Bug 152611 - (anaconda) flash plugin does not work on firefox
(anaconda) flash plugin does not work on firefox
Status: CLOSED DUPLICATE of bug 151870
Product: Fedora
Classification: Fedora
Component: rpm (Show other bugs)
rawhide
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Paul Nasrat
Mike McLean
:
: 142739 154929 (view as bug list)
Depends On:
Blocks: FC4Blocker
  Show dependency treegraph
 
Reported: 2005-03-30 14:10 EST by Hamilton Leeper
Modified: 2007-11-30 17:11 EST (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-04-27 18:14:33 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
grep /var/log/messages & /var/log/audit/audit.log for "flash" (8.27 KB, text/plain)
2005-04-25 14:26 EDT, Jacob Kroon
no flags Details

  None (edit)
Description Hamilton Leeper 2005-03-30 14:10:28 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050328 Firefox/1.0.2 Fedora/1.0.2-3

Description of problem:
Firefox will auto-install the flash plugin fine, and the .so file shows up fine in in the mozilla plugin folder, but all flash programs still show the little green jigsaw and firefox complains about "missing plugins."

Version-Release number of selected component (if applicable):
firefox-1.0.2-3

How reproducible:
Always

Steps to Reproduce:
1. go to some site with flash in it (ie nvidia.com)
2. install the flash plugin
3. go to the site again - flash will not work
  

Additional info:
Comment 1 Sean Earp 2005-03-31 01:16:19 EST
Hear Hear!

This is one of the first things I do with firefox (head to any site that has a
flash animation, in my case anandtech.com) and happily auto-install flash
(because firefox makes it so easy!).  Unfortunately, Hamilton's descripton of
what happens is spot on.  How can you browse the internet without flash?  You'd
miss all the Orbitz commercials!  ;)

-Sean
Comment 2 Jacob Kroon 2005-04-06 18:12:59 EDT
Try "restorecon -v ~/.mozilla/plugins/libflashplayer.so"

That worked for me, tip noticed while reading fedora-test-list.

/Jacob
Comment 3 Jacob Kroon 2005-04-06 18:25:42 EDT
So is this really a Fedora Core bug? I haven't tried Macromedias offical rpms
for Fedora Core, perhaps they do some SELinux magic in their scripts, but i'm to
inexperienced in the SELinux-thing. Or perhaps installing the .so-file globally
will circumvent the SELinux problem alltogether...
Comment 4 Matt Galvin 2005-04-21 11:18:37 EDT
(In reply to comment #2)
> Try "restorecon -v ~/.mozilla/plugins/libflashplayer.so"
> 
> That worked for me, tip noticed while reading fedora-test-list.

I can confirm this does work :). You may need to reboot your machine for it to
work(I had to). restorecon is in /sbin so I used:

sudo /sbin/restorecon -v ~/.mozilla/plugins/libflashplayer.so
Comment 5 Jacob Kroon 2005-04-21 11:36:43 EDT
(In reply to comment #4)
> (In reply to comment #2)
> > Try "restorecon -v ~/.mozilla/plugins/libflashplayer.so"
> > 
> > That worked for me, tip noticed while reading fedora-test-list.
> 
> I can confirm this does work :). You may need to reboot your machine for it to
> work(I had to). restorecon is in /sbin so I used:
> 
> sudo /sbin/restorecon -v ~/.mozilla/plugins/libflashplayer.so
> 


Actually I don't think you need to run it as root if you're just fixing the lib
in your home dir.
Comment 6 Sean Earp 2005-04-22 01:58:04 EDT
The restorecon tip definitely works, but this is certainly not something that
the average Fedora user will (or should) know how to do.  Is the root cause of
this problem with Fedora, or with the Flash install scripts?  I see that the
restorecon command fixes the security context of specific files.  Does this
relate to existing SELINUX policy?  It would be very nice if this bug was
resolved by the time FC4 ships...
Comment 7 Warren Togami 2005-04-22 19:29:04 EDT
The preferred method for installing the Flash plugin is to use the official RPM
from http://macromedia.mplug.org.  Does this have trouble with selinux too?

