Bug 469257 - selinux policy and mozplugger do not get along
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: mozplugger
Version: rawhide
Hardware: All Linux
Priority: medium Severity: medium
Assigned To: Ngo Than
QA Contact: Fedora Extras Quality Assurance
Whiteboard: NEEDSRETESTING
Keywords: EasyFix, Reopened
Duplicates: 509280
Blocks: F11Blocker/F11FinalBlocker
Reported: 2008-10-30 16:30 EDT by Daniel Walsh
Modified: 2013-01-09 23:53 EST
Fixed In Version: 1.12.1-2.fc11
Doc Type: Bug Fix
Last Closed: 2009-07-03 10:21:16 EDT


Description Daniel Walsh 2008-10-30 16:30:25 EDT
Description of problem:

mozplugger is running openoffice and evince from within nspluginwrapper.  

SELinux is confining nspluginwrapper to have limited privilege so that we can prevent applications like flashplugin and other untrusted applications from having full access to the desktop.

We cannot write policy to confine openoffice since it can be launched via the panel or firefox and only one app is run.

We need to investigate a way to run certain apps outside nspluginwrapper and others within.
Comment 1 James Morris 2009-02-26 05:29:52 EST
Why is mozplugger being installed by default instead of ensuring that nsplugin confinement is being enforced?  There are vulnerabilities in several browser plugins which SELinux could be blocking now.
Comment 2 James Morris 2009-04-29 04:08:38 EDT
There's yet another acroread vulnerability affecting all platforms.

Can we please have the SELinux protections for the browser re-enabled by default?
Comment 3 Matěj Cepl 2009-04-29 05:18:16 EDT
(In reply to comment #2)
> There's yet another acroread vulnerability affecting all platforms.
> 
> Can we please have the SELinux protections for the browser re-enabled by
> default?  

+1 but you (or whoever is affected by this vulnerability) should just get rid of acroread ... evince just works better ;-) (except for Forms and some other silly stuff)
</rant>
Comment 4 Matěj Cepl 2009-04-29 05:19:09 EDT
Worse problem with this bug is that it is in wrong component. Reassigning.
Comment 5 Bill Nottingham 2009-04-29 11:49:40 EDT
Both nspluginwrapper and mozplugger own %{_libdir}/mozilla/plugins. mozplugger wins by shorter name.

Simplest fix would be for mozplugger to not own those directories.
Comment 6 Christopher Aillon 2009-04-29 14:48:26 EDT
I agree here.  The only package that should own %{_libdir}/mozilla/plugins is the mozilla-filesystem package.  Require that package if you need the directory.
Comment 7 Matěj Cepl 2009-04-30 06:04:44 EDT
Could we get rid of it NOW? It shouldn't be that difficult, resolution is available in comment 6, and we shouldn't draw this nonsense of not having nspluginwrapper for next Fedora.
Comment 8 Matěj Cepl 2009-04-30 06:05:51 EDT
(In reply to comment #6)
> I agree here.  The only package that should own %{_libdir}/mozilla/plugins is
> the mozilla-filesystem package.  Require that package if you need the
> directory.  

But then somebody in nspluginwrapper has to explicitly ask for installation of nspluginwrapper, right? Bill?
Comment 9 Bill Nottingham 2009-04-30 12:00:43 EDT
nspluginwrapper is a default package alongside FF in comps.
Comment 10 Daniel Walsh 2009-04-30 17:37:04 EDT
So we are going to turn on nspluginwrapper policy by default?
Comment 11 Ngo Than 2009-05-04 11:39:44 EDT
mozplugger-1.10.1-5.fc11 doesn't own %{_libdir}/mozilla/plugins
Comment 12 Will Woods 2009-05-06 16:04:53 EDT
That package is now in Rawhide. Is there a test case to confirm that the original problem is solved, or should we just consider it fixed and close the bug?
Comment 13 Bill Nottingham 2009-05-06 16:59:27 EDT
Do various installs, make sure mozplugger isn't installed by default.
Comment 14 Will Woods 2009-05-11 14:28:50 EDT
Confirmed: after various installs, mozplugger isn't installed by default. 

I tried a default install, a minimal install, and installing without the @graphical-internet group (which contains nspluginwrapper) and then installing firefox after the fact.
Comment 15 Matthias Clasen 2009-07-02 00:28:14 EDT
Comment #11 is wrong:

rpm -qlp mozplugger-1.12.1-1.fc11.x86_64.rpm 
/etc/mozpluggerrc
/usr/bin/mozplugger-controller
/usr/bin/mozplugger-helper
/usr/bin/mozplugger-linker
/usr/lib64/mozilla
/usr/lib64/mozilla/plugins
/usr/lib64/mozilla/plugins/mozplugger.so
/usr/share/doc/mozplugger-1.12.1
/usr/share/doc/mozplugger-1.12.1/COPYING
/usr/share/doc/mozplugger-1.12.1/README
/usr/share/man/man7/mozplugger.7.gz


It still owns /usr/bin/mozilla _and_ /usr/bin/mozilla/plugins
It must depend on mozilla-filesystem instead.
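The ownership check from comment 15, as an added example that is not part of the original bug thread or of the mozplugger packaging: it scans an `rpm -qlp` file list for shared directories the package claims for itself. The function names, the fixed file list and the reserved-directory list are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample: the `rpm -qlp` file list quoted in comment 15
# (documentation and man page entries omitted).
SAMPLE_FILELIST='/etc/mozpluggerrc
/usr/bin/mozplugger-controller
/usr/bin/mozplugger-helper
/usr/bin/mozplugger-linker
/usr/lib64/mozilla
/usr/lib64/mozilla/plugins
/usr/lib64/mozilla/plugins/mozplugger.so'

# Constructed sample (assumption): the same list once the package only ships
# its plugin file and leaves the directories to mozilla-filesystem.
FIXED_FILELIST='/etc/mozpluggerrc
/usr/bin/mozplugger-controller
/usr/bin/mozplugger-helper
/usr/bin/mozplugger-linker
/usr/lib64/mozilla/plugins/mozplugger.so'

# Assumption: directories reserved for mozilla-filesystem, covering both
# expansions of %{_libdir}.
RESERVED_DIRS='/usr/lib/mozilla
/usr/lib/mozilla/plugins
/usr/lib64/mozilla
/usr/lib64/mozilla/plugins'

# owned_reserved_dirs FILELIST
# Prints every reserved directory that appears as its own entry in FILELIST,
# meaning the package claims the directory itself. Files below a reserved
# directory do not match, because the comparison is whole-line and literal.
owned_reserved_dirs() {
    printf '%s\n' "$RESERVED_DIRS" | while IFS= read -r dir; do
        if printf '%s\n' "$1" | grep -Fxq -- "$dir"; then
            printf '%s\n' "$dir"
        fi
    done
}

# package_is_clean FILELIST
# Succeeds only when the package owns none of the reserved directories.
package_is_clean() {
    [ -z "$(owned_reserved_dirs "$1")" ]
}

echo "comment 15 build owns:"
owned_reserved_dirs "$SAMPLE_FILELIST"
package_is_clean "$FIXED_FILELIST" && echo "fixed list: clean"
```

On an installed system the function can be fed `rpm -ql mozplugger` output instead of the samples, and `rpm -qf /usr/lib64/mozilla/plugins` lists every package that claims the directory.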
Comment 16 Matěj Cepl 2009-07-02 00:38:41 EDT
*** Bug 509280 has been marked as a duplicate of this bug. ***
Comment 17 Ngo Than 2009-07-02 10:35:28 EDT
it's fixed in F11 and sadly shows up in F11 update again. It's a regression. I fixed it now and will push mozplugger-1.12.1-2 in F11/F10 update ASAP.
Comment 18 Fedora Update System 2009-07-02 10:56:09 EDT
mozplugger-1.12.1-2.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/mozplugger-1.12.1-2.fc9
Comment 19 Fedora Update System 2009-07-02 10:57:03 EDT
mozplugger-1.12.1-2.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/mozplugger-1.12.1-2.fc10
Comment 20 Fedora Update System 2009-07-02 10:58:07 EDT
mozplugger-1.12.1-2.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/mozplugger-1.12.1-2.fc11
Comment 21 Matěj Cepl 2009-07-02 11:07:13 EDT
(In reply to comment #17)
> it's fixed in F11 and sadly shows up in F11 update again. It's a regression. I
> fixed it now and will push mozplugger-1.12.1-2 in F11/F10 update ASAP.  

This has been actually reopened against F12.
Comment 22 Matěj Cepl 2009-07-02 11:07:39 EDT
Could you check it has been fixed in F12? (Sorry, that's what I meant)
Comment 23 Ngo Than 2009-07-03 10:21:16 EDT
yes, it's fixed in F12
Comment 24 Fedora Update System 2009-07-03 15:48:22 EDT
mozplugger-1.12.1-2.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 25 Fedora Update System 2009-07-03 15:49:14 EDT
mozplugger-1.12.1-2.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 26 Fedora Update System 2009-07-03 15:55:07 EDT
mozplugger-1.12.1-2.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
