Hear Hear!

This is one of the first things I do with firefox (head to any site that has a
flash animation, in my case anandtech.com) and happily auto-install flash
(because firefox makes it so easy!).  Unfortunately, Hamilton's descripton of
what happens is spot on.  How can you browse the internet without flash?  You'd
miss all the Orbitz commercials!  ;)

-Sean

Try "restorecon -v ~/.mozilla/plugins/libflashplayer.so"

That worked for me, tip noticed while reading fedora-test-list.

/Jacob

So is this really a Fedora Core bug? I haven't tried Macromedias offical rpms
for Fedora Core, perhaps they do some SELinux magic in their scripts, but i'm to
inexperienced in the SELinux-thing. Or perhaps installing the .so-file globally
will circumvent the SELinux problem alltogether...

(In reply to comment #2)
> Try "restorecon -v ~/.mozilla/plugins/libflashplayer.so"
> 
> That worked for me, tip noticed while reading fedora-test-list.

I can confirm this does work :). You may need to reboot your machine for it to
work(I had to). restorecon is in /sbin so I used:

sudo /sbin/restorecon -v ~/.mozilla/plugins/libflashplayer.so

(In reply to comment #4)
> (In reply to comment #2)
> > Try "restorecon -v ~/.mozilla/plugins/libflashplayer.so"
> > 
> > That worked for me, tip noticed while reading fedora-test-list.
> 
> I can confirm this does work :). You may need to reboot your machine for it to
> work(I had to). restorecon is in /sbin so I used:
> 
> sudo /sbin/restorecon -v ~/.mozilla/plugins/libflashplayer.so
> 


Actually I don't think you need to run it as root if you're just fixing the lib
in your home dir.

The restorecon tip definitely works, but this is certainly not something that
the average Fedora user will (or should) know how to do.  Is the root cause of
this problem with Fedora, or with the Flash install scripts?  I see that the
restorecon command fixes the security context of specific files.  Does this
relate to existing SELINUX policy?  It would be very nice if this bug was
resolved by the time FC4 ships...

The preferred method for installing the Flash plugin is to use the official RPM
from http://macromedia.mplug.org.  Does this have trouble with selinux too?

But yes I agree this is a problem that should be fixed with selinux policy, not
firefox.  Reassigning.

An RPM would pick up the proper context.  If you use the install command you
will get the proper context, if you use cp or mv you will need to execute
restorecon.
The latest updated policy should handle this better also.  U1 for RHEL4.


Dan

No, I'm not talking about the flash RPM.  The bug here is that plugins being
installed by firefox during runtime (as it is designed) are being denied by selinux.

What is the file context of the .so file that gets installed?

Output of "ls -Z" in ~/.mozilla/plugins/, after an installation of the
Flash-plugin using Firefox's built-in plugin-installer:

-rw-r--r--  jacob    jacob    user_u:object_r:default_t        flashplayer.xpt
-rwxr-xr-x  jacob    jacob    user_u:object_r:default_t        libflashplayer.so

That seems like you have a badly labeled file system.  default_t means the files
were created in a directory that was never labeled under the / file system. 
Usually the only files on the system that are /  looks like the home directory
is not labeled properly.

What are the rest of the files in you home directory labeled as?  Should be
user_home_t.

I stand in ~/ and run :

find -print0 | xargs -0 ls -Z | egrep -e "user_home_t"

yields no output at all. If I egrep for "default_t" I get lots of output, most
of the files are using that label.

I'm using a fresh install of FC4test2 + rawhide updates. I did a "minimal"
install, and added my user manually with /usr/sbin/adduser.

Dunno what wen't wrong if this is the case...

Did you put your user account in a non standard directory?
What is your UID?
Did useradd create your home directory?



restorecon -R -v ~/ 

Should clean this up.

(In reply to comment #14)
> Did you put your user account in a non standard directory?

No, it is the normal place (/home/jacob/)

> What is your UID?

