From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050328 Firefox/1.0.2 Fedora/1.0.2-3

Description of problem:
Firefox will auto-install the flash plugin fine, and the .so file shows up fine in the mozilla plugin folder, but all flash programs still show the little green jigsaw and firefox complains about "missing plugins."

Version-Release number of selected component (if applicable):
firefox-1.0.2-3

How reproducible:
Always

Steps to Reproduce:
1. go to some site with flash in it (ie nvidia.com)
2. install the flash plugin
3. go to the site again - flash will not work

Additional info:
Hear Hear! This is one of the first things I do with firefox (head to any site that has a flash animation, in my case anandtech.com) and happily auto-install flash (because firefox makes it so easy!). Unfortunately, Hamilton's description of what happens is spot on. How can you browse the internet without flash? You'd miss all the Orbitz commercials! ;) -Sean
Try "restorecon -v ~/.mozilla/plugins/libflashplayer.so" That worked for me, tip noticed while reading fedora-test-list. /Jacob
So is this really a Fedora Core bug? I haven't tried Macromedia's official rpms for Fedora Core, perhaps they do some SELinux magic in their scripts, but I'm too inexperienced in the SELinux-thing. Or perhaps installing the .so-file globally will circumvent the SELinux problem altogether...
(In reply to comment #2)
> Try "restorecon -v ~/.mozilla/plugins/libflashplayer.so"
>
> That worked for me, tip noticed while reading fedora-test-list.

I can confirm this does work :). You may need to reboot your machine for it to work (I had to). restorecon is in /sbin so I used:

sudo /sbin/restorecon -v ~/.mozilla/plugins/libflashplayer.so
(In reply to comment #4)
> (In reply to comment #2)
> > Try "restorecon -v ~/.mozilla/plugins/libflashplayer.so"
> >
> > That worked for me, tip noticed while reading fedora-test-list.
>
> I can confirm this does work :). You may need to reboot your machine for it to
> work(I had to). restorecon is in /sbin so I used:
>
> sudo /sbin/restorecon -v ~/.mozilla/plugins/libflashplayer.so
>

Actually I don't think you need to run it as root if you're just fixing the lib in your home dir.
The restorecon tip definitely works, but this is certainly not something that the average Fedora user will (or should) know how to do. Is the root cause of this problem with Fedora, or with the Flash install scripts? I see that the restorecon command fixes the security context of specific files. Does this relate to existing SELINUX policy? It would be very nice if this bug was resolved by the time FC4 ships...
The preferred method for installing the Flash plugin is to use the official RPM from http://macromedia.mplug.org. Does this have trouble with selinux too? But yes I agree this is a problem that should be fixed with selinux policy, not firefox. Reassigning.
An RPM would pick up the proper context. If you use the install command you will get the proper context, if you use cp or mv you will need to execute restorecon. The latest updated policy should handle this better also. U1 for RHEL4. Dan
No, I'm not talking about the flash RPM. The bug here is that plugins being installed by firefox during runtime (as it is designed) are being denied by selinux.
What is the file context of the .so file that gets installed?
Output of "ls -Z" in ~/.mozilla/plugins/, after an installation of the Flash-plugin using Firefox's built-in plugin-installer:

-rw-r--r-- jacob jacob user_u:object_r:default_t flashplayer.xpt
-rwxr-xr-x jacob jacob user_u:object_r:default_t libflashplayer.so
That seems like you have a badly labeled file system. default_t means the files were created in a directory that was never labeled under the / file system. Usually the only files on the system that are / looks like the home directory is not labeled properly. What are the rest of the files in your home directory labeled as? Should be user_home_t.
I stand in ~/ and run:

find -print0 | xargs -0 ls -Z | egrep -e "user_home_t"

yields no output at all. If I egrep for "default_t" I get lots of output, most of the files are using that label. I'm using a fresh install of FC4test2 + rawhide updates. I did a "minimal" install, and added my user manually with /usr/sbin/adduser. Dunno what went wrong if this is the case...
Did you put your user account in a non standard directory?
What is your UID?
Did useradd create your home directory?

restorecon -R -v ~/

Should clean this up.
(In reply to comment #14)
> Did you put your user account in a non standard directory?

No, it is the normal place (/home/jacob/)

> What is your UID?

[jacob@skeletor ~]$ id
uid=500(jacob) gid=500(jacob) groups=500(jacob) context=user_u:system_r:unconfined_t

> Did useradd create your home directory?

Yes, although I'm not 100% sure if I used useradd or adduser, if that matters. But I did not manually have to create the /home/jacob/ dir.

> restorecon -R -v ~/
>
> Should clean this up.

Yes, files are now using user_home_t and everything seems to be ok, including Flash:

[jacob@skeletor plugins]$ ls -Z
-rw-r--r-- jacob jacob user_u:object_r:user_home_t flashplayer.xpt
-rwxr-xr-x jacob jacob user_u:object_r:texrel_shlib_t libflashplayer.so
But still after fixing the labels in ~/, removing the flash plugin, and installing it again using Firefox's builtin installer yields wrong labels on the files:

[jacob@skeletor plugins]$ ls -Z
-rw-r--r-- jacob jacob user_u:object_r:user_home_t flashplayer.xpt
-rwxr-xr-x jacob jacob user_u:object_r:user_home_t libflashplayer.so

Flash not working, have to do a restorecon again.
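Added example, not part of the original bug comments: a shell filter that classifies `ls -Z` lines in the column layout shown in this thread, flagging default_t (files created under a directory that was never labeled) and a .so that did not receive texrel_shlib_t (the type restorecon assigned to libflashplayer.so above). The function names, verdict strings and embedded sample lines are assumptions, constructed from the listings quoted in this thread.

```shell
#!/bin/sh
# Added example (not from the bug report). Assumes the FC4-era `ls -Z` layout
# seen in this thread: mode owner group user:role:type name

# classify_labels: read `ls -Z` lines on stdin, print "VERDICT type name".
# Verdict names are hypothetical, chosen for this example.
classify_labels() {
    awk '
    NF >= 5 && $4 ~ /:/ {
        split($4, ctx, ":")               # ctx[3] is the SELinux type
        type = ctx[3]
        name = $5
        for (i = 6; i <= NF; i++)         # keep file names containing spaces
            name = name " " $i
        if (type == "default_t")
            verdict = "UNLABELED_PARENT"  # created under a never-labeled dir
        else if (name ~ /\.so$/ && type != "texrel_shlib_t")
            verdict = "WRONG_LIB_TYPE"    # library kept the directory type
        else
            verdict = "OK"
        print verdict, type, name
    }'
}

# count_problems: number of entries on stdin that are not OK.
count_problems() {
    classify_labels | awk '$1 != "OK" { n++ } END { print n + 0 }'
}

# Constructed sample: the three plugin-directory states shown in this thread
# (unlabeled home, relabeled home + fresh install, after restorecon).
sample_listing() {
    cat <<'EOF'
-rw-r--r-- jacob jacob user_u:object_r:default_t flashplayer.xpt
-rwxr-xr-x jacob jacob user_u:object_r:default_t libflashplayer.so
-rw-r--r-- jacob jacob user_u:object_r:user_home_t flashplayer.xpt
-rwxr-xr-x jacob jacob user_u:object_r:user_home_t libflashplayer.so
-rwxr-xr-x jacob jacob user_u:object_r:texrel_shlib_t libflashplayer.so
EOF
}

sample_listing | classify_labels
```

On a live system of that era, `ls -Z ~/.mozilla/plugins | classify_labels` applies the same check; later `ls -Z` output uses different columns, so the field numbers would need adjusting.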
What AVC Messages are you seeing? Dan
If I have:

-rwxr-xr-x jacob jacob user_u:object_r:user_home_t libflashplayer.so

I get:

[jacob@skeletor ~]$ LD_LIBRARY_PATH=/usr/lib/firefox-1.0.3 /usr/lib/firefox-1.0.3/firefox-bin
LoadPlugin: failed to initialize shared library /home/jacob/.mozilla/plugins/libflashplayer.so [/home/jacob/.mozilla/plugins/libflashplayer.so: cannot restore segment prot after reloc: Permission denied]

(I've seen this one before, and restorecon fixes it every time)

[jacob@skeletor ~]$ rpm -qa *selinux*
libselinux-1.23.7-3
selinux-policy-targeted-1.23.12-4

Maybe that's not what you mean by AVC-messages, but I can't find any messages of the "<program>: avc: denied ..."-type
grep -i avc /var/log/messages or /var/log/audit/auditd.log

I think I have a fix for it anyways if you yum update off of ftp://people.redhat.com/dwalsh/SELinux/Fedora

selinux-policy-targeted-1.23.12-5 has a rule that should allow this, without the restorecon.

Dan
Created attachment 113645
grep /var/log/messages & /var/log/audit/audit.log for "flash"

Yes, selinux-policy-targeted-1.23.12-5 fixes it for me. I can now install Flash using the builtin installer, and the website immediately displays the flash, no restart or any restorecon needed.

Thanks, Jacob
Well, I can confirm Jacob's initial results after installing the Flash Plugin via Firefox: (this is on a clean install of FC4T2)

[smearp@localhost ~]$ cd .mozilla/plugins
[smearp@localhost plugins]$ ls -Z
-rw-r--r-- smearp smearp user_u:object_r:default_t flashplayer.xpt
-rwxr-xr-x smearp smearp user_u:object_r:default_t libflashplayer.so

I went to the ftp directory specified above, and it looks like selinux-policy-targeted-1.23.12-5 has been superseded by selinux-policy-targeted-1.23.13-1. I upgraded, deleted the .mozilla folder, and then headed over to http://www.anandtech.com, which prompted me to install flash. I went through the motions, and afterwards all flash remained broken. Running an ls -Z on the plugins folder provides the same results as the old SELINUX policy:

[smearp@localhost ~]$ rm -r .mozilla
[smearp@localhost ~]$ rpm -q selinux-policy-targeted
selinux-policy-targeted-1.23.13-1
[smearp@localhost ~]$ cd .mozilla/plugins
[smearp@localhost plugins]$ ls -Z
-rw-r--r-- smearp smearp user_u:object_r:default_t flashplayer.xpt
-rwxr-xr-x smearp smearp user_u:object_r:default_t libflashplayer.so

Do I need to reboot somewhere in here, or was there a regression between 12-5 and 13-1?

-Sean
Did you first fix your home dir with "restorecon -R -v ~/" ? I didn't reboot a single time during my testings. Why we end up with incorrect labels on our home dir files is still a mystery though, although this might not be the correct place to discuss it, new bug perhaps.
Thanks Jacob- restorecon certainly does fix the problem, but this particular bug was marked as fixed in rawhide with selinux-policy-targeted-1.23.12-5 (which does not resolve the problem), when in fact it appears to be fixed with the restorecon command. I believe that this particular bug is not fixed, and needs to be reopened and assigned to whatever component the restorecon command is responsible for fixing (although I would think that selinux-policy would be it).

Long story short, with a fresh FC4t2 install, and selinux-policy-targeted-1.23.13-1, the problem still exists.

Should I float a balloon on the Fedora Test list to see if others are having their home dir files set to the wrong security label? I can't imagine that we are the only people to experience the problem, although it really doesn't manifest itself until you try to do something like load flash via firefox...

-Sean
I had preferred if we waited and tested this on a fresh FC4test3 install, since this probably _has_ been fixed by the updated selinux-packages, you just don't get the correct file labels on your home dir by upgrading the rpm, you need to recreate the files. (Note to self, try adding a new user and see what perm. he/she gets)
The question is why is useradd not setting up your accounts correctly? Are you using useradd or some other command? If you are creating accounts in /home what is its context?

ls -ldZ /home

After creating a new account what is the directory's context?

ls -lRZ /home/newaccount
#ls -ldZ /home
drwxr-xr-x root root system_u:object_r:default_t /home

After I restorecon it:

drwxr-xr-x root root system_u:object_r:home_root_t /home

Then I add another user "enno" using "useradd":

#ls -lZ /home/
drwxr-xr-x enno enno root:object_r:user_home_dir_t enno
drwxr-xr-x jacob jacob user_u:object_r:user_home_dir_t jacob

#ls -laRZ /home/enno
/home/enno:
drwxr-xr-x enno enno root:object_r:user_home_dir_t .
drwxr-xr-x root root system_u:object_r:home_root_t ..
-rw------- enno enno user_u:object_r:user_home_t .bash_history
-rw-r--r-- enno enno user_u:object_r:user_home_t .bash_logout
-rw-r--r-- enno enno user_u:object_r:user_home_t .bash_profile
-rw-r--r-- enno enno user_u:object_r:user_home_t .bashrc
-rw-r--r-- enno enno user_u:object_r:user_home_t .gtkrc
-rw------- enno enno user_u:object_r:user_home_t .xauthClYwpG
So the bug is anaconda is creating /home with the wrong context. Dan
This is due to rpm not using matchpathcon() based on the conversation I had with Dan before lunch
*** This bug has been marked as a duplicate of 151870 ***
*** Bug 154929 has been marked as a duplicate of this bug. ***
A similar problem here, except that I got all my plugins in /usr/Mozilla/Firefox/plugins, which is the location where I installed Firefox from mozilla.org. The only way I could get Flash to work is by setenforce 0, which seems rather unsafe to me. Even restorecon doesn't help.
*** Bug 142739 has been marked as a duplicate of this bug. ***
I confirm this bug still exists in FC5 test3.

Whenever I go to a web site that requires flash plugin, a yellow notification bar appears and asks me to install. I followed the steps to install and it reports successfully installed. However when I restart / go to the site again, it asks me to install flash plugin again, just like it's never installed.