Selinux attacks acroread again
Paul Howarth
paul at city-fan.org
Thu Apr 13 11:11:53 UTC 2006
Paul Smith wrote:
> On 4/13/06, Paul Howarth <paul at city-fan.org> wrote:
>>> Thanks, Paul. Done so and subsequently:
>>>
>>> # chcon -t texrel_shlib_t
>>> /usr/local/Adobe/Acrobat7.0/Reader/intellinux/lib/libJP2K.so
>>> # chcon -t texrel_shlib_t
>>> /usr/local/Adobe/Acrobat7.0/Reader/intellinux/lib/libCoolType.so
>>>
>>> Acroread shows up, but reporting errors while loading a bunch of
>>> plugins. Any ideas?
>> Did you do:
>>
>> /usr/sbin/semanage fcontext -a -t textrel_shlib_t \
>> '/usr/local/Adobe/Acrobat7.0/Reader/intellinux/SPPlugins/.*\.apl'
>>
>> /usr/sbin/semanage fcontext -a -t textrel_shlib_t \
>> '/usr/local/Adobe/Acrobat7.0/Reader/intellinux/plug_ins/.*\.api'
>>
>> before the restorecon?
>>
>> What's the output of:
>>
>> $ ls -lZ /usr/local/Adobe/Acrobat7.0/Reader/intellinux/*/*.ap*
>
> Yes, I did that before restorecon.
>
> # ls -lZ /usr/local/Adobe/Acrobat7.0/Reader/intellinux/*/
> *.ap*
> -rwxr-xr-x root root system_u:object_r:textrel_shlib_t /usr/local/Adobe
> /Acrobat7.0/Reader/intellinux/plug_ins/Accessibility.api
> -rwxr-xr-x root root system_u:object_r:textrel_shlib_t /usr/local/Adobe
> /Acrobat7.0/Reader/intellinux/plug_ins/AcroForm.api
> -rwxr-xr-x root root system_u:object_r:textrel_shlib_t /usr/local/Adobe
> /Acrobat7.0/Reader/intellinux/plug_ins/Annots.api
> -rwxr-xr-x root root system_u:object_r:textrel_shlib_t /usr/local/Adobe
> /Acrobat7.0/Reader/intellinux/plug_ins/checkers.api
> -rwxr-xr-x root root system_u:object_r:textrel_shlib_t /usr/local/Adobe
> /Acrobat7.0/Reader/intellinux/plug_ins/DigSig.api
> -rwxr-xr-x root root system_u:object_r:textrel_shlib_t /usr/local/Adobe
> /Acrobat7.0/Reader/intellinux/plug_ins/EFS.api
> -rwxr-xr-x root root system_u:object_r:textrel_shlib_t /usr/local/Adobe
> /Acrobat7.0/Reader/intellinux/plug_ins/EScript.api
> -rwxr-xr-x root root system_u:object_r:textrel_shlib_t /usr/local/Adobe
> /Acrobat7.0/Reader/intellinux/plug_ins/ewh.api
> -rwxr-xr-x root root system_u:object_r:textrel_shlib_t
> /usr/local/Adobe
> /Acrobat7.0/Reader/intellinux/plug_ins/LegalPDF.api
> -rwxr-xr-x root root system_u:object_r:textrel_shlib_t
> /usr/local/Adobe
> /Acrobat7.0/Reader/intellinux/plug_ins/MakeAccessible.api
> -rwxr-xr-x root root system_u:object_r:textrel_shlib_t
> /usr/local/Adobe
> /Acrobat7.0/Reader/intellinux/plug_ins/PDDom.api
> -rwxr-xr-x root root system_u:object_r:textrel_shlib_t
> /usr/local/Adobe
> /Acrobat7.0/Reader/intellinux/plug_ins/PPKLite.api
> -rwxr-xr-x root root system_u:object_r:textrel_shlib_t
> /usr/local/Adobe
> /Acrobat7.0/Reader/intellinux/plug_ins/SaveAsRTF.api
> -rwxr-xr-x root root system_u:object_r:textrel_shlib_t
> /usr/local/Adobe
> /Acrobat7.0/Reader/intellinux/plug_ins/SearchFind.api
> -rwxr-xr-x root root system_u:object_r:textrel_shlib_t
> /usr/local/Adobe
> /Acrobat7.0/Reader/intellinux/plug_ins/SendMail.api
> -rwxr-xr-x root root system_u:object_r:textrel_shlib_t
> /usr/local/Adobe
> /Acrobat7.0/Reader/intellinux/plug_ins/SOAP.api
> -rwxr-xr-x root root system_u:object_r:textrel_shlib_t
> /usr/local/Adobe
> /Acrobat7.0/Reader/intellinux/plug_ins/Spelling.api
> -rwxr-xr-x root root system_u:object_r:textrel_shlib_t
> /usr/local/Adobe
> /Acrobat7.0/Reader/intellinux/plug_ins/wwwlink.api
> -rwxr-xr-x root root system_u:object_r:textrel_shlib_t
> /usr/local/Adobe
> /Acrobat7.0/Reader/intellinux/SPPlugins/ADMPlugin.apl
They all look ok; does it work with SELinux in permissive mode?
Try:
# setenforce 0
If it still doesn't work, the problem's not SELinux.
If it does, look for the SELinux denials in /var/log/messages or
/var/log/audit/audit.log
# setforce 1
will turn enforcing mode back on.
Paul.
More information about the fedora-list
mailing list