But yes I agree this is a problem that should be fixed with selinux policy, not
firefox.  Reassigning.
Comment 8 Daniel Walsh 2005-04-22 21:11:57 EDT
An RPM would pick up the proper context.  If you use the install command you
will get the proper context, if you use cp or mv you will need to execute
restorecon.
The latest updated policy should handle this better also.  U1 for RHEL4.


Dan
Comment 9 Warren Togami 2005-04-22 21:35:30 EDT
No, I'm not talking about the flash RPM.  The bug here is that plugins being
installed by firefox during runtime (as it is designed) are being denied by selinux.
Comment 10 Daniel Walsh 2005-04-24 11:02:39 EDT
What is the file context of the .so file that gets installed?

Comment 11 Jacob Kroon 2005-04-24 11:44:43 EDT
Output of "ls -Z" in ~/.mozilla/plugins/, after an installation of the
Flash-plugin using Firefox's built-in plugin-installer:

-rw-r--r--  jacob    jacob    user_u:object_r:default_t        flashplayer.xpt
-rwxr-xr-x  jacob    jacob    user_u:object_r:default_t        libflashplayer.so
Comment 12 Daniel Walsh 2005-04-25 10:48:11 EDT
That seems like you have a badly labeled file system.  default_t means the files
were created in a directory that was never labeled under the / file system. 
Usually the only files on the system that are /  looks like the home directory
is not labeled properly.

What are the rest of the files in you home directory labeled as?  Should be
user_home_t.
Comment 13 Jacob Kroon 2005-04-25 11:52:43 EDT
I stand in ~/ and run :

find -print0 | xargs -0 ls -Z | egrep -e "user_home_t"

yields no output at all. If I egrep for "default_t" I get lots of output, most
of the files are using that label.

I'm using a fresh install of FC4test2 + rawhide updates. I did a "minimal"
install, and added my user manually with /usr/sbin/adduser.

Dunno what wen't wrong if this is the case...
Comment 14 Daniel Walsh 2005-04-25 12:03:02 EDT
Did you put your user account in a non standard directory?
What is your UID?
Did useradd create your home directory?



restorecon -R -v ~/ 

Should clean this up.


Comment 15 Jacob Kroon 2005-04-25 12:37:01 EDT
(In reply to comment #14)
> Did you put your user account in a non standard directory?

No, it is the normal place (/home/jacob/)

> What is your UID?

[jacob@skeletor ~]$ id
  uid=500(jacob) gid=500(jacob) groups=500(jacob)
  context=user_u:system_r:unconfined_t

> Did useradd create your home directory?

Yes, although I'm not 100% sure if I used useradd or adduser, if that matters.
But I did not manually have to create the /home/jacob/ dir.

> restorecon -R -v ~/ 
> 
> Should clean this up.

Yes, files are now using user_home_t and everythings seems to be ok, including
Flash:

[jacob@skeletor plugins]$ ls -Z
-rw-r--r--  jacob    jacob    user_u:object_r:user_home_t      flashplayer.xpt
-rwxr-xr-x  jacob    jacob    user_u:object_r:texrel_shlib_t   libflashplayer.so
Comment 16 Jacob Kroon 2005-04-25 12:43:30 EDT
But still after fixing the labels in ~/, removing the flash plugin, and
installing it again using Firefox's builtin installer yields wrong labels on the
files:

[jacob@skeletor plugins]$ ls -Z
-rw-r--r--  jacob    jacob    user_u:object_r:user_home_t      flashplayer.xpt
-rwxr-xr-x  jacob    jacob    user_u:object_r:user_home_t      libflashplayer.so

Flash not working, have to do a restorecon again.
Comment 17 Daniel Walsh 2005-04-25 13:26:15 EDT
What AVC Messages are you seeing?

