Bug 469257 - selinux policy and mozplugger do not get along
Summary: selinux policy and mozplugger do not get along
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: mozplugger
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Than Ngo
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: NEEDSRETESTING
: 509280 (view as bug list)
Depends On:
Blocks: F11Blocker, F11FinalBlocker
TreeView+ depends on / blocked
 
Reported: 2008-10-30 20:30 UTC by Daniel Walsh
Modified: 2018-04-11 16:06 UTC (History)
15 users (show)

Fixed In Version: 1.12.1-2.fc11
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-07-03 14:21:16 UTC


Attachments (Terms of Use)

Description Daniel Walsh 2008-10-30 20:30:25 UTC
Description of problem:

mozplugger is running openoffice and evince from within nspluginwrapper.  

SELinux is confining nspluginwrapper to have limited privledge so that we can prevent applications like flashplugin and other untrusted applications from having full access to the desktop.

We can not write policy to confine openoffice since it can be launched via the panel or firefox and only one app is run.

We need to investigate a way to run certain apps outside nspluginwrapper and others within.

Comment 1 James Morris 2009-02-26 10:29:52 UTC
Why is mozplugger being installed by default instead of ensuring that nsplugin confinement is being enforced?  There are vulnerabilities in several browser plugins which SELinux could be blocking now.

Comment 2 James Morris 2009-04-29 08:08:38 UTC
There's yet another acroread vulnerability affecting all platforms.

Can we please have the SELinux protections for the browser re-enabled by default?

Comment 3 Matěj Cepl 2009-04-29 09:18:16 UTC
(In reply to comment #2)
> There's yet another acroread vulnerability affecting all platforms.
> 
> Can we please have the SELinux protections for the browser re-enabled by
> default?  

+1 but you (or whoever is affected by this vulnerability) should just get rid of acroread ... evince just works better ;-) (except for Forms and some other silly stuff)
</rant>

Comment 4 Matěj Cepl 2009-04-29 09:19:09 UTC
Worse problem with this bug is that it is in wrong component. Reassigning.

Comment 5 Bill Nottingham 2009-04-29 15:49:40 UTC
Both nspluginwrapper and mozplugger own %{_libdir}/mozilla/plugins. mozplugger wins by shorter name.

Simplest fix would be for mozplugger to not own those directories.

Comment 6 Christopher Aillon 2009-04-29 18:48:26 UTC
I agree here.  The only package that should own %{_libdir}/mozilla/plugins is the mozilla-filesystem package.  Require that package if you need the directory.

Comment 7 Matěj Cepl 2009-04-30 10:04:44 UTC
Could we get rid of it NOW? It shouldn't be that difficult, resolution is available in comment 6, and we shouldn't draw this nonsense of not having nspluginwrapper for next Fedora.

Comment 8 Matěj Cepl 2009-04-30 10:05:51 UTC
(In reply to comment #6)
> I agree here.  The only package that should own %{_libdir}/mozilla/plugins is
> the mozilla-filesystem package.  Require that package if you need the
> directory.  

But then somebody in nspluginwrapper have to explicitly ask for installation of nspluginwrapper, right? Bill?

Comment 9 Bill Nottingham 2009-04-30 16:00:43 UTC
nspluginwrapper is a default package alongside FF in comps.

Comment 10 Daniel Walsh 2009-04-30 21:37:04 UTC
So we are going to turn on nspluginwrapper policy by default?

Comment 11 Than Ngo 2009-05-04 15:39:44 UTC
mozplugger-1.10.1-5.fc11 doesn't own %{_libdir}/mozilla/plugins

Comment 12 Will Woods 2009-05-06 20:04:53 UTC
That package is now in Rawhide. Is there a test case to confirm that the original problem is solved, or should we just consider it fixed and close the bug?

Comment 13 Bill Nottingham 2009-05-06 20:59:27 UTC
Do various installs, make sure mozplugger isn't installed by default.

Comment 14 Will Woods 2009-05-11 18:28:50 UTC
Confirmed: after various installs, mozplugger isn't installed by default. 

I tried a default install, a minimal install, and installing without the @graphical-internet group (which contains nspluginwrapper) and then installing firefox after the fact.

Comment 15 Matthias Clasen 2009-07-02 04:28:14 UTC
Comment #11 is wrong:

rpm -qlp mozplugger-1.12.1-1.fc11.x86_64.rpm 
/etc/mozpluggerrc
/usr/bin/mozplugger-controller
/usr/bin/mozplugger-helper
/usr/bin/mozplugger-linker
/usr/lib64/mozilla
/usr/lib64/mozilla/plugins
/usr/lib64/mozilla/plugins/mozplugger.so
/usr/share/doc/mozplugger-1.12.1
/usr/share/doc/mozplugger-1.12.1/COPYING
/usr/share/doc/mozplugger-1.12.1/README
/usr/share/man/man7/mozplugger.7.gz


It still owns /usr/bin/mozilla _and_ /usr/bin/mozilla/plugins
It must depend on mozilla-filesystem instead.

Comment 16 Matěj Cepl 2009-07-02 04:38:41 UTC
*** Bug 509280 has been marked as a duplicate of this bug. ***

Comment 17 Than Ngo 2009-07-02 14:35:28 UTC
it's fixed in F11 and sadly shows up in F11 update again. It's a regression. I fixed it now and will push mozplugger-1.12.1-2 in F11/F10 update ASAP.

Comment 18 Fedora Update System 2009-07-02 14:56:09 UTC
mozplugger-1.12.1-2.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/mozplugger-1.12.1-2.fc9

Comment 19 Fedora Update System 2009-07-02 14:57:03 UTC
mozplugger-1.12.1-2.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/mozplugger-1.12.1-2.fc10

Comment 20 Fedora Update System 2009-07-02 14:58:07 UTC
mozplugger-1.12.1-2.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/mozplugger-1.12.1-2.fc11

Comment 21 Matěj Cepl 2009-07-02 15:07:13 UTC
(In reply to comment #17)
> it's fixed in F11 and sadly shows up in F11 update again. It's a regression. I
> fixed it now and will push mozplugger-1.12.1-2 in F11/F10 update ASAP.  

This has been actually reopened against F12.

Comment 22 Matěj Cepl 2009-07-02 15:07:39 UTC
Could you check it has been fixed in F12? (Sorry, that's what I meant)

Comment 23 Than Ngo 2009-07-03 14:21:16 UTC
yes, it's fixed in F12

Comment 24 Fedora Update System 2009-07-03 19:48:22 UTC
mozplugger-1.12.1-2.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 25 Fedora Update System 2009-07-03 19:49:14 UTC
mozplugger-1.12.1-2.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 26 Fedora Update System 2009-07-03 19:55:07 UTC
mozplugger-1.12.1-2.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.