Bug 976500 - selinux-policy(-targeted) prevents kpartsplugin (okular) saving pdfs in Firefox
Summary: selinux-policy(-targeted) prevents kpartsplugin (okular) saving pdfs in Firefox
Keywords:
Status: CLOSED CANTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 17
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-06-20 16:59 UTC by reescf
Modified: 2013-06-21 16:56 UTC (History)
1 user (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2013-06-21 12:52:36 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)
selinux detailed report of denial (2.60 KB, text/plain)
2013-06-20 17:07 UTC, reescf
no flags Details

Description reescf 2013-06-20 16:59:56 UTC
Description of problem:

The recent update to selinux-policy causes many more denials. In particular, using Okular with kpartsplugin in Firefox triggers a denial if one tries to save a copy of the PDF. This behaviour is new: previously, this functionality worked fine with the default settings.

The details of the denial show, I think, that it is selinux-policy-targeted which causes the denial. (But I don't know much about selinux yet, I'm afraid.)

Version-Release number of selected component (if applicable):

selinux-policy-3.10.0-169.fc17.noarch
xulrunner-21.0-4.fc17.x86_64

How reproducible:

Happens every time since the update.

Steps to Reproduce:
1. Ensure system is updated and that Firefox, Okular and kpartsplugin are available.
2. Open Firefox.
3. Ensure that Firefox is set to open PDF files with kpartsplugin and that Okular is the default PDF viewer in system settings.
4. In Firefox, find a PDF somewhere.
5. Open the PDF.
6. Save a copy.

Actual results:

The PDF is not downloaded or saved and that an alert is triggered for selinux. (But no permissions error is generated by Okular/Firefox/kpartsplugin.)

Expected results:

Based on previous behaviour, I expected the PDF to be saved. Failing this, I would expect some kind of informative error message from Okular/Firefox/kpartsplugin.

I am not sure whether the change in behaviour is intended or not.

Additional info:

Secondary click on a link to the PDF allows the PDF to be saved in cases where this is permitted by the website concerned. So the issue is not with saving a PDF to e.g. a directory under ~ per se but only doing so via Okular/kpartsplugin.

Comment 1 reescf 2013-06-20 17:07:00 UTC
Created attachment 763532 [details]
selinux detailed report of denial

Comment 2 Daniel Walsh 2013-06-21 12:52:36 UTC
setsebool -P unconfined_mozilla_plugin_transition 0

You will need to turn off the protection if you want to allow plugin applications to write to your homedir.

Comment 3 reescf 2013-06-21 16:56:39 UTC
OK. Thanks. What I did was just follow the instructions in the denial report to adjust the policy. I don't know if that is the same as using setsebool but it seems to work.

I guess the new default policy is just stricter than the old one. Fair enough.


Note You need to log in before you can comment on or make changes to this bug.