Description of problem: Installation of flash plugin via firefox browser fails with SELINUX denials. Version-Release number of selected component (if applicable): How reproducible: Always. Steps to Reproduce: 1. Visit a web site with flash 2. click on the provided button in firefox to automatically search for and install the Macromedia flash plugin. 3. Restart the browser and try to revisit the site using flash audit(1158875743.418:164): avc: denied { execmod } for pid=2295 comm="firefox-bin" name="libflashplayer.so" dev=dm-0 ino=13272948 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:lib_t:s0 tclass=file Actual results: AVC denial, as per the following kernel log message... audit(1158875743.418:164): avc: denied { execmod } for pid=2295 comm="firefox-bin" name="libflashplayer.so" dev=dm-0 ino=13272948 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:lib_t:s0 tclass=file Expected results: Flash loads and works properly. Additional info:
What directory did it install it into? Did you have restorecond running?
It installed by default into ~/.mozilla/plugins. I tried also to copy the plugin files, as root, into /usr/lib/mozilla/plugins/ and also /usr/lib/firefox-1.5.0.7/plugins/, but the same failure occurs. restorecond is running
restorecon libflashplayer.so Should set its context to textrel_shlib_t Which will allow it to work.
I'll try that out, thanks. What should firefox be doing internall when it installs plugins in order to avoid this problem? Should it run restorecon after a plugin install? If it knows what files get put into the plugin/ directory I suppose it could do that.
Yes or use the install command which has a built in restorecon.
Firefox hasn't had the necessary changes made which will make the restorecon invocation occur, so why close the bug? It's still there. Please provide a reasoning when you close a bug. It is very much still a bug in that if someone tries to install flash right now as I did, the same thing is likely to happen unless specific changes were made to Firefox to deal with this issue. I'm reopening this and I'd like to ask that it stay's open until the Firefox issue is truly resolved. Thanks a lot!
Fine that change the bug to firefox.
It would be improper for firefox to change the selinux context of the downloaded file itself. This is due to Bug #189622 where Flash Player 7 using text relocations, which is disallowed by selinux policy. Flash Player 9 due out soon fixes this problem. Meanwhile, you can either: 1) http://macromedia.mplug.org/ Use the Flash Player 7 RPM from here which avoids this problem. 2) http://labs.adobe.com/downloads/flashplayer9.html Use Flash Player 9 Beta2 3) Wait until Flash Player 9 is released soon. *** This bug has been marked as a duplicate of 189622 ***