Re: Firefox Acroread plugin not working

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Monday 24 April 2006 16:27, Paul Howarth wrote:
[...]
>> >
>> >while app-fails-to-run
>> >do
>> > note failing library filename
>> > chcon -t textrel_shlib_t /path/to/libXYZ.so.number
>> >done
>>
>> Where does one find this info since java normally runs silently?  I
>> have copied the java ns7 plugin to the firefox plugins dir, but its
>> still not found, and running firefox from the shell and doing an
>> about:plugins leaves a blank shell when firefox is then quit.
>
>You might find selinux denial messages in /var/log/messages - search
> for the string "avc:  denied" (note the two spaces after the colon).
> You can also check to make sure it's an SELinux problem by doing
> "setenforce 0" and see if there's still a problem.

Yeee Gods, the log is drowning in them, and whats more, logrotate isn't 
rotating the logs.  I thought anacron was supposed to take care of 
that?
Anyway, heres the last few minutes of the log:

Apr 24 18:06:00 diablo kernel: hdc: cdrom_pc_intr: The drive appears 
confused (ireason = 0x01)
Apr 24 18:11:30 diablo kernel: hdc: cdrom_pc_intr: The drive appears 
confused (ireason = 0x01)
Apr 24 18:24:12 diablo kernel: hdc: cdrom_pc_intr: The drive appears 
confused (ireason = 0x01)
Apr 24 18:30:27 diablo kernel: hdc: cdrom_pc_intr: The drive appears 
confused (ireason = 0x01)
Apr 24 18:34:06 diablo kernel: hdc: cdrom_pc_intr: The drive appears 
confused (ireason = 0x01)
Apr 24 18:34:43 diablo kernel: hdc: cdrom_pc_intr: The drive appears 
confused (ireason = 0x01)
Apr 24 18:41:45 diablo kernel: audit(1145918505.112:334): avc:  denied  
{ execmod } for  pid=4250 comm="java" name="libawt.so"
dev=hda5 ino=9561458 scontext=root:system_r:unconfined_t:s0-s0:c0.c255 
tcontext=root:object_r:tmp_t:s0 tclass=file
Apr 24 18:44:24 diablo kernel: hdc: cdrom_pc_intr: The drive appears 
confused (ireason = 0x01)
Apr 24 18:50:45 diablo kernel: hdc: cdrom_pc_intr: The drive appears 
confused (ireason = 0x01)
Apr 24 18:57:43 diablo kernel: hdc: cdrom_pc_intr: The drive appears 
confused (ireason = 0x01)
Apr 24 19:01:01 diablo kernel: audit(1145919661.432:335): avc:  granted  
{ setenforce } for  pid=4383 comm="setenforce" scontex
t=root:system_r:unconfined_t:s0-s0:c0.c255 
tcontext=system_u:object_r:security_t:s0 tclass=security
Apr 24 19:01:29 diablo gconfd (root-4406): starting (version 2.14.0), 
pid 4406 user 'root'
Apr 24 19:01:29 diablo gconfd (root-4406): Resolved address 
"xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only config
uration source at position 0
Apr 24 19:01:29 diablo gconfd (root-4406): Resolved address 
"xml:readwrite:/root/.gconf" to a writable configuration source at
position 1
Apr 24 19:01:29 diablo gconfd (root-4406): Resolved address 
"xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configu
ration source at position 2
Apr 24 19:02:29 diablo gconfd (root-4406): GConf server is not in use, 
shutting down.
Apr 24 19:02:29 diablo gconfd (root-4406): Exiting

>You might also try my Java HOWTO:
>http://www.city-fan.org/tips/JpackageJava

I'll take a look at that.  But first I've got to get logrotate to rotate 
the friggin log, it must be a megabyte or more.  No, actually its 
rapidly approaching 4 megs, dateing back to when I installed FC5 I 
think.  4/16

WTF is this?
[root@diablo etc]# cron.daily/logrotate
error: freshclam:8 unknown user 'clamav'

and it dies instantly.  This is getting frustrating.  According to that 
log I had yum install clamav on the 20th.  If clamav needs a user 
clamav, why the heck didn't make one?  In any event, a yum remove 
clamav fixed that, and logrotate ran normally this time.

Back to a printout of the above link.  I expect to be back.



