Bug 187596 - SELinux policy targeted 2.2.25-2.fc5 break Adobe Reader
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 5
Hardware: i686 Linux
Priority: medium, Severity: high
Assigned To: Daniel Walsh
: Desktop, SELinux
Reported: 2006-04-01 10:21 EST by Heiko Adams
Modified: 2007-11-30 17:11 EST
Fixed In Version: 2.2.36-2.fc5
Doc Type: Bug Fix
Last Closed: 2006-05-09 17:10:30 EDT
Description Heiko Adams 2006-04-01 10:21:56 EST
Description of problem:
After updating the SELinux policy "targeted" to 2.2.25-2.fc5, Adobe Reader
7.0.5 doesn't work anymore. After using Google I found bug 160106, which described the
same problem on Core 3. As described there, I switched SELinux to permissive mode
to get Adobe Reader running.

Additional info:
I'm using the German version distributed by adobe.com.
Comment 1 Ian Pilcher 2006-04-01 16:34:22 EST
This can be fixed by running these two commands (beware of Bugzilla word-wrappage):

chcon -t textrel_shlib_t /usr/local/Adobe/Acrobat7.0/Reader/intellinux/lib/*
chcon -t textrel_shlib_t /usr/local/Adobe/Acrobat7.0/Reader/intellinux/plug_ins/*.api

This is much more secure than running the entire system in permissive mode.
Comment 2 John Griffiths 2006-04-01 17:44:24 EST
Is this the "standard" way this will/is fixed, or will a policy change be made
to take care of Acrobat?
Comment 3 Heiko Adams 2006-04-02 11:54:13 EDT
I'm sorry, but the Sun JRE is also affected by the policy update and also wasn't
working anymore until I ran

chcon -t textrel_shlib_t /usr/local/jre1.6.0/lib/i386/client/*
chcon -t textrel_shlib_t /usr/local/jre1.6.0/bin/*

I'm going to file a separate bugzilla for the JRE problem. This one's just for info.
Comment 4 Daniel Walsh 2006-04-03 10:28:49 EDT
Ian are you sure you need all the libs and api files?  I am seeing 

libJP2K.so but acroread still ran with this denial.

Dan
Comment 5 Ian Pilcher 2006-04-03 10:39:51 EDT
I may not need *all* of them, but it definitely did not run for me until I
did libJP2K.so and libCoolType.so.  It ran with pop-up warnings until I did
the *.api files in plug_ins; since I needed to do my taxes, which use fill-
in forms, I wanted all that functionality.
Comment 6 Daniel Walsh 2006-04-03 10:53:22 EDT
Fixed in 2.2.29-2.fc5
Comment 7 Daniel Walsh 2006-04-03 11:04:22 EDT
Yes I see the same errors.

Comment 8 Heiko Adams 2006-04-05 16:06:01 EDT
I'm sorry, but the Adobe Reader Firefox plugin isn't working in 2.2.25-3.fc5
Comment 9 Daniel Walsh 2006-04-06 15:03:47 EDT
What avc's are you seeing?  

Dan
Comment 10 Heiko Adams 2006-04-08 13:18:26 EDT
Sorry, but a freshly installed Adobe Reader 7.0.5 doesn't start on SELinux policy
targeted 2.2.29-3.fc5.

Error message:
/usr/local/Adobe/Acrobat7.0/Reader/intellinux/bin/acroread: error while loading
shared libraries: /usr/local/Adobe/Acrobat7.0/Reader/intellinux/lib/libJP2K.so:
cannot restore segment prot after reloc: Permission denied
Comment 11 Heiko Adams 2006-04-08 13:34:16 EDT
One more problem: After updating SELinux policy targeted to 2.2.29-3.fc5,
AdobeReader exits without any message when trying to open the preferences.
Comment 12 Fred New 2006-04-09 04:32:57 EDT
With selinux-policy-targeted-2.2.29-3.fc5 I see

Apr  9 11:23:54 darth kernel: audit(1144571034.819:488): avc:  denied  { execmod
} for  pid=3175 comm="acroread" name="libJP2K.so" dev=hdc6 ino=87897
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0
tclass=file
Apr  9 11:24:54 darth kernel: audit(1144571094.906:489): avc:  denied  { execmod
} for  pid=3249 comm="acroread" name="libCoolType.so.5.01" dev=hdc6 ino=87896
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0
tclass=file
Apr  9 11:25:19 darth kernel: audit(1144571119.772:490): avc:  denied  { execmod
} for  pid=3321 comm="acroread" name="libAXSLE.so" dev=hdc6 ino=87892
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0
tclass=file
Apr  9 11:25:20 darth kernel: audit(1144571120.036:491): avc:  denied  { execmod
} for  pid=3321 comm="acroread" name="ADMPlugin.apl" dev=hdc6 ino=88015
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0
tclass=file
Apr  9 11:27:48 darth kernel: audit(1144571268.073:492): avc:  denied  { execmod
} for  pid=3409 comm="acroread" name="libcrypto.so.0.9.6" dev=hdc6 ino=87917
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0
tclass=file

I changed the context type of these four files in
/usr/local/Adobe/Acrobat7.0/Reader/intellinux/lib to textrel_shlib_t and my
acroread started working.
Comment 13 Fred New 2006-04-09 04:52:06 EDT
I said "four" files above, but there are 5 AVC messages.  It looks like I don't
need to change anything for ADMPlugin.apl.
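
An added example, not part of the original thread: a Python script that rejoins the word-wrapped AVC records quoted in comment 12 and lists, per target type, the files acroread was denied execmod on, so that only those files are relabelled rather than a whole directory. The function names parse_avc and execmod_targets are hypothetical; the sample input is three of the five records from comment 12.

```python
import re
from collections import defaultdict

# Sample input: three of the five records from comment 12, still word-wrapped.
SAMPLE = """\
Apr  9 11:23:54 darth kernel: audit(1144571034.819:488): avc:  denied  { execmod
} for  pid=3175 comm="acroread" name="libJP2K.so" dev=hdc6 ino=87897
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0
tclass=file
Apr  9 11:25:20 darth kernel: audit(1144571120.036:491): avc:  denied  { execmod
} for  pid=3321 comm="acroread" name="ADMPlugin.apl" dev=hdc6 ino=88015
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0
tclass=file
Apr  9 11:27:48 darth kernel: audit(1144571268.073:492): avc:  denied  { execmod
} for  pid=3409 comm="acroread" name="libcrypto.so.0.9.6" dev=hdc6 ino=87917
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0
tclass=file
"""

START = re.compile(r"audit\(\d+\.\d+:\d+\):\s+avc:")
PERMS = re.compile(r"denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(text):
    """Rejoin wrapped lines and return one dict per AVC denial record."""
    out, cur = [], None
    for line in text.splitlines():
        if START.search(line):
            cur = line.strip()              # a new record begins
        elif cur is not None:
            cur += " " + line.strip()       # continuation of a wrapped record
        if cur and "tclass=" in cur:        # tclass is the last field: record done
            rec = {k: v.strip('"') for k, v in FIELD.findall(cur)}
            m = PERMS.search(cur)
            ctx = rec.get("tcontext", "").split(":")  # user:role:type[:level]
            if m and len(ctx) >= 3:
                out.append({**rec, "perms": m.group(1).split(), "ttype": ctx[2]})
            cur = None
    return out

def execmod_targets(text, comm):
    """Map target type -> sorted file names denied execmod for process comm."""
    by_type = defaultdict(set)
    for r in parse_avc(text):
        if "execmod" in r["perms"] and r.get("comm") == comm and r.get("tclass") == "file":
            by_type[r["ttype"]].add(r.get("name", "?"))
    return {t: sorted(names) for t, names in by_type.items()}

if __name__ == "__main__":
    print(execmod_targets(SAMPLE, "acroread"))
```

An AVC record carries only the file's base name and inode number, so the full path still has to be located (for example by inode on the device named in dev=) before running chcon on it.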
Comment 14 John Griffiths 2006-04-10 09:09:08 EDT
Not working in selinux-policy.noarch 0:2.2.29-4
Comment 15 Heiko Adams 2006-04-14 12:12:10 EDT
Maybe this helps:
When starting AdobeReader with SELinux in enforce mode the GUI is English. When
starting AdobeReader with SELinux in permissive mode the GUI is German.
Comment 16 David Mohring 2006-05-04 05:19:46 EDT
selinux-policy-targeted-2.2.34-3.fc5 still breaks AdobeReader_enu-7.0.5-1 .
To get Adobe working you need to ...

chcon -t textrel_shlib_t /usr/local/Adobe/Acrobat7.0/Reader/intellinux/lib/lib*


Comment 19 Daniel Walsh 2006-05-09 12:09:40 EDT
fixed in selinux-policy-2.2.38-1.FC5.
Comment 20 Heiko Adams 2006-05-09 12:57:33 EDT
Seems to work with selinux-policy-2.2.36-2.fc5 - I'm still unable to change the
language to German but that's not a real problem for me ;-)
Comment 21 Nicola Soranzo 2006-05-10 10:07:49 EDT
(In reply to comment #20)
> Seems to work with selinux-policy-2.2.36-2.fc5 - I'm still unable to change the
> language to German but that's not a real problem for me ;-)

Same here for Italian. Adobe Reader (after asking for license acceptance in Italian)
starts automatically in English.
RPM: AdobeReader_ita-7.0.5-1.i386.rpm (latest)
/var/log/messages:

May 10 15:55:16 ozzy kernel: audit(1147269316.763:8): avc:  denied  { execmod }
for  pid=3762 comm="acroread" name="RdLang32.ITA" dev=hda6 ino=522862
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0
tclass=file
May 10 15:55:22 ozzy kernel: audit(1147269322.007:9): avc:  denied  { execmod }
for  pid=3762 comm="acroread" name="Spelling.ITA" dev=hda6 ino=522914
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0
tclass=file
May 10 15:55:22 ozzy kernel: audit(1147269322.135:10): avc:  denied  { execmod }
for  pid=3762 comm="acroread" name="PPKLite.ITA" dev=hda6 ino=522844
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0
tclass=file
May 10 15:55:22 ozzy kernel: audit(1147269322.251:11): avc:  denied  { execmod }
for  pid=3762 comm="acroread" name="Accessibility.ITA" dev=hda6 ino=522651
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0
tclass=file
May 10 15:55:22 ozzy kernel: audit(1147269322.271:12): avc:  denied  { execmod }
for  pid=3762 comm="acroread" name="AcroForm.ITA" dev=hda6 ino=522669
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0
tclass=file
May 10 15:55:22 ozzy kernel: audit(1147269322.407:13): avc:  denied  { execmod }
for  pid=3762 comm="acroread" name="Annots.ITA" dev=hda6 ino=522676
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0
tclass=file
May 10 15:55:22 ozzy kernel: audit(1147269322.759:14): avc:  denied  { execmod }
for  pid=3762 comm="acroread" name="DigSig.ITA" dev=hda6 ino=522681
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0
tclass=file
May 10 15:55:22 ozzy kernel: audit(1147269322.827:15): avc:  denied  { execmod }
for  pid=3762 comm="acroread" name="EFS.ITA" dev=hda6 ino=522685
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0
tclass=file
May 10 15:55:22 ozzy kernel: audit(1147269322.847:16): avc:  denied  { execmod }
for  pid=3762 comm="acroread" name="EScript.ITA" dev=hda6 ino=522703
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0
tclass=file
May 10 15:55:22 ozzy kernel: audit(1147269322.859:17): avc:  denied  { execmod }
for  pid=3762 comm="acroread" name="ewh.ITA" dev=hda6 ino=522923
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0
tclass=file
May 10 15:55:22 ozzy kernel: audit(1147269322.863:18): avc:  denied  { execmod }
for  pid=3762 comm="acroread" name="LegalPDF.ITA" dev=hda6 ino=522705
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0
tclass=file
May 10 15:55:22 ozzy kernel: audit(1147269322.863:19): avc:  denied  { execmod }
for  pid=3762 comm="acroread" name="MakeAccessible.ITA" dev=hda6 ino=522712
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0
tclass=file
May 10 15:55:22 ozzy kernel: audit(1147269322.867:20): avc:  denied  { execmod }
for  pid=3762 comm="acroread" name="PDDom.ITA" dev=hda6 ino=522774
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0
tclass=file
May 10 15:55:22 ozzy kernel: audit(1147269322.975:21): avc:  denied  { execmod }
for  pid=3762 comm="acroread" name="SaveAsRTF.ITA" dev=hda6 ino=522887
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0
tclass=file
May 10 15:55:22 ozzy kernel: audit(1147269322.979:22): avc:  denied  { execmod }
for  pid=3762 comm="acroread" name="SearchFind.ITA" dev=hda6 ino=522892
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0
tclass=file
May 10 15:55:22 ozzy kernel: audit(1147269322.979:23): avc:  denied  { execmod }
for  pid=3762 comm="acroread" name="SendMail.ITA" dev=hda6 ino=522896
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0
tclass=file
May 10 15:55:22 ozzy kernel: audit(1147269322.995:24): avc:  denied  { execmod }
for  pid=3762 comm="acroread" name="SOAP.ITA" dev=hda6 ino=522880
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0
tclass=file
May 10 15:55:23 ozzy kernel: audit(1147269323.043:25): avc:  denied  { execmod }
for  pid=3762 comm="acroread" name="wwwlink.ITA" dev=hda6 ino=522997
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0
tclass=file

In practice all files under
/usr/local/Adobe/Acrobat7.0/Reader/intellinux/sidecars/ .
Please reopen!
Comment 22 Daniel Walsh 2006-05-10 14:28:49 EDT
If you execute 
chcon -t textrel_shlib_t /usr/local/Adobe/Acrobat7.0/Reader/intellinux/sidecars/*

Does it work?

Dan
Comment 23 Nicola Soranzo 2006-05-10 15:24:38 EDT
(In reply to comment #22)
> If you execute 
> chcon -t textrel_shlib_t /usr/local/Adobe/Acrobat7.0/Reader/intellinux/sidecars/*
> 
> Does it work?

Yes, it works fine.
I don't know about other languages.
Thanks a lot, I hope to see this applied to next update.

Nicola
Comment 24 Nicola Soranzo 2006-05-15 18:50:56 EDT
The fix for Italian/German isn't present in the latest update
selinux-policy-2.2.38-1.fc5.
Please... ;)