Dan
Comment 18 Jacob Kroon 2005-04-25 13:56:14 EDT
If I have :

-rwxr-xr-x  jacob    jacob    user_u:object_r:user_home_t      libflashplayer.so

I get :

[jacob@skeletor ~]$ LD_LIBRARY_PATH=/usr/lib/firefox-1.0.3
/usr/lib/firefox-1.0.3/firefox-bin
LoadPlugin: failed to initialize shared library
/home/jacob/.mozilla/plugins/libflashplayer.so
[/home/jacob/.mozilla/plugins/libflashplayer.so: cannot restore
segment prot after reloc: Permission denied]

(I've seen this one before, and restorecon fixes it everytime)

[jacob@skeletor ~]$ rpm -qa *selinux*
libselinux-1.23.7-3
selinux-policy-targeted-1.23.12-4

Maybe thats not what you mean by AVC-messages, but I can't find any messages of
the "<program>: avc: denied ..."-type
Comment 19 Daniel Walsh 2005-04-25 14:03:33 EDT
grep -i avc /var/log/messages or /var/log/audit/auditd.log


I think I have a fix for it anyways if you yum update off of

ftp://people.redhat.com/dwalsh/SELinux/Fedora

selinux-policy-targeted-1.23.12-5 has an rule that should allow this, without
the restorecon.

Dan
Comment 20 Jacob Kroon 2005-04-25 14:26:31 EDT
Created attachment 113645 [details]
grep /var/log/messages & /var/log/audit/audit.log for "flash"

Yes, selinux-policy-targeted-1.23.12-5 fixes it for me. I can now install Flash
using the builtin installer, and the website immediately displays the flash, no
restart or any restorecon needed.

Thanks, Jacob
Comment 21 Sean Earp 2005-04-25 23:50:43 EDT
Well, I can confirm Jacob's initial results after installing the Flash Plugin
via Firefox:  (this is on a clean install of FC4T2)

[smearp@localhost ~]$ cd .mozilla/plugins
[smearp@localhost plugins]$ ls -Z
-rw-r--r--  smearp   smearp   user_u:object_r:default_t        flashplayer.xpt
-rwxr-xr-x  smearp   smearp   user_u:object_r:default_t        libflashplayer.so

I went to the ftp directory specified above, and it looks like
selinux-policy-targeted-1.23.12-5 has been superceded by
selinux-policy-targeted-1.23.13-1.  I upgraded, deleted the .mozilla folder, and
then headed over to http://www.anandtech.com, which prompted me to install
flash.  I went through the motions, and afterwards all flash remained broken. 
running an ls -Z on the plugins folder provides the same results as the old
SELINUX policy:

[smearp@localhost ~]$ rm -r .mozilla
[smearp@localhost ~]$ rpm -q selinux-policy-targeted
selinux-policy-targeted-1.23.13-1
[smearp@localhost ~]$ cd .mozilla/plugins
[smearp@localhost plugins]$ ls -Z
-rw-r--r--  smearp   smearp   user_u:object_r:default_t        flashplayer.xpt
-rwxr-xr-x  smearp   smearp   user_u:object_r:default_t        libflashplayer.so

Do I need to reboot somewhere in here, or was there a regression between 12-5
and 13-1?

-Sean
Comment 22 Jacob Kroon 2005-04-26 01:25:49 EDT
Did you first fix your home dir with "restorecon -R -v ~/" ?

I didn't reboot a single time during my testings.

Why we end up with incorrect labels on our home dir files is still a mystery
though, although this might not be the correct place to discuss it, new bug perhaps.
Comment 23 Sean Earp 2005-04-26 20:03:40 EDT
Thanks Jacob-

restorecon certainly does fix the problem, but this particular bug was marked as
fixed in rawhide with selinux-policy-targeted-1.23.12-5 (which does not resolve
the problem), when in fact it appears to be fixed with the restorecon command. 
I believe that this particular bug is not fixed, and needs to be reopened and
assigned to whatever component the restorecon command is responsible for fixing
(although I would think that selinux-policy would be it)

Long story short, with a fresh FC4t2 install, and
selinux-policy-targeted-1.23.13-1, the problem still exists.  Should I float a
balloon on the Fedora Test list to see if others are having their home dir files
set to the wrong security label?  I can't imagine that we are the only people to
experience the problem, although it really doesn't manifest itself until you try
to do something like load flash via firefox...

