Bug 177269 - SELinux prevents browser plugins from being executed
SELinux prevents browser plugins from being executed
Product: Fedora
Classification: Fedora
Component: epiphany (Show other bugs)
noarch Linux
medium Severity medium
: ---
: ---
Assigned To: Christopher Aillon
: 178617 (view as bug list)
Depends On:
  Show dependency treegraph
Reported: 2006-01-08 11:46 EST by Joachim Frieben
Modified: 2018-04-11 13:00 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-02-08 11:17:23 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Audit subsystem log file (37.77 KB, application/x-bzip)
2006-01-26 12:44 EST, Joachim Frieben
no flags Details

  None (edit)
Description Joachim Frieben 2006-01-08 11:46:01 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20051215 Epiphany/1.9.4

Description of problem:
Upon installation of "flash-plugin-7.0.61-1", associated
media cannot be displayed. Web browsers behave as if the
plugin had not been installed.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install "flash-plugin".
2. Launch "epiphany" etc.
3. Go to a web page with embedded "flash" elements. 

Actual Results:  The "flash" elements are not rendered as expected. The
corresponding part of the window remains empty. Upon
clicking inside it, one is invited to install the
corresponding missing plugin.

Expected Results:  "flash" elements should get rendered correctly.

Additional info:

Execution of "chcon system_u:object_r:texrel_shlib_t
/usr/lib/flash-plugin/libflashplayer.so" allows to
recover "flash" functionality. Other plugins are also
affected, e.g. "java" and "realplayer" plugins.
Comment 1 Joachim Frieben 2006-01-13 04:30:46 EST
Still not fixed in "selinux-policy-targeted-2.1.9-2".
Comment 2 Daniel Walsh 2006-01-14 00:47:41 EST
Fixed in 2.1.10-2
Comment 3 Joachim Frieben 2006-01-22 07:53:11 EST
After a fresh install from the development tree issue found to be not
fixed in "selinux-policy-targeted-2.2.2-1".
Comment 4 Joachim Frieben 2006-01-22 07:57:05 EST
Something has changed however in the sense that now the "chcon
system_u:object_r:texrel_shlib_t SH_LIB" trick does not
work anymore.
Comment 5 Daniel Walsh 2006-01-23 09:10:29 EST
Are you seeing new avc messages?

If you do the following, what do you see?
restorecon /usr/lib/flash-plugin/libflashplayer.so
ls -lZ /usr/lib/flash-plugin/libflashplayer.so
Comment 6 Daniel Walsh 2006-01-23 09:13:21 EST
*** Bug 178617 has been marked as a duplicate of this bug. ***
Comment 7 Joachim Frieben 2006-01-23 11:18:17 EST
ls -lZ /usr/lib/flash-plugin/libflashplayer.so
-rwxr-xr-x  root     root     system_u:object_r:textrel_shlib_t

restorecon /usr/lib/flash-plugin/libflashplayer.so

ls -lZ /usr/lib/flash-plugin/libflashplayer.so
-rwxr-xr-x  root     root     system_u:object_r:textrel_shlib_t
Comment 8 Daniel Walsh 2006-01-23 14:07:08 EST
Ok so that is correct.  Are you seeing avc messages in 

/var/log/audit/audit.log pr /var/log/messages?

Comment 9 Joachim Frieben 2006-01-25 12:49:19 EST
Sure there are but nothing relevant. Only "denied" entries related to
"readahead", "mount" and similar. On the contrary to FC5 test1, I have
problems with other 3rd party shared libraries again, and the "chcon"
trick does not help anymore:

"xpdf: error while loading shared libraries: libXm.so.2: cannot enable
 executable stack as shared object requires: Permission denied"

Here, "libXm.so.2" is an older version of the "Motif" runtime library.
Current "SELinux" rules version is "selinux-policy-targeted-2.2.4-1".
No "Flash", no "Java", etc. Frustrating.
Comment 10 Daniel Walsh 2006-01-26 10:01:54 EST
You can turn on the booleans 


Which should allow them to run.  But you should be seeing avc messages on 
libXm.so and others.

How is this file labeled?

Could you attach your audit.log ?
Comment 11 Joachim Frieben 2006-01-26 12:25:46 EST
None of both mentioned variables allowed to run "xpdf". However, while I
was browsing through "/selinux/booleans", I discovered "allow_execstack"
which looked more promising having in mind the complaint ".. cannot
enable executable stack ..".
Bingo! After executing "setsebool -P allow_execstack=1", "xpdf" starts up
as expected, and even the browser plugins work! The problem apparently
did not stem from the file context, but from the fact, that those guys
require an executable stack.
Comment 12 Joachim Frieben 2006-01-26 12:40:29 EST
To be more precise, "allow_execmem=1" is also required, "allow_execmod=1"
is additionally needed for the "java" plugin. The "audit.log" does not
reveal anything relevant to my eyes but I attach it anyway.
Comment 13 Joachim Frieben 2006-01-26 12:44:11 EST
Created attachment 123725 [details]
Audit subsystem log file
Comment 14 Daniel Walsh 2006-01-26 23:59:04 EST
Epiphany requires execstack.

This is a bad thing.

Comment 15 Christopher Aillon 2006-03-06 18:28:45 EST
Was this fixed by the nss update? 
Comment 16 Joachim Frieben 2006-03-07 07:51:19 EST
Plugins do work again because "allow_execstack" has been reenabled by
default in "SELinux".

After executing "setsebool -P allow_execstack 0", however, plugins
fail as at the time when I opened this bug report. Consequently, the
answer is no.
Comment 17 Ulrich Drepper 2006-03-07 10:19:25 EST
Did anybody use the execstack tool to simply reset the flag in the plugins? 
I.e., use

  exestack -c /path/to/plugin

Then try again.  My guess is that it's simply the build process which is broken.
 They either use old object files or asm files without the necessary magic.
Comment 18 Matěj Cepl 2008-02-08 11:17:23 EST
Since this bugzilla report was filed, we have seriously upgraded Gecko-related
packages in Rawhide, which may have resolved this issue. Users who have
experienced this problem are encouraged to upgrade their system to the latest
version of their distribution available.

Closing this bug as CANTFIX. Please, reopen, if this bug is still reproducable
on the latest update of your distribution.

[This is mass-closing of bugs which seem to be too old and irrelevant anymore;
we are sorry, if we are closing your bug in mistake; please, don't hesitate to
reopen, if it is still alive issue.]

Note You need to log in before you can comment on or make changes to this bug.