Bug 815697 - Adobe Reader not working
Summary: Adobe Reader not working
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 17
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 815787 815852
TreeView+ depends on / blocked
 
Reported: 2012-04-24 09:52 UTC by Susi Lehtola
Modified: 2012-04-24 19:07 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 815787 815852 (view as bug list)
Environment:
Last Closed: 2012-04-24 14:06:41 UTC
Type: Bug

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Susi Lehtola 2012-04-24 09:52:31 UTC 
Adobe Reader is not working in Fedora 17.

$ acroread
/opt/Adobe/Reader9/Reader/intellinux/bin/acroread: error while loading shared libraries: libcrypto.so.0.9.8: cannot enable executable stack as shared object requires: Permission denied

$ ls -lhZ /opt/Adobe/Reader9/Reader/intellinux/bin/
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       acroread
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       SynchronizerApp
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       SynchronizerApp-binary
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       xdg-desktop-icon
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       xdg-desktop-menu
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       xdg-email
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       xdg-icon-resource
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       xdg-mime
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       xdg-open
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       xdg-user-dir
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       xdg-user-dirs-update

Strangely, chcon does not seem to have any effect:

$ sudo chcon -t execmem_exec_t /opt/Adobe/Reader9/Reader/intellinux/bin/acroread
$ ls -lhZ /opt/Adobe/Reader9/Reader/intellinux/bin/
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       acroread
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       SynchronizerApp
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       SynchronizerApp-binary
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       xdg-desktop-icon
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       xdg-desktop-menu
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       xdg-email
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       xdg-icon-resource
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       xdg-mime
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       xdg-open
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       xdg-user-dir
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       xdg-user-dirs-update
Comment 1 Miroslav Grepl 2012-04-24 14:06:41 UTC 
Did you see sealert to this issue? If not, try to check it. It will tell you what to do.

basically you can try to clear execstack flag or change a label.
Comment 2 Susi Lehtola 2012-04-24 16:18:20 UTC 
sealert advises to use execstack, to set allow_execstack, or to report a bug.

Acroread works after installing the generated SELinux module file.
Comment 3 Daniel Walsh 2012-04-24 18:18:50 UTC 
Did you try to see if Adobe has shipped an executable that is marked as needing execstack even though it does not?
Comment 4 Daniel Walsh 2012-04-24 18:19:49 UTC 
You would be more secure without turning on the allow_execstack boolean, but sadly there are lots of apps that mistakenly think they need it or some that actually do.
Comment 5 Susi Lehtola 2012-04-24 19:07:01 UTC 
(In reply to comment #4)
> You would be more secure without turning on the allow_execstack boolean, but
> sadly there are lots of apps that mistakenly think they need it or some that
> actually do.

I installed the module file generated with sealert's help (in the bug report section), so I didn't turn the boolean on.
Note You need to log in before you can comment on or make changes to this bug.