Bug 207621 - Installation of flash plugin fails.
Installation of flash plugin fails.
Status: CLOSED DUPLICATE of bug 189622
Product: Fedora
Classification: Fedora
Component: firefox (Show other bugs)
6
All Linux
medium Severity medium
: ---
: ---
Assigned To: Christopher Aillon
: Reopened
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-09-21 18:13 EDT by David Miller
Modified: 2007-11-30 17:11 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-01-10 15:26:09 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description David Miller 2006-09-21 18:13:03 EDT
Description of problem:

Installation of flash plugin via firefox browser fails with
SELINUX denials.

Version-Release number of selected component (if applicable):


How reproducible:

Always.

Steps to Reproduce:

1. Visit a web site with flash
2. click on the provided button in firefox to automatically search for and
install the Macromedia flash plugin.
3. Restart the browser and try to revisit the site using flash

audit(1158875743.418:164): avc:  denied  { execmod } for  pid=2295
comm="firefox-bin" name="libflashplayer.so" dev=dm-0 ino=13272948
scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:lib_t:s0
tclass=file

Actual results:

AVC denial, as per the following kernel log message...

audit(1158875743.418:164): avc:  denied  { execmod } for  pid=2295
comm="firefox-bin" name="libflashplayer.so" dev=dm-0 ino=13272948
scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:lib_t:s0
tclass=file

Expected results:

Flash loads and works properly.

Additional info:
Comment 1 Daniel Walsh 2006-09-21 18:47:18 EDT
What directory did it install it into?  Did you have restorecond running?
Comment 2 David Miller 2006-09-21 19:00:19 EDT
It installed by default into ~/.mozilla/plugins.  I tried also to copy
the plugin files, as root, into /usr/lib/mozilla/plugins/ and also
/usr/lib/firefox-1.5.0.7/plugins/, but the same failure occurs.

restorecond is running
Comment 3 Daniel Walsh 2006-09-21 19:09:35 EDT
restorecon libflashplayer.so

Should set its context to textrel_shlib_t

Which will allow it to work.

Comment 4 David Miller 2006-09-21 19:13:23 EDT
I'll try that out, thanks.

What should firefox be doing internall when it installs plugins in
order to avoid this problem?  Should it run restorecon after a plugin
install?  If it knows what files get put into the plugin/ directory
I suppose it could do that.
Comment 5 Daniel Walsh 2006-09-29 13:42:54 EDT
Yes or use the install command which has a built in restorecon.
Comment 6 David Miller 2006-09-29 19:01:18 EDT
Firefox hasn't had the necessary changes made which will make the
restorecon invocation occur, so why close the bug?  It's still there.

Please provide a reasoning when you close a bug.  It is very much still
a bug in that if someone tries to install flash right now as I did, the same
thing is likely to happen unless specific changes were made to Firefox
to deal with this issue.

I'm reopening this and I'd like to ask that it stay's open until the Firefox
issue is truly resolved.

Thanks a lot!
Comment 7 Daniel Walsh 2006-10-02 14:24:15 EDT
Fine that change the bug to firefox.  
Comment 8 Warren Togami 2007-01-10 15:26:09 EST
It would be improper for firefox to change the selinux context of the downloaded
file itself.  This is due to Bug #189622 where Flash Player 7 using text
relocations, which is disallowed by selinux policy.  

Flash Player 9 due out soon fixes this problem.

Meanwhile, you can either:
1) http://macromedia.mplug.org/ Use the Flash Player 7 RPM from here which
avoids this problem.
2) http://labs.adobe.com/downloads/flashplayer9.html Use Flash Player 9 Beta2
3) Wait until Flash Player 9 is released soon.


*** This bug has been marked as a duplicate of 189622 ***

Note You need to log in before you can comment on or make changes to this bug.