[jacob@skeletor ~]$ id
  uid=500(jacob) gid=500(jacob) groups=500(jacob)
  context=user_u:system_r:unconfined_t

> Did useradd create your home directory?

Yes, although I'm not 100% sure if I used useradd or adduser, if that matters.
But I did not manually have to create the /home/jacob/ dir.

> restorecon -R -v ~/ 
> 
> Should clean this up.

Yes, files are now using user_home_t and everythings seems to be ok, including
Flash:

[jacob@skeletor plugins]$ ls -Z
-rw-r--r--  jacob    jacob    user_u:object_r:user_home_t      flashplayer.xpt
-rwxr-xr-x  jacob    jacob    user_u:object_r:texrel_shlib_t   libflashplayer.so

But still after fixing the labels in ~/, removing the flash plugin, and
installing it again using Firefox's builtin installer yields wrong labels on the
files:

[jacob@skeletor plugins]$ ls -Z
-rw-r--r--  jacob    jacob    user_u:object_r:user_home_t      flashplayer.xpt
-rwxr-xr-x  jacob    jacob    user_u:object_r:user_home_t      libflashplayer.so

Flash not working, have to do a restorecon again.

What AVC Messages are you seeing?

Dan

If I have :

-rwxr-xr-x  jacob    jacob    user_u:object_r:user_home_t      libflashplayer.so

I get :

[jacob@skeletor ~]$ LD_LIBRARY_PATH=/usr/lib/firefox-1.0.3
/usr/lib/firefox-1.0.3/firefox-bin
LoadPlugin: failed to initialize shared library
/home/jacob/.mozilla/plugins/libflashplayer.so
[/home/jacob/.mozilla/plugins/libflashplayer.so: cannot restore
segment prot after reloc: Permission denied]

(I've seen this one before, and restorecon fixes it everytime)

[jacob@skeletor ~]$ rpm -qa *selinux*
libselinux-1.23.7-3
selinux-policy-targeted-1.23.12-4

Maybe thats not what you mean by AVC-messages, but I can't find any messages of
the "<program>: avc: denied ..."-type

grep -i avc /var/log/messages or /var/log/audit/auditd.log


I think I have a fix for it anyways if you yum update off of

ftp://people.redhat.com/dwalsh/SELinux/Fedora

selinux-policy-targeted-1.23.12-5 has an rule that should allow this, without
the restorecon.

Dan

Created attachment 113645 [details]
grep /var/log/messages & /var/log/audit/audit.log for "flash"

Yes, selinux-policy-targeted-1.23.12-5 fixes it for me. I can now install Flash
using the builtin installer, and the website immediately displays the flash, no
restart or any restorecon needed.

Thanks, Jacob

Well, I can confirm Jacob's initial results after installing the Flash Plugin
via Firefox:  (this is on a clean install of FC4T2)

[smearp@localhost ~]$ cd .mozilla/plugins
[smearp@localhost plugins]$ ls -Z
-rw-r--r--  smearp   smearp   user_u:object_r:default_t        flashplayer.xpt
-rwxr-xr-x  smearp   smearp   user_u:object_r:default_t        libflashplayer.so

I went to the ftp directory specified above, and it looks like
selinux-policy-targeted-1.23.12-5 has been superceded by
selinux-policy-targeted-1.23.13-1.  I upgraded, deleted the .mozilla folder, and
then headed over to http://www.anandtech.com, which prompted me to install
flash.  I went through the motions, and afterwards all flash remained broken. 
running an ls -Z on the plugins folder provides the same results as the old
SELINUX policy:

[smearp@localhost ~]$ rm -r .mozilla
[smearp@localhost ~]$ rpm -q selinux-policy-targeted
selinux-policy-targeted-1.23.13-1
[smearp@localhost ~]$ cd .mozilla/plugins
[smearp@localhost plugins]$ ls -Z
-rw-r--r--  smearp   smearp   user_u:object_r:default_t        flashplayer.xpt
-rwxr-xr-x  smearp   smearp   user_u:object_r:default_t        libflashplayer.so

Do I need to reboot somewhere in here, or was there a regression between 12-5
and 13-1?

-Sean

Did you first fix your home dir with "restorecon -R -v ~/" ?

I didn't reboot a single time during my testings.

Why we end up with incorrect labels on our home dir files is still a mystery
though, although this might not be the correct place to discuss it, new bug perhaps.

Thanks Jacob-

restorecon certainly does fix the problem, but this particular bug was marked as
fixed in rawhide with selinux-policy-targeted-1.23.12-5 (which does not resolve
the problem), when in fact it appears to be fixed with the restorecon command. 
I believe that this particular bug is not fixed, and needs to be reopened and
assigned to whatever component the restorecon command is responsible for fixing
(although I would think that selinux-policy would be it)

Long story short, with a fresh FC4t2 install, and
selinux-policy-targeted-1.23.13-1, the problem still exists.  Should I float a
balloon on the Fedora Test list to see if others are having their home dir files
set to the wrong security label?  I can't imagine that we are the only people to
experience the problem, although it really doesn't manifest itself until you try
to do something like load flash via firefox...

-Sean

I had preferred if we waited and tested this on a fresh FC4test3 install, since
this probably _has_ been fixed by the updated selinux-packages, you just don't
get the correct file labels on your home dir by upgrading the rpm, you need to
recreate the files. (Note to self, try adding a new user and see what perm.
he/she gets)

The question is why is useradd not setting up your accounts correctly?
Are you using useradd or some other command?

If you are createing accounts in /home what is it's context?

ls -ldZ /home

After creating a new acount what is the directories context?

ls -lRZ /home/newaccount

#ls -ldZ /home

drwxr-xr-x  root     root     system_u:object_r:default_t      /home

After I restorecon it:

drwxr-xr-x  root     root     system_u:object_r:home_root_t    /home

Then I add another user "enno" using "useradd" :

#ls -lZ /home/
drwxr-xr-x  enno     enno     root:object_r:user_home_dir_t    enno
drwxr-xr-x  jacob    jacob    user_u:object_r:user_home_dir_t  jacob

#ls -laRZ /home/enno
/home/enno:
drwxr-xr-x  enno     enno     root:object_r:user_home_dir_t    .
drwxr-xr-x  root     root     system_u:object_r:home_root_t    ..
-rw-------  enno     enno     user_u:object_r:user_home_t      .bash_history
-rw-r--r--  enno     enno     user_u:object_r:user_home_t      .bash_logout
-rw-r--r--  enno     enno     user_u:object_r:user_home_t      .bash_profile
-rw-r--r--  enno     enno     user_u:object_r:user_home_t      .bashrc
-rw-r--r--  enno     enno     user_u:object_r:user_home_t      .gtkrc
-rw-------  enno     enno     user_u:object_r:user_home_t      .xauthClYwpG

So the bug is anaconda is creating /home with the wrong context.

Dan

This is due to rpm not using matchpathcon() based on the conversation I had with
Dan before lunch

*** This bug has been marked as a duplicate of 151870 ***

*** Bug 154929 has been marked as a duplicate of this bug. ***

A similar problem here, except that I got all my plugins in
/usr/Mozilla/Firefox/plugins , which is the location where I installed Firefox
from mozilla.org. The only way I could get Flash to work is by setenforce 0,
which seems rather unsafe to me. Even restorecon doesn't help.

*** Bug 142739 has been marked as a duplicate of this bug. ***

I confirm this bug still exist in FC5 test3

Whenever I go to a web site that requires flash plugin, a yellow notification
bar appears and ask me to install. I followed the steps to install and it
reports successfully installed. However when I restart / go to the site again,
it ask me to install flash plugin again, just like it's never installed.