Description of problem:
When you open a PDF in firefox it is shown in the acrobat plugin. If you try to save a copy of the PDF using the button in the plugin you will get a permission denied error even in places like your home directory. Saving with the firefox menu works. However, this is not always possible. For example, there are sites that open the pdf in a frame or otherwise embed it within the page or turn off firefox menus. Then the only way is to use the save button of acrobat reader.

Version-Release number of selected component (if applicable):

How reproducible:
Every time I want to save a copy of the PDF I am viewing.

Steps to Reproduce:
1. Open a PDF file in firefox.
2. Press the save button in the acroread plugin.
3. Select a location in your home directory.
4. Press save.
5. Get error message

Actual results:
It fails to save.

Expected results:
PDF file is saved

Additional info:
Here is a fedoraforum thread about this problem:
http://forums.fedoraforum.org/showthread.php?t=282803

My selinux error is different than the above referenced one. Here is the bug report from sealert:

SELinux is preventing /opt/Adobe/Reader9/Reader/intellinux/bin/acroread from 'create' accesses on the file test.pdf.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that acroread should be allowed create access on the test.pdf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep acroread /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:user_home_dir_t:s0
Target Objects                test.pdf [ file ]
Source                        acroread
Source Path                   /opt/Adobe/Reader9/Reader/intellinux/bin/acroread
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           AdobeReader_enu-9.5.1-1.i486
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-149.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.5.4-1.fc17.x86_64 #1 SMP Mon Sep 17 15:03:59 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    2012-09-27 08:37:20 PDT
Last Seen                     2012-09-27 08:37:20 PDT
Local ID                      a1efa202-49b1-4e08-afe1-0167b0c28331

Raw Audit Messages
type=AVC msg=audit(1348760240.244:11): avc: denied { create } for pid=1895 comm="acroread" name="test.pdf" scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file

type=SYSCALL msg=audit(1348760240.244:11): arch=i386 syscall=fstat per=8 success=no exit=EACCES a0=e4755f8 a1=242 a2=180 a3=e4755f8 items=0 ppid=1875 pid=1895 auid=500 uid=500 gid=501 euid=500 suid=500 fsuid=500 egid=501 sgid=501 fsgid=501 tty=(none) ses=2 comm=acroread exe=/opt/Adobe/Reader9/Reader/intellinux/bin/acroread subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)

Hash: acroread,mozilla_plugin_t,user_home_dir_t,file,create

audit2allow

#============= mozilla_plugin_t ==============
allow mozilla_plugin_t user_home_dir_t:file create;

audit2allow -R

#============= mozilla_plugin_t ==============
allow mozilla_plugin_t user_home_dir_t:file create;

Either remove the mozplugger package by executing
# yum remove mozplugger
or turn off enforcement of SELinux over the Firefox plugins.
# setsebool -P unconfined_mozilla_plugin_transition 0

mozplugger is not installed. I am using the Adobe plugin. So, yum remove mozplugger, as far as I can tell, had no effect. I'm assuming this is NOTABUG because it is intended behavior. In other words, the selinux policy intentionally disables legitimate functionality of a common plugin.

No. We add a protection for these plugins. But some plugins want to add a lot of accesses which we don't want to allow them. For example we don't want to allow plugins to manage common home files.
# sesearch -A -s mozilla_plugin_t -c file -p create
will tell you which files mozilla_plugin_t is able to manage.
So you can turn off this plugin protection using either
# setsebool -P unconfined_mozilla_plugin_transition 0
or allow mozilla plugins to create random content in the user's home directory
# setsebool -P mozilla_plugin_enable_homedirs 1
Also you can read more info using
# man mozilla_selinux

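As an added example (not part of the thread and not Fedora's tooling), the Python below parses the AVC record quoted in the report, rebuilds the sealert hash and the audit2allow rule from it, and reports when the denial is the home-directory case that the comment above handles with a boolean instead of a local policy module. The function names are hypothetical, and the boolean table contains only what this thread states rather than a lookup against the loaded policy.

```python
import re

# AVC record copied from the sealert report in this thread.
SAMPLE_AVC = (
    'type=AVC msg=audit(1348760240.244:11): avc: denied { create } for pid=1895 '
    'comm="acroread" name="test.pdf" '
    'scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file'
)

# Assumption: this table holds only what the thread states (the boolean lets
# plugins create content in the user's home directory); it is not derived
# from the installed policy.
THREAD_BOOLEANS = {("mozilla_plugin_t", "user_home_dir_t"): "mozilla_plugin_enable_homedirs"}

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field (third colon-separated part) of a context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("not a user:role:type[:level] context: %r" % context)
    return parts[2]

def parse_avc(line):
    """Parse one AVC denial into comm, source/target type, class and perms."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC denial record")
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {
        "comm": fields["comm"],
        "source": selinux_type(fields["scontext"]),
        "target": selinux_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "perms": m.group("perms").split(),
    }

def triage(line):
    """Return (sealert-style hash, audit2allow-style rule, boolean or None)."""
    d = parse_avc(line)
    perms = d["perms"]
    # audit2allow writes a single permission bare and several in braces.
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    key = ",".join([d["comm"], d["source"], d["target"], d["tclass"]] + perms)
    rule = "allow %s %s:%s %s;" % (d["source"], d["target"], d["tclass"], perm_text)
    # A boolean named in the thread is preferred over loading a local module.
    return key, rule, THREAD_BOOLEANS.get((d["source"], d["target"]))
```

For the record in the report, `triage(SAMPLE_AVC)` returns the same hash and allow rule that sealert printed, plus `mozilla_plugin_enable_homedirs` as the existing boolean to consider before generating `mypol.pp`.
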
Phil, which plugin did you run other than mozplugger that got acroread to run as a plugin within mozilla? Is acroread itself doing this now?

Ok, a little googling shows that acroread ships with a 32-bit plugin requiring running with nsplugin, which is probably causing this problem. Phil, I would say that setting one of the booleans is the way to go. Either turn off the protection or allow plugins to write any file in your homedir.

about:plugins shows
File: nswrapper_32_64.nppdf.so
So, you are correct. It is the acroread plugin with nswrapper.

Changing bools does not work for me. I get:

sudo setsebool -P mozilla_plugin_enable_homedirs 1
libsepol.scope_copy_callback: entropyd: Duplicate declaration in module: type/attribute entropyd_var_run_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
Could not change policy booleans

I get the same error no matter which boolean I try to change.

semodule -r audio_entropy audioentropy

Looks like you have old cruft on your system.

The system was upgraded from Fedora 13. I don't seem to have audio_entropy loaded. And I still get the same error.

libsemanage.semanage_direct_remove: Module audio_entropy was not found.
libsepol.scope_copy_callback: execmem: Duplicate declaration in module: type/attribute unconfined_execmem_exec_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule: Failed!

I get the same message without audio_entropy not found, if I just do "sudo semodule -r audioentropy"

Phil, do this
# setenforce 0
# rm -rf /etc/selinux/targeted
# yum reinstall selinux-policy-targeted
# restorecon -R -v /etc/selinux/targeted
# setenforce 1

Thanks. After following the instructions in post #9, I can do setsebool now. A note for anyone else who has a similar problem and comes across this... setsebool takes a pretty long time to run. On my core 2 duo e7400, it was at 100% cpu for about 1 minute.