Bug 187596 - SELinux policy targeted 2.2.25-2.fc5 break Adobe Reader
Summary: SELinux policy targeted 2.2.25-2.fc5 break Adobe Reader
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 5
Hardware: i686
OS: Linux
medium
high
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Keywords: Desktop, SELinux
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2006-04-01 15:21 UTC by Heiko Adams
Modified: 2007-11-30 22:11 UTC (History)
5 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2006-05-09 21:10:30 UTC


Attachments (Terms of Use)

Description Heiko Adams 2006-04-01 15:21:56 UTC
Description of problem:
After updating the SELinux policy "targeted" to 2.2.25-2.fc5 the Adobe Reader
7.0.5 doesn't anymore. After using google I found bug 160106 which described the
same problem on core 3. As described there I switched SELinux to permisive mode
to make Adobe Reader running.

Additional info:
I'm using the german version distributed by adobe.com

Comment 1 Ian Pilcher 2006-04-01 21:34:22 UTC
This can be fixed by running these two commands (beware of Bugzilla word-wrappage):

chcon -t textrel_shlib_t /usr/local/Adobe/Acrobat7.0/Reader/intellinux/lib/*
chcon -t textrel_shlib_t
/usr/local/Adobe/Acrobat7.0/Reader/intellinux/plug_ins/*.api

This is much more secure than running the entire system in permissive mode.

Comment 2 John Griffiths 2006-04-01 22:44:24 UTC
Is this the "standard" way this will/is fixed, or will a policy change be made
to take care of Acrobat?

Comment 3 Heiko Adams 2006-04-02 15:54:13 UTC
I'm sorry, but the sun jre is also affected by the policy update and wasn't also
working anymore until I was running

chcon -t textrel_shlib_t /usr/local/jre1.6.0/lib/i386/client/*
chcon -t textrel_shlib_t /usr/local/jre1.6.0/bin/*

I'm going to file a seperate bugzilla for the jre problem. This one's just for info

Comment 4 Daniel Walsh 2006-04-03 14:28:49 UTC
Ian are you sure you need all the libs and api files?  I am seeing 

libJP2K.so but acroread still ran with this denial.

Dan

Comment 5 Ian Pilcher 2006-04-03 14:39:51 UTC
I may not need *all* of them, but it definitely did not run for me until I
did libJP2K.so and libCoolType.so.  It ran with pop-up warnings until I did
the *.api files in plug_ins; since I needed to do my taxes, which use fill-
in forms, I wanted all that functionality.

Comment 6 Daniel Walsh 2006-04-03 14:53:22 UTC
Fixed in 2.2.29-2.fc5

Comment 7 Daniel Walsh 2006-04-03 15:04:22 UTC
Yes I see the same errors.



Comment 8 Heiko Adams 2006-04-05 20:06:01 UTC
I'm sorry, but the Adobe Reader Firefox plugin isn't working in 2.2.25-3.fc5

Comment 9 Daniel Walsh 2006-04-06 19:03:47 UTC
What avc's are you seeing?  

Dan

Comment 10 Heiko Adams 2006-04-08 17:18:26 UTC
Sorry, but a fresh installed Adobe Reader 7.0.5 doesn't start on SELinux policy
targeted 2.2.29-3.fc5.

Error message:
/usr/local/Adobe/Acrobat7.0/Reader/intellinux/bin/acroread: error while loading
shared libraries: /usr/local/Adobe/Acrobat7.0/Reader/intellinux/lib/libJP2K.so:
cannot restore segment prot after reloc: Permission denied

Comment 11 Heiko Adams 2006-04-08 17:34:16 UTC
One more problem: After updating SELinux policy targeted to 2.2.29-3.fc5
AdobeReader exists without any message when trying to open the preferences

Comment 12 Fred New 2006-04-09 08:32:57 UTC
With selinux-policy-targeted-2.2.29-3.fc5 I see