-Sean
Comment 24 Jacob Kroon 2005-04-27 02:30:30 EDT
I had preferred if we waited and tested this on a fresh FC4test3 install, since
this probably _has_ been fixed by the updated selinux-packages, you just don't
get the correct file labels on your home dir by upgrading the rpm, you need to
recreate the files. (Note to self, try adding a new user and see what perm.
he/she gets)
Comment 25 Daniel Walsh 2005-04-27 07:58:13 EDT
The question is why is useradd not setting up your accounts correctly?
Are you using useradd or some other command?

If you are createing accounts in /home what is it's context?

ls -ldZ /home

After creating a new acount what is the directories context?

ls -lRZ /home/newaccount

Comment 26 Jacob Kroon 2005-04-27 08:28:26 EDT
#ls -ldZ /home

drwxr-xr-x  root     root     system_u:object_r:default_t      /home

After I restorecon it:

drwxr-xr-x  root     root     system_u:object_r:home_root_t    /home

Then I add another user "enno" using "useradd" :

#ls -lZ /home/
drwxr-xr-x  enno     enno     root:object_r:user_home_dir_t    enno
drwxr-xr-x  jacob    jacob    user_u:object_r:user_home_dir_t  jacob

#ls -laRZ /home/enno
/home/enno:
drwxr-xr-x  enno     enno     root:object_r:user_home_dir_t    .
drwxr-xr-x  root     root     system_u:object_r:home_root_t    ..
-rw-------  enno     enno     user_u:object_r:user_home_t      .bash_history
-rw-r--r--  enno     enno     user_u:object_r:user_home_t      .bash_logout
-rw-r--r--  enno     enno     user_u:object_r:user_home_t      .bash_profile
-rw-r--r--  enno     enno     user_u:object_r:user_home_t      .bashrc
-rw-r--r--  enno     enno     user_u:object_r:user_home_t      .gtkrc
-rw-------  enno     enno     user_u:object_r:user_home_t      .xauthClYwpG
Comment 27 Daniel Walsh 2005-04-27 10:12:24 EDT
So the bug is anaconda is creating /home with the wrong context.

Dan
Comment 28 Jeremy Katz 2005-04-27 14:16:53 EDT
This is due to rpm not using matchpathcon() based on the conversation I had with
Dan before lunch
Comment 29 Jeremy Katz 2005-04-27 18:14:33 EDT

*** This bug has been marked as a duplicate of 151870 ***
Comment 30 Warren Togami 2005-05-01 06:31:02 EDT
*** Bug 154929 has been marked as a duplicate of this bug. ***
Comment 31 Roy 2005-05-04 05:43:43 EDT
A similar problem here, except that I got all my plugins in
/usr/Mozilla/Firefox/plugins , which is the location where I installed Firefox
from mozilla.org. The only way I could get Flash to work is by setenforce 0,
which seems rather unsafe to me. Even restorecon doesn't help.
Comment 32 Warren Togami 2005-05-16 05:49:07 EDT
*** Bug 142739 has been marked as a duplicate of this bug. ***
Comment 33 mokkarkay 2006-02-24 09:34:54 EST
I confirm this bug still exist in FC5 test3

Whenever I go to a web site that requires flash plugin, a yellow notification
bar appears and ask me to install. I followed the steps to install and it
reports successfully installed. However when I restart / go to the site again,
it ask me to install flash plugin again, just like it's never installed.

Note You need to log in before you can comment on or make changes to this bug.