentioned version of Adobe Flash is outdated but it's the only one that
provides DRM under Linux as it seems. And yes, that's the only message in the
logs.
Comment 3 Lukas Vrabec 2017-10-12 08:21:00 EDT
We're going to close this bug as WONTFIX because

 * of limited capacity of selinux-policy developers
 * the bug is related to EPEL component or 3rd party SW only
 * the bug appears in unsupported configuration 

We believe this bug can be fixed via a local policy module.
For more information please see: 

 * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow

If you disagree, please re-open the bug.
Comment 4 Lukas Vrabec 2017-10-12 08:22:18 EDT
We're going to close this bug as WONTFIX because

 * of limited capacity of selinux-policy developers
 * the bug is related to EPEL component or 3rd party SW only
 * the bug appears in unsupported configuration 

We believe this bug can be fixed via a local policy module.
For more information please see: 

 * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow

If you disagree, please re-open the bug.
Comment 5 Robert Scheck 2017-10-12 08:28:35 EDT
(In reply to Lukas Vrabec from comment #4)
> We're going to close this bug as WONTFIX because
> 
>  * of limited capacity of selinux-policy developers
>  * the bug is related to EPEL component or 3rd party SW only
>  * the bug appears in unsupported configuration 
> 
> We believe this bug can be fixed via a local policy module.
> For more information please see: 
> 
>  *
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/
> html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-
> troubleshooting-fixing_problems#sect-Security-Enhanced_Linux-Fixing_Problems-
> Allowing_Access_audit2allow
> 
> If you disagree, please re-open the bug.

I am sorry, but this is not acceptable at all! RHEL ships the SELinux policy
and covers with it 3rd party software. This is the old discussion, I already
had with Dan Walsh years ago. From my point of view, Red Hat either needs to
fix the SELinux policy when shipping policy modules affecting any 3rd party
software, or ship a reduced set of the SELinux policy to only cover exactly
the software shipped in RHEL. But as of writing, RHEL ships a SELinux policy
covering both, but with the point that you, Red Hat, are now obviously even 
reluctant to fix issues in packages that are shipped with your product, RHEL.
Comment 6 Robert Scheck 2017-10-12 08:32:51 EDT
Cross-filed ticket 01951077 on the Red Hat customer portal.
Comment 12 errata-xmlrpc 2018-04-10 08:32:41 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0763

Note You need to log in before you can comment on or make changes to this bug.