Apr  9 11:23:54 darth kernel: audit(1144571034.819:488): avc:  denied  { execmod
} for  pid=3175 comm="acroread" name="libJP2K.so" dev=hdc6 ino=87897
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0
tclass=file
Apr  9 11:24:54 darth kernel: audit(1144571094.906:489): avc:  denied  { execmod
} for  pid=3249 comm="acroread" name="libCoolType.so.5.01" dev=hdc6 ino=87896
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0
tclass=file
Apr  9 11:25:19 darth kernel: audit(1144571119.772:490): avc:  denied  { execmod
} for  pid=3321 comm="acroread" name="libAXSLE.so" dev=hdc6 ino=87892
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0
tclass=file
Apr  9 11:25:20 darth kernel: audit(1144571120.036:491): avc:  denied  { execmod
} for  pid=3321 comm="acroread" name="ADMPlugin.apl" dev=hdc6 ino=88015
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0
tclass=file
Apr  9 11:27:48 darth kernel: audit(1144571268.073:492): avc:  denied  { execmod
} for  pid=3409 comm="acroread" name="libcrypto.so.0.9.6" dev=hdc6 ino=87917
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0
tclass=file

I changed the context type of these four files in
/usr/local/Adobe/Acrobat7.0/Reader/intellinux/lib to textrel_shlib_t and my
acroread started working.

Comment 13 Fred New 2006-04-09 08:52:06 UTC
I said "four" files above, but there are 5 AVC messages.  It looks like I don't
need to change anything for ADMPlugin.apl.

Comment 14 John Griffiths 2006-04-10 13:09:08 UTC
Not working in selinux-policy.noarch 0:2.2.29-4

Comment 15 Heiko Adams 2006-04-14 16:12:10 UTC
Maybe this helps:
When starting AdobeReader with SELinux in enforce mode the gui is english. When
starting AdobeReader with SELinux in permissive mode the gui is german.

Comment 16 David Mohring 2006-05-04 09:19:46 UTC
selinux-policy-targeted-2.2.34-3.fc5 still breaks AdobeReader_enu-7.0.5-1 .
To get Adobe working you need to ...

chcon -t textrel_shlib_t /usr/local/Adobe/Acrobat7.0/Reader/intellinux/lib/lib*




Comment 19 Daniel Walsh 2006-05-09 16:09:40 UTC
fixed in selinux-policy-2.2.38-1.FC5.

Comment 20 Heiko Adams 2006-05-09 16:57:33 UTC
Seems to work with selinux-policy-2.2.36-2.fc5 - I'm still unable to change the
language to german but that's not a real problem for me ;-)

Comment 21 Nicola Soranzo 2006-05-10 14:07:49 UTC
(In reply to comment #20)
> Seems to work with selinux-policy-2.2.36-2.fc5 - I'm still unable to change the
> language to german but that's not a real problem for me ;-)

Same here for Italian. Adobe Reader (after asking license acceptance in Italian)
starts automatically in English.
RPM: AdobeReader_ita-7.0.5-1.i386.rpm (latest)
/var/log/messages:

May 10 15:55:16 ozzy kernel: audit(1147269316.763:8): avc:  denied  { execmod }
for  pid=3762 comm="acroread" name="RdLang32.ITA" dev=hda6 ino=522862
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0
tclass=file
May 10 15:55:22 ozzy kernel: audit(1147269322.007:9): avc:  denied  { execmod }
for  pid=3762 comm="acroread" name="Spelling.ITA" dev=hda6 ino=522914
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0
tclass=file
May 10 15:55:22 ozzy kernel: audit(1147269322.135:10): avc:  denied  { execmod }
for  pid=3762 comm="acroread" name="PPKLite.ITA" dev=hda6 ino=522844
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0
tclass=file
May 10 15:55:22 ozzy kernel: audit(1147269322.251:11): avc:  denied  { execmod }
for  pid=3762 comm="acroread" name="Accessibility.ITA" dev=hda6 ino=522651
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0
tclass=file
May 10 15:55:22 ozzy kernel: audit(1147269322.271:12): avc:  denied  { execmod }
for  pid=3762 comm="acroread" name="AcroForm.ITA" dev=hda6 ino=522669
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0
tclass=file
May 10 15:55:22 ozzy kernel: audit(1147269322.407:13): avc:  denied  { execmod }
for  pid=3762 comm="acroread" name="Annots.ITA" dev=hda6 ino=522676
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0
tclass=file
May 10 15:55:22 ozzy kernel: audit(1147269322.759:14): avc:  denied  { execmod }
for  pid=3762 comm="acroread" name="DigSig.ITA" dev=hda6 ino=522681
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0
tclass=file
May 10 15:55:22 ozzy kernel: audit(1147269322.827:15): avc:  denied  { execmod }
for  pid=3762 comm="acroread" name="EFS.ITA" dev=hda6 ino=522685
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0
tclass=file
May 10 15:55:22 ozzy kernel: audit(1147269322.847:16): avc:  denied  { execmod }
for  pid=3762 comm="acroread" name="EScript.ITA" dev=hda6 ino=522703
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0
tclass=file
May 10 15:55:22 ozzy kernel: audit(1147269322.859:17): avc:  denied  { execmod }
for  pid=3762 comm="acroread" name="ewh.ITA" dev=hda6 ino=522923
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0
tclass=file
May 10 15:55:22 ozzy kernel: audit(1147269322.863:18): avc:  denied  { execmod }
for  pid=3762 comm="acroread" name="LegalPDF.ITA" dev=hda6 ino=522705
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0
tclass=file
May 10 15:55:22 ozzy kernel: audit(1147269322.863:19): avc:  denied  { execmod }
for  pid=3762 comm="acroread" name="MakeAccessible.ITA" dev=hda6 ino=522712
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0
tclass=file
May 10 15:55:22 ozzy kernel: audit(1147269322.867:20): avc:  denied  { execmod }
for  pid=3762 comm="acroread" name="PDDom.ITA" dev=hda6 ino=522774
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0
tclass=file
May 10 15:55:22 ozzy kernel: audit(1147269322.975:21): avc:  denied  { execmod }
for  pid=3762 comm="acroread" name="SaveAsRTF.ITA" dev=hda6 ino=522887
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0
tclass=file
May 10 15:55:22 ozzy kernel: audit(1147269322.979:22): avc:  denied  { execmod }
for  pid=3762 comm="acroread" name="SearchFind.ITA" dev=hda6 ino=522892
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0
tclass=file
May 10 15:55:22 ozzy kernel: audit(1147269322.979:23): avc:  denied  { execmod }
for  pid=3762 comm="acroread" name="SendMail.ITA" dev=hda6 ino=522896
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0
tclass=file
May 10 15:55:22 ozzy kernel: audit(1147269322.995:24): avc:  denied  { execmod }
for  pid=3762 comm="acroread" name="SOAP.ITA" dev=hda6 ino=522880
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0
tclass=file
May 10 15:55:23 ozzy kernel: audit(1147269323.043:25): avc:  denied  { execmod }
for  pid=3762 comm="acroread" name="wwwlink.ITA" dev=hda6 ino=522997
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0
tclass=file

In practice all files under
/usr/local/Adobe/Acrobat7.0/Reader/intellinux/sidecars/ .
Please reopen!

Comment 22 Daniel Walsh 2006-05-10 18:28:49 UTC
If you execute 
chcon -t textrel_shlib_t /usr/local/Adobe/Acrobat7.0/Reader/intellinux/sidecars/*

Does it work?

Dan

Comment 23 Nicola Soranzo 2006-05-10 19:24:38 UTC
(In reply to comment #22)
> If you execute 
> chcon -t textrel_shlib_t /usr/local/Adobe/Acrobat7.0/Reader/intellinux/sidecars/*
> 
> Does it work?

Yes, it works fine.
I don't know about other languages.
Thanks a lot, I hope to see this applied to next update.

Nicola


Comment 24 Nicola Soranzo 2006-05-15 22:50:56 UTC
The fix for italian/german isn't present in the latest update
selinux-policy-2.2.38-1.fc5 .
Please... ;)



Note You need to log in before you can comment on or make changes to this bug.