Bug 427590 - SELinux is preventing /usr/lib/nspluginwrapper/npviewer.bin from loading /usr/lib/mozilla/plugins/nppdf.so which requires text relocation.
Summary: SELinux is preventing /usr/lib/nspluginwrapper/npviewer.bin from loading /usr...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 8
Hardware: x86_64
OS: Linux
low
low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-01-04 22:27 UTC by Chris Eilbeck
Modified: 2008-03-06 14:51 UTC (History)
0 users

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-03-05 22:17:08 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Chris Eilbeck 2008-01-04 22:27:05 UTC
Detailed DescriptionThe /usr/lib/nspluginwrapper/npviewer.bin application
attempted to load /usr/lib/mozilla/plugins/nppdf.so which requires text
relocation. This is a potential security problem. Most libraries do not need
this permission. Libraries are sometimes coded incorrectly and request this
permission. The SELinux Memory Protection Tests web page explains how to remove
this requirement. You can configure SELinux temporarily to allow
/usr/lib/mozilla/plugins/nppdf.so to use relocation as a workaround, until the
library is fixed. Please file a bug report against this package.Allowing
AccessIf you trust /usr/lib/mozilla/plugins/nppdf.so to run correctly, you can
change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t
/usr/lib/mozilla/plugins/nppdf.so" You must also change the default file context
files on the system in order to preserve them even on a full relabel. "semanage
fcontext -a -t textrel_shlib_t /usr/lib/mozilla/plugins/nppdf.so"The following
command will allow this access:chcon -t textrel_shlib_t
/usr/lib/mozilla/plugins/nppdf.soAdditional InformationSource
Context:  system_u:system_r:unconfined_t:s0Target
Context:  system_u:object_r:lib_t:s0Target
Objects:  /usr/lib/mozilla/plugins/nppdf.so [ file ]Affected RPM
Packages:  nspluginwrapper-0.9.91.5-14.fc8 [application]Policy
RPM:  selinux-policy-3.0.8-72.fc8Selinux Enabled:  TruePolicy Type:  targetedMLS
Enabled:  TrueEnforcing Mode:  EnforcingPlugin Name:  plugins.allow_execmodHost
Name:  localhost.localdomainPlatform:  Linux localhost.localdomain
2.6.23.9-85.fc8 #1 SMP Fri Dec 7 15:49:36 EST 2007 x86_64 x86_64Alert
Count:  22First Seen:  Thu 03 Jan 2008 09:34:06 PM GMTLast Seen:  Fri 04 Jan
2008 10:21:48 PM GMTLocal ID:  df01f0d4-dfff-4efb-a999-c118d6cdd2e3Line
Numbers:  Raw Audit Messages :avc: denied { execmod } for comm=npviewer.bin
dev=dm-0 egid=500 euid=500 exe=/usr/lib/nspluginwrapper/npviewer.bin exit=-13
fsgid=500 fsuid=500 gid=500 items=0 path=/usr/lib/mozilla/plugins/nppdf.so
pid=4311 scontext=system_u:system_r:unconfined_t:s0 sgid=500
subj=system_u:system_r:unconfined_t:s0 suid=500 tclass=file
tcontext=system_u:object_r:lib_t:s0 tty=(none) uid=500

Comment 1 Daniel Walsh 2008-01-08 19:03:46 UTC
Bad file context 

restorecon -v /usr/lib/mozilla/plugins/nppdf.so


Comment 2 Daniel Walsh 2008-03-05 22:17:08 UTC
Bugs have been in modified for over one month.  Closing as fixed in current
release please reopen if the problem still persists.

Comment 3 Chris Eilbeck 2008-03-06 14:51:36 UTC
many thanks, the "restorecon" seems to have fixed this problem.

Chris


Note You need to log in before you can comment on or make changes to this bug.