Bug 976500 - selinux-policy(-targeted) prevents kpartsplugin (okular) saving pdfs in Firefox
selinux-policy(-targeted) prevents kpartsplugin (okular) saving pdfs in Firefox
Status: CLOSED CANTFIX
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
17
All Linux
unspecified Severity medium
: ---
: ---
Assigned To: Miroslav Grepl
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-06-20 12:59 EDT by reescf
Modified: 2013-06-21 12:56 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-06-21 08:52:36 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
selinux detailed report of denial (2.60 KB, text/plain)
2013-06-20 13:07 EDT, reescf
no flags Details

  None (edit)
Description reescf 2013-06-20 12:59:56 EDT
Description of problem:

The recent update to selinux-policy causes many more denials. In particular, using Okular with kpartsplugin in Firefox triggers a denial if one tries to save a copy of the PDF. This behaviour is new: previously, this functionality worked fine with the default settings.

The details of the denial show, I think, that it is selinux-policy-targeted which causes the denial. (But I don't know much about selinux yet, I'm afraid.)

Version-Release number of selected component (if applicable):

selinux-policy-3.10.0-169.fc17.noarch
xulrunner-21.0-4.fc17.x86_64

How reproducible:

Happens every time since the update.

Steps to Reproduce:
1. Ensure system is updated and that Firefox, Okular and kpartsplugin are available.
2. Open Firefox.
3. Ensure that Firefox is set to open PDF files with kpartsplugin and that Okular is the default PDF viewer in system settings.
4. In Firefox, find a PDF somewhere.
5. Open the PDF.
6. Save a copy.

Actual results:

The PDF is not downloaded or saved and that an alert is triggered for selinux. (But no permissions error is generated by Okular/Firefox/kpartsplugin.)

Expected results:

Based on previous behaviour, I expected the PDF to be saved. Failing this, I would expect some kind of informative error message from Okular/Firefox/kpartsplugin.

I am not sure whether the change in behaviour is intended or not.

Additional info:

Secondary click on a link to the PDF allows the PDF to be saved in cases where this is permitted by the website concerned. So the issue is not with saving a PDF to e.g. a directory under ~ per se but only doing so via Okular/kpartsplugin.
Comment 1 reescf 2013-06-20 13:07:00 EDT
Created attachment 763532 [details]
selinux detailed report of denial
Comment 2 Daniel Walsh 2013-06-21 08:52:36 EDT
setsebool -P unconfined_mozilla_plugin_transition 0

You will need to turn off the protection if you want to allow plugin applications to write to your homedir.
Comment 3 reescf 2013-06-21 12:56:39 EDT
OK. Thanks. What I did was just follow the instructions in the denial report to adjust the policy. I don't know if that is the same as using setsebool but it seems to work.

I guess the new default policy is just stricter than the old one. Fair enough.

Note You need to log in before you can comment on or make changes to this bug.