Red Hat Bugzilla – Bug 976500
selinux-policy(-targeted) prevents kpartsplugin (okular) saving pdfs in Firefox
Last modified: 2013-06-21 12:56:39 EDT
Description of problem:
The recent update to selinux-policy causes many more denials. In particular, using Okular with kpartsplugin in Firefox triggers a denial if one tries to save a copy of the PDF. This behaviour is new: previously, this functionality worked fine with the default settings.
The details of the denial show, I think, that it is selinux-policy-targeted which causes the denial. (But I don't know much about selinux yet, I'm afraid.)
Version-Release number of selected component (if applicable):
Happens every time since the update.
Steps to Reproduce:
1. Ensure system is updated and that Firefox, Okular and kpartsplugin are available.
2. Open Firefox.
3. Ensure that Firefox is set to open PDF files with kpartsplugin and that Okular is the default PDF viewer in system settings.
4. In Firefox, find a PDF somewhere.
5. Open the PDF.
6. Save a copy.
The PDF is not downloaded or saved and an alert is triggered for selinux. (But no permissions error is generated by Okular/Firefox/kpartsplugin.)
Based on previous behaviour, I expected the PDF to be saved. Failing this, I would expect some kind of informative error message from Okular/Firefox/kpartsplugin.
I am not sure whether the change in behaviour is intended or not.
Secondary click on a link to the PDF allows the PDF to be saved in cases where this is permitted by the website concerned. So the issue is not with saving a PDF to e.g. a directory under ~ per se but only doing so via Okular/kpartsplugin.
Created attachment 763532
selinux detailed report of denial
setsebool -P unconfined_mozilla_plugin_transition 0
You will need to turn off the protection if you want to allow plugin applications to write to your homedir.
OK. Thanks. What I did was just follow the instructions in the denial report to adjust the policy. I don't know if that is the same as using setsebool but it seems to work.
I guess the new default policy is just stricter than the old one. Fair enough.
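
Added example, not part of the original bug thread: a shell function that condenses AVC denial records into one line per source type, target type, class and permission set, so the accesses behind a denial report can be read before choosing between a local policy adjustment and the boolean change suggested above. The log lines are constructed sample data (the attachment's contents are not on this page), and `avc_summary` and `sample_log` are hypothetical names.

```shell
#!/bin/sh
# avc_summary [SOURCE_TYPE]
# Reads audit.log-style text on stdin and prints "<count> <source> -> <target> : <class> { perms }"
# for every distinct AVC denial, optionally limited to one source type.
# On a live system the input could come from: ausearch -m AVC -ts recent
avc_summary() {
    awk -v dom="${1:-}" '
    /avc: +denied/ {
        # Permission list sits between the first pair of braces.
        i = index($0, "{"); j = index($0, "}")
        if (i == 0 || j <= i) next
        perms = substr($0, i + 1, j - i - 1)
        gsub(/^ +| +$/, "", perms)
        s = ""; t = ""; c = ""
        for (n = 1; n <= NF; n++) {
            # An SELinux context is user:role:type:level, so the type is field 3.
            if ($n ~ /^scontext=/)      { split(substr($n, 10), a, ":"); s = a[3] }
            else if ($n ~ /^tcontext=/) { split(substr($n, 10), a, ":"); t = a[3] }
            else if ($n ~ /^tclass=/)   { c = substr($n, 8) }
        }
        if (s == "" || t == "" || c == "") next   # truncated record, skip it
        if (dom != "" && s != dom) next           # not the domain being reviewed
        seen[s " -> " t " : " c " { " perms " }"]++
    }
    END { for (k in seen) print seen[k], k }
    ' | sort
}

# Constructed sample records (not taken from attachment 763532).
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1371747000.101:411): avc:  denied  { write } for  pid=2101 comm="plugin-containe" name="paper.pdf" dev="dm-1" ino=1311 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1371747000.101:411): arch=c000003e syscall=2 success=no exit=-13 comm="plugin-containe"
type=AVC msg=audit(1371747031.554:419): avc:  denied  { write } for  pid=2144 comm="plugin-containe" name="notes.pdf" dev="dm-1" ino=1312 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1371747040.020:422): avc:  denied  { add_name write } for  pid=2144 comm="plugin-containe" name="copy.pdf" scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1371747055.900:430): avc:  denied  { read } for  pid=900 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
EOF
}

# Show only what the plugin domain was denied.
sample_log | avc_summary mozilla_plugin_t
```
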