>
>> >As a matter of interest, a lot of libraries need this treatment;
>> > you can see the ones SELinux already knows about as follows:
>> >
>> ># semanage fcontext -l | grep textrel
>>
>> here, thats VERY limited
>>
>> [root@diablo ~]# semanage fcontext -l |grep texrel
>> /usr(/.*)?/intellinux/plug_ins/.*\.api             regular file
>> system_u:object_r:texrel_shlib_t:s0
>> /usr(/.*)?/intellinux/nppdf\.so                    regular file
>> system_u:object_r:texrel_shlib_t:s0
>> /usr/lib(64)?/libsipphoneapi\.so.*                 regular file
>> system_u:object_r:texrel_shlib_t:s0
>> /usr(/.*)?/intellinux/lib/\.so                     regular file
>> system_u:object_r:texrel_shlib_t:s0
>
>You'll get a much bigger list using "textrel" instead of "texrel".
>
Correct, very voluminous now.

>> Looking in the firefox plugins dir after installing j2se-1.5.0.6 and
>> copying the ns7 version of the libhavaplugins.so
>> to /usr/lib/firefox-version/plugins I see:
>>
>> [root@diablo plugins]# ls -lZ
>> -rwxr-xr-x  root     root     root:object_r:lib_t
>> libjavaplugin_oji.so
>> -rwxr-xr-x  root     root     system_u:object_r:textrel_shlib_t
>> libnullplugin.so
>> -rwxr-xr-x  root     root     system_u:object_r:textrel_shlib_t
>> libunixprintplugin.so
>> -rwxr-xr-x  root     root     system_u:object_r:textrel_shlib_t
>> nppdf.so
>>
>> Now, maybe I'm slow this morning, but my reading of the semanage
>> manpage makes no mention of setting a 'default' that a relabel will
>> leave alone.
>
>Using semanage you can change policy for file contexts amongst other
>things. This affects the contexts applied to files using restorecon
> etc.
>
>> I've used chcon to set libjavaplugin_oji.so to textrel_shlib_t,
>>
>> root@diablo plugins]# ls -lZ
>> -rwxr-xr-x  root     root     root:object_r:textrel_shlib_t
>> libjavaplugin_oji.so
>> -rwxr-xr-x  root     root     system_u:object_r:textrel_shlib_t
>> libnullplugin.so
>> -rwxr-xr-x  root     root     system_u:object_r:textrel_shlib_t
>> libunixprintplugin.so
>> -rwxr-xr-x  root     root     system_u:object_r:textrel_shlib_t
>> nppdf.so
>>
>> but how do I change it from root: to system_u:?  (I'm assuming that
>> will allow all users as opposed to just root to use it)
>
>The "root" doesn't matter. In targeted policy you only need worry
> about the type, not the user.
>
>If you really want to change it though, try:
>
># chcon system_u:object_r:textrel_shlib_t libjavaplugin_oji.so
>
>> And FWIW, This change did not enable java in the firefox plugins
>> listings.
>>
>> And how do we make it permanent in the face of another relabel?
>
>Something like this should work:
>
># semanage fcontext -a -f -- -t textrel_shlib_t \
> '/usr/lib(64)?/firefox.*/plugins/.*\.so'
[root@diablo etc]# semanage fcontext -a -f -- -t textrel_shlib_t \
 '/usr/lib(64)?/firefox.*/plugins/.*\.so'
-bash: /usr/lib(64)?/firefox.*/plugins/.*\.so: No such file or directory

So I went directly to the /usr/lib/firefox-1.5.0.2/plugins dir, stripped 
the path off that command and reran it, and it did change the perms but 
didn't make firefox show me any java stuff in about:plugins.  And it 
logged nothing when I ran firefox.

Thats a real copy of that library, not a link, should that effect it?  
And a setenforce 0 was in effect too.  Just to test I reset setenforce 
to 1, and did a reload on the about:plugins, nothing in the log.

So this would not appear to be just yet, an selinux issue.  So I'll 
chase on down through your tutorial, playing this tune one note at a 
time.



>Paul.

-- 
Cheers, Gene
People having trouble with vz bouncing email to me should add the word
'online' between the 'verizon', and the dot which bypasses vz's
stupid bounce rules.  I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2006 by Maurice Eugene Heskett, all rights reserved.


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux