Selinux attacks acroread again

Paul Howarth paul at city-fan.org
Thu Apr 13 11:47:28 UTC 2006


Paul Smith wrote:
> On 4/13/06, Paul Howarth <paul at city-fan.org> wrote:
>>>>> Thanks, Paul. Done so and subsequently:
>>>>>
>>>>> # chcon -t texrel_shlib_t /usr/local/Adobe/Acrobat7.0/Reader/intellinux/lib/libJP2K.so
>>>>> # chcon -t texrel_shlib_t /usr/local/Adobe/Acrobat7.0/Reader/intellinux/lib/libCoolType.so
>>>>>
>>>>> Acroread shows up, but reporting errors while loading a bunch of
>>>>> plugins. Any ideas?
>>>> Did you do:
>>>>
>>>> /usr/sbin/semanage fcontext -a -t textrel_shlib_t \
>>>> '/usr/local/Adobe/Acrobat7.0/Reader/intellinux/SPPlugins/.*\.apl'
>>>>
>>>> /usr/sbin/semanage fcontext -a -t textrel_shlib_t \
>>>> '/usr/local/Adobe/Acrobat7.0/Reader/intellinux/plug_ins/.*\.api'
>>>>
>>>> before the restorecon?
>>>>
>>>> What's the output of:
>>>>
>>>> $ ls -lZ /usr/local/Adobe/Acrobat7.0/Reader/intellinux/*/*.ap*
>>> Yes, I did that before restorecon.
>>>
>>> # ls -lZ /usr/local/Adobe/Acrobat7.0/Reader/intellinux/*/*.ap*
>>> -rwxr-xr-x  root     root     system_u:object_r:textrel_shlib_t /usr/local/Adobe/Acrobat7.0/Reader/intellinux/plug_ins/Accessibility.api
>>> -rwxr-xr-x  root     root     system_u:object_r:textrel_shlib_t /usr/local/Adobe/Acrobat7.0/Reader/intellinux/plug_ins/AcroForm.api
>>> -rwxr-xr-x  root     root     system_u:object_r:textrel_shlib_t /usr/local/Adobe/Acrobat7.0/Reader/intellinux/plug_ins/Annots.api
>>> -rwxr-xr-x  root     root     system_u:object_r:textrel_shlib_t /usr/local/Adobe/Acrobat7.0/Reader/intellinux/plug_ins/checkers.api
>>> -rwxr-xr-x  root     root     system_u:object_r:textrel_shlib_t /usr/local/Adobe/Acrobat7.0/Reader/intellinux/plug_ins/DigSig.api
>>> -rwxr-xr-x  root     root     system_u:object_r:textrel_shlib_t /usr/local/Adobe/Acrobat7.0/Reader/intellinux/plug_ins/EFS.api
>>> -rwxr-xr-x  root     root     system_u:object_r:textrel_shlib_t /usr/local/Adobe/Acrobat7.0/Reader/intellinux/plug_ins/EScript.api
>>> -rwxr-xr-x  root     root     system_u:object_r:textrel_shlib_t /usr/local/Adobe/Acrobat7.0/Reader/intellinux/plug_ins/ewh.api
>>> -rwxr-xr-x  root     root     system_u:object_r:textrel_shlib_t /usr/local/Adobe/Acrobat7.0/Reader/intellinux/plug_ins/LegalPDF.api
>>> -rwxr-xr-x  root     root     system_u:object_r:textrel_shlib_t /usr/local/Adobe/Acrobat7.0/Reader/intellinux/plug_ins/MakeAccessible.api
>>> -rwxr-xr-x  root     root     system_u:object_r:textrel_shlib_t /usr/local/Adobe/Acrobat7.0/Reader/intellinux/plug_ins/PDDom.api
>>> -rwxr-xr-x  root     root     system_u:object_r:textrel_shlib_t /usr/local/Adobe/Acrobat7.0/Reader/intellinux/plug_ins/PPKLite.api
>>> -rwxr-xr-x  root     root     system_u:object_r:textrel_shlib_t /usr/local/Adobe/Acrobat7.0/Reader/intellinux/plug_ins/SaveAsRTF.api
>>> -rwxr-xr-x  root     root     system_u:object_r:textrel_shlib_t /usr/local/Adobe/Acrobat7.0/Reader/intellinux/plug_ins/SearchFind.api
>>> -rwxr-xr-x  root     root     system_u:object_r:textrel_shlib_t /usr/local/Adobe/Acrobat7.0/Reader/intellinux/plug_ins/SendMail.api
>>> -rwxr-xr-x  root     root     system_u:object_r:textrel_shlib_t /usr/local/Adobe/Acrobat7.0/Reader/intellinux/plug_ins/SOAP.api
>>> -rwxr-xr-x  root     root     system_u:object_r:textrel_shlib_t /usr/local/Adobe/Acrobat7.0/Reader/intellinux/plug_ins/Spelling.api
>>> -rwxr-xr-x  root     root     system_u:object_r:textrel_shlib_t /usr/local/Adobe/Acrobat7.0/Reader/intellinux/plug_ins/wwwlink.api
>>> -rwxr-xr-x  root     root     system_u:object_r:textrel_shlib_t /usr/local/Adobe/Acrobat7.0/Reader/intellinux/SPPlugins/ADMPlugin.apl
>> They all look ok; does it work with SELinux in permissive mode?
>>
>> Try:
>> # setenforce 0
>>
>> If it still doesn't work, the problem's not SELinux.
>>
>> If it does, look for the SELinux denials in /var/log/messages or
>> /var/log/audit/audit.log
>>
>> # setenforce 1
>> will turn enforcing mode back on.
> 
> Yes, 'setenforce 0' does make a difference. How can I quickly do the
> suggested inspection into /var/log/messages and
> /var/log/audit/audit.log?

Try:

# grep -F 'avc:  denied' /var/log/audit/audit.log /var/log/messages

Note that there are two spaces between "avc:" and "denied".

This will probably produce a lot of output. Please try to trim it down 
to the last bits that appear relevant to the problem.

Paul.
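
One way to trim the grep output above down to the denials for a single program, as an added example that is not part of the original thread. The function names `summarize_denials` and `sample_log`, and the log lines themselves, are constructed for illustration; on a real system pass /var/log/audit/audit.log and /var/log/messages as file arguments.

```shell
#!/bin/sh
# Added example: collapse 'avc:  denied' records for one command into
# unique (permission, class, target context, file name) tuples with counts.

# Constructed sample records (not taken from any real system).
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1144928401.100:21): avc:  denied  { execmod } for  pid=2345 comm="acroread" name="example.api" dev=hda2 ino=1001 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file
type=AVC msg=audit(1144928402.100:22): avc:  denied  { execmod } for  pid=2345 comm="acroread" name="example.api" dev=hda2 ino=1001 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file
type=AVC msg=audit(1144928403.100:23): avc:  denied  { read } for  pid=900 comm="httpd" name="index.html" dev=hda2 ino=2002 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
type=AVC msg=audit(1144928404.100:24): avc:  granted  { setenforce } for  pid=3000 comm="setenforce" scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
Apr 13 12:40:05 localhost kernel: audit(1144928405.100:25): avc:  denied  { execmod } for  pid=2346 comm="acroread" name="example.so" dev=hda2 ino=1002 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file
EOF
}

# Usage: summarize_denials COMM [FILE...]   (reads stdin when no FILE given)
# Output columns (tab separated): count, permissions, class, tcontext, name
summarize_denials() {
    comm=$1; shift
    # Two spaces between "avc:" and "denied", as in the kernel's message.
    grep -hF 'avc:  denied' "$@" |
    awk -v want="comm=\"$comm\"" '
        index($0, want) == 0 { next }          # keep only the requested command
        {
            perms = name = tcon = tcls = "?"
            # Permissions are the text between "{ " and " }".
            if (match($0, /[{] [^}]* [}]/))
                perms = substr($0, RSTART + 2, RLENGTH - 4)
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^name=/)     name = substr($i, 6)
                if ($i ~ /^tcontext=/) tcon = substr($i, 10)
                if ($i ~ /^tclass=/)   tcls = substr($i, 8)
            }
            gsub(/"/, "", name)
            count[perms "\t" tcls "\t" tcon "\t" name]++
        }
        END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' | sort -t "$(printf '\t')" -k1,1nr -k2
}

# Demonstration on the constructed sample.
sample_log | summarize_denials acroread
```

The target context column shows which files still carry a label the policy refuses, which is the part worth posting back to the list.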



