160106 – selinux-policy-targeted 1.17.30-3.2 breaks Adobe AcroRead 7.0.0-2

Bug 160106 - selinux-policy-targeted 1.17.30-3.2 breaks Adobe AcroRead 7.0.0-2

Summary: selinux-policy-targeted 1.17.30-3.2 breaks Adobe AcroRead 7.0.0-2

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy-targeted
Sub Component:
Version:	3
Hardware:	i386
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Daniel Walsh
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2005-06-10 19:17 UTC by Chris Colohan
Modified:	2007-11-30 22:11 UTC (History)
CC List:	7 users (show)
Fixed In Version:	1.17.30-3.9
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2005-09-05 08:36:27 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Chris Colohan 2005-06-10 19:17:45 UTC

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.0.4-1.3.1 Firefox/1.0.4

Description of problem:
This morning I ran "yum update", and picked up selinux-policy-targeted-1.17.30-3.2.noarch.rpm.

After I rebooted, the "acroread" command no longer worked.  Downloading and regressing to selinux-policy-targeted-1.17.30-2.96.noarch.rpm fixed the problem.

This is running the acroread from AdobeReader_enu-7.0.0-2 distributed by Adobe.


Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-3.2

How reproducible:
Always

Steps to Reproduce:
1. Install Adobe Acroread, from the AdobeReader_enu-7.0.0-2 rpm distributed by Adobe.
2. Run "acroread".  Notice that it works fine.
3. Update your system to selinux-policy-targeted-1.17.30-3.2.noarch.rpm.  Reboot.
4. Run "acroread".  Notice that it fails, with a return code of "1".
  

Actual Results:  Acroread no longer works.

Expected Results:  It should have worked.

Additional info:

Comment 1 Stefan Hoelldampf 2005-06-11 10:46:57 UTC

Log:

audit(1118486533.159:0): avc:  denied  { execmod } for  pid=3809 comm=acroread
path=/usr/local/Adobe/Acrobat7.0/Reader/intellinux/plug_ins/AcroForm.api
dev=dm-0 ino=1552467 scontext=user_u:system_r:unconfined_t
tcontext=system_u:object_r:usr_t tclass=file
audit(1118486533.195:0): avc:  denied  { execmod } for  pid=3809 comm=acroread
path=/usr/local/Adobe/Acrobat7.0/Reader/intellinux/SPPlugins/ADMPlugin.apl
dev=dm-0 ino=1402985 scontext=user_u:system_r:unconfined_t
tcontext=system_u:object_r:usr_t tclass=file

Comment 2 Sebastian Lempert 2005-06-13 19:18:17 UTC

My system behaves exactly the same as the one from Chris Colohan (see first
comment). When lookink in my system-log I found the following entry:

audit(1118685112.159:0): avc:  denied  { execmod } for  pid=2506 comm=acroread
path=/usr/local/Adobe/Acrobat7.0/Reader/intellinux/lib/libJP2K.so dev=dm-0
ino=203105 scontext=user_u:system_r:unconfined_t tcontext=root:object_r:usr_t
tclass=file


But there are other entries concerning the real player on my system. It seems
that selinux-policy-targeted 1.17.30-3.2 breaks the real player too:

audit(1118685711.911:0): avc:  denied  { execmod } for  pid=2776
comm=realplay.bin path=/usr/local/RealPlayer/plugins/vidsite.so dev=dm-0
ino=410123 scontext=user_u:system_r:unconfined_t
tcontext=system_u:object_r:usr_t tclass=file
audit(1118685711.912:0): avc:  denied  { execmod } for  pid=2776
comm=realplay.bin path=/usr/local/RealPlayer/plugins/vidsite.so dev=dm-0
ino=410123 scontext=user_u:system_r:unconfined_t
tcontext=system_u:object_r:usr_t tclass=file
audit(1118685713.064:0): avc:  denied  { execmod } for  pid=2776
comm=realplay.bin path=/usr/local/RealPlayer/plugins/theorarend.so dev=dm-0
ino=410122 scontext=user_u:system_r:unconfined_t
tcontext=system_u:object_r:usr_t tclass=file
audit(1118685713.222:0): avc:  denied  { execmod } for  pid=2776
comm=realplay.bin path=/usr/local/RealPlayer/plugins/vorbisrend.so dev=dm-0
ino=410124 scontext=user_u:system_r:unconfined_t
tcontext=system_u:object_r:usr_t tclass=file
audit(1118685713.675:0): avc:  denied  { execmod } for  pid=2776
comm=realplay.bin path=/usr/local/RealPlayer/plugins/oggfformat.so dev=dm-0
ino=410098 scontext=user_u:system_r:unconfined_t
tcontext=system_u:object_r:usr_t tclass=file
audit(1118685713.914:0): avc:  denied  { execmod } for  pid=2776
comm=realplay.bin path=/usr/local/RealPlayer/plugins/swfrender.so dev=dm-0
ino=410121 scontext=user_u:system_r:unconfined_t
tcontext=system_u:object_r:usr_t tclass=file
audit(1118685714.110:0): avc:  denied  { execmod } for  pid=2776
comm=realplay.bin path=/usr/local/RealPlayer/plugins/vidsite.so dev=dm-0
ino=410123 scontext=user_u:system_r:unconfined_t
tcontext=system_u:object_r:usr_t tclass=file

Comment 3 Jason Roysdon 2005-06-14 22:31:00 UTC

Breaks the Cisco VPN Client v4.6.02.0030 (latest) as well.

[jroysdon@han ~]$ vpnclient connect PROFILE
vpnclient: error while loading shared libraries:
/opt/cisco-vpnclient/lib/libvpnapi.so: cannot restore segment prot after reloc:
Permission denied
[jroysdon@han ~]$ su -
Password:
[root@han ~]# vpnclient connect PROFILE
vpnclient: error while loading shared libraries:
/opt/cisco-vpnclient/lib/libvpnapi.so: cannot restore segment prot after reloc:
Permission denied

/var/log/messages
Jun 14 14:10:38 han kernel: audit(1118783438.560:0): avc:  denied  { execmod }
for  pid=5379 comm=vpnclient path=/opt/cisco-vpnclient/lib/libvpnapi.so dev=dm-0
ino=3211355 scontext=user_u:system_r:unconfined_t tcontext=root:object_r:usr_t
tclass=file
Jun 14 14:10:48 han su(pam_unix)[5380]: authentication failure; logname=jroysdon
uid=500 euid=0 tty= ruser=jroysdon rhost=  user=root
Jun 14 14:10:52 han su(pam_unix)[5381]: session opened for user root by
jroysdon(uid=500)
Jun 14 14:10:54 han kernel: audit(1118783454.168:0): avc:  denied  { execmod }
for  pid=5416 comm=vpnclient path=/opt/cisco-vpnclient/lib/libvpnapi.so dev=dm-0
ino=3211355 scontext=root:system_r:unconfined_t tcontext=root:object_r:usr_t
tclass=file
Jun 14 14:11:48 han net.agent[5471]: remove event not handled
Jun 14 14:11:49 han net.agent[5489]: remove event not handled
Jun 14 14:12:00 han ntpd[3347]: synchronized to 207.145.113.116, stratum 1
Jun 14 14:12:01 han kernel: Cisco Systems VPN Client Version 4.6.02 (0030)
kernel module loaded
Jun 14 14:12:05 han kernel: audit(1118783525.799:0): avc:  denied  { execmod }
for  pid=5627 comm=vpnclient path=/opt/cisco-vpnclient/lib/libvpnapi.so dev=dm-0
ino=3211355 scontext=root:system_r:unconfined_t tcontext=root:object_r:usr_t
tclass=file
Jun 14 14:13:23 han kernel: audit(1118783603.388:0): avc:  granted  { setenforce
} for  pid=5653 exe=/usr/sbin/setenforce scontext=root:system_r:unconfined_t
tcontext=system_u:object_r:security_t tclass=security
Jun 14 14:13:25 han kernel: audit(1118783605.624:0): avc:  denied  { execmod }
for  pid=5654 comm=vpnclient path=/opt/cisco-vpnclient/lib/libvpnapi.so dev=dm-0
ino=3211355 scontext=root:system_r:unconfined_t tcontext=root:object_r:usr_t
tclass=file

Comment 4 Thaddeus Nielsen 2005-06-15 00:41:33 UTC

After installing selinux-policy-targeted-1.17.30-3.2 on my FC3 system I could
not open OpenOffice.org version 104.  Even the root user could not.  As soon as
the enforce target was deselected then OpenOffice worked.

Comment 5 James Hunt 2005-06-15 17:47:14 UTC

This is killing a lot of non-Fedora-packaged apps. Please see my duplicate
bug 16033:

  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=16033

Please revert these changes to the policy files or provide clear direction on:

a) What is actually happening to cause SELinux to fire the denial messages.
   What actually _is_ the "execmod" thing? Is there a list of these "things"
   somewhere with associated explanations? I'm still wading through piles of
   partially out-of-date docs on the NSA site and others....

b) How to add appropriate rules to the SELinux config files to stop these
   denials.

This bug needs fixing fast as I -- and presumably everyone else who has suffered
here -- have had to put my machine into permissive mode in a lame attempt to
actually get on and do some work with the box. This fix does work of course, but
I'm now not getting the full benefit of SELinux, and my machine is now less
secure. I am partly to blame since I'm trusting a part of the system that, as I
am now only too painfully aware, I don't understand. But learning SELinux has a
steep learning curve and the supporting RH doc I'd expect just doesn't seem to
be there.

In summary, help!

Comment 6 Jason Roysdon 2005-06-15 18:03:19 UTC

I believe you're siting the wrong bug id (this is an old RH7 bug).

You might roll-back to the prior SELinux policy (install the old RPM).  For now,
I'm running my server in permissive mode.  My own laptop I run enabled, except I
will switch to permissive mode just long enough to start and stop my vpn.

Stock OOo 1.1.3 (openoffice.org-1.1.3-11.5.0.fc3) works fine, btw.

Comment 7 Daniel Walsh 2005-06-15 18:32:28 UTC

Fixed in selinux-policy-targeted-1.17.30-3.9

Comment 8 Stephan Borg 2005-06-16 12:38:44 UTC

Getting:

Jun 16 22:07:26 localhost kernel: audit(1118923646.312:0): avc:  denied  { write
} for  pid=9803 exe=/usr/sbin/httpd name=temp dev=dm-0 ino=1127632
scontext=root:system_r:httpd_t tcontext=user_u:object_r:httpd_sys_content_t
tclass=dir

When trying to write to a home directory public_html directory.

Tried selinux-policy-targeted-1.17.30-3.9, but does not resolve error. Worked
flawlessly prior to selinux-policy-targeted-1.17.30-3.2

Comment 9 Jason Roysdon 2005-06-16 18:57:01 UTC

selinux-policy-targeted-1.17.30-3.9.noarch.rpm resolved my Cisco VPN client issue.

Comment 10 Daniel Walsh 2005-06-16 20:27:47 UTC

Comment #8

Is httpd_builtin_scripting turned on?

setsebool -P httpd_builtin_scripting=1

Comment 11 Thaddeus Nielsen 2005-06-17 02:21:38 UTC

selinux-policy-targeted-1.17.30-3.9.noarch.rpm also resolved my issue with
OpenOffice.  Thanks for the fast work!

Note You need to log in before you can comment on or make changes to this bug.