Bug 187619 - selinux does not allow firefox plugin for Adobe Reader nppdf.so to run
selinux does not allow firefox plugin for Adobe Reader nppdf.so to run
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
7
i686 Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
: Reopened
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-04-01 18:00 EST by John Griffiths
Modified: 2007-12-21 18:02 EST (History)
2 users (show)

See Also:
Fixed In Version: 2.6.4-60.fc7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-12-21 18:02:30 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description John Griffiths 2006-04-01 18:00:26 EST
Description of problem:
firefox plugin for Adobe Reader nppdf.so will not run.


Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1. Install Adobe Reader plugin (nppdf.so) in firefox.
2. Disable mozplugger from running pdf applications if installed
3. Run firefox
4. check plugins using about:plugins
5. Adobe Reader is not listed.
  
Actual results:
Adobe Reader is not listed. pdf files cannot be opened with Adobe Reader.

Expected results:
Adobe Reader should be listed. pdf files should be opened with Adobe Reader.


Additional info:
This can be worked around by using:
    chcon -t textrel_shlib_t nppdf.so
in the firefox plugins directory.
Comment 1 Fred New 2006-04-02 15:40:49 EDT
Adobe Reader 7.0.5 is running on my FC5 system both as a Firefox plugin and for
reading local PDF files.  My current policy is selinux-policy-targeted-2.2.25-3.fc5.

After installing the AdobeReader_enu RPM, I ran the install_browser_plugin
script in /usr/local/Adobe/Acrobat7.0/Browser, which essentially does a
     cp /usr/local/Adobe/Acrobat7.0/Browser/intellinux/nppdf.so \
        /usr/lib/mozilla/plugins
Then I made sure the context was set correctly with
     restorecon /usr/lib/mozilla/plugins/nppdf.so
But this doesn't look like it changes much with the current policy.  Right now,
the nppdf.so file is labeled "user_u:object_r:lib_t".  I believe its type was
textrel_shlib_t with the previous policy.

I had to turn on the allow_execmod boolean to get the acroread program to work
with local PDF files:
     setsebool -P allow_execmod 1

And a minute ago, I confirmed that the Firefox plugin and acroread are both
working with the current targeted policy.  I usually test the plugin by going to
www.irs.gov and viewing the 1040 form - easy to remember. :-)
Comment 2 Fred New 2006-04-02 16:42:24 EDT
Oops, sorry, I didn't read John's last paragraph.  It looks like the
allow_execmod boolean was working around the problem on my system.

In the meantime, I have found that
    restorecon /usr/lib/mozilla/plugins/nppdf.so
sets a type of textrel_shlib_t with both
     selinux-policy-targeted-2.2.25-3.fc5 and
     selinux-policy-targeted-2.2.25-2.fc5.
But I don't think you can get acroread to work without the boolean change,
unless you change a lot more library files to textrel_shlib_t.
Comment 3 John Griffiths 2006-04-02 21:01:57 EDT
That is covered in Bugzilla 187596
Comment 4 Daniel Walsh 2006-04-03 11:27:45 EDT
fixed in selinux-policy-2.2.29-2.fc5
Comment 5 John Griffiths 2006-04-09 23:42:02 EDT
When is selinux-policy-2.2.29-2.fc5 going to be available. I have tried using
yum update and it does not update the policy.
Comment 6 John Griffiths 2006-04-10 08:48:03 EDT
Duh. I found it in the development repo.

I had relabled the files using chcon. After installing selinux-policy.noarch
0:2.2.29-4 which is the current in development, niether acroread or the Firefox
plugin, nppdf.so, worked.

Also, I found that just doing chcon on nppdf.so does not work unless the context
for all the Adobe reader libs and api have had their context changed.
Comment 7 John Griffiths 2006-04-10 18:13:16 EDT
Forgot to post that I have the tar ball installed and not the rpm from RedHat,
so Firefox is in /usr/local/firefox .
Comment 9 Daniel Walsh 2006-05-05 11:02:22 EDT
Closing as these have been marked as modified, for a while.  Feel free to reopen
if not fixed
Comment 10 John Griffiths 2006-05-08 11:48:32 EDT
This may be fixed if using the distro firefox rpm. I cannot confirm or deny.

This is not fixed in the current policy if the install from Mozilla for Firefox
is used instead of the distro rpm. The common place to put the plugins is in
/usr/local/firefox/plugins when using the Mozilla distribution.

Currently using selinux-policy-2.2.34-3.fc5

Close again if the non rpm location is not going to be fixed. If it is not going
to be fixed in the non rpm location, then I think a FAQ note to what to do for
Firefox plugins that reside in /usr/local/firefox/plugins.
Comment 11 Daniel Walsh 2006-05-08 15:25:37 EDT
Fixed in selinux-policy-2.2.38-1.fc5
Comment 12 John Griffiths 2006-05-08 16:15:01 EDT
Where is selinux-policy-2.2.38-1.fc5?

Newest I can find with yum is 
selinux-policy.noarch                    2.2.37-1               development
Comment 13 Daniel Walsh 2006-05-09 09:08:04 EDT
Should be in fedora testing tonight.
Comment 14 Orion Poplawski 2007-11-07 16:47:00 EST
New adobe reader 8.1.1 package is out for Linux, with yet another location for
nppdf.so:

/opt/Adobe/Reader8/Browser/intellinux/nppdf.so

At least now Firefox will launch a separate acroread process if the plugin fails.
Comment 15 Daniel Walsh 2007-11-07 17:09:01 EST
Fixed in selinux-policy-3.0.8-47.fc8.src.rpm
Comment 16 Daniel Walsh 2007-11-07 17:24:34 EST
Should say 48 not 47
Comment 17 Orion Poplawski 2007-11-08 11:32:32 EST
Can we get this fixed in F7 too?
Comment 18 Daniel Walsh 2007-11-08 16:07:25 EST
Fixed in 2.6.4-55.fc7
Comment 19 Orion Poplawski 2007-11-19 11:28:42 EST
(In reply to comment #18)
> Fixed in 2.6.4-55.fc7

Really?

# rpm -q selinux-policy
selinux-policy-2.6.4-57.fc7
# restorecon -r -v /opt/Adobe/
# ls -lZ /opt/Adobe/Reader8/Browser/intellinux/nppdf.so
-rwxr-xr-x  root root system_u:object_r:usr_t
/opt/Adobe/Reader8/Browser/intellinux/nppdf.so
Comment 20 Daniel Walsh 2007-11-19 12:15:37 EST
That is strange.


grep Adobe /etc/selinux/targeted/contexts/files/*
Comment 21 Orion Poplawski 2007-11-19 12:22:31 EST
/etc/selinux/targeted/contexts/files/file_contexts:/usr/(local/)?Adobe/.*\.api 
--      system_u:object_r:textrel_shlib_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so
--      system_u:object_r:textrel_shlib_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/*
       --      system_u:object_r:textrel_shlib_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)*
     --      system_u:object_r:textrel_shlib_t:s0

# rpm -Va selinux-policy\*
#
Comment 22 Daniel Walsh 2007-11-26 11:46:51 EST
Fixed in selinux-policy-2.6.4-59.fc7
Comment 23 Orion Poplawski 2007-12-06 11:57:19 EST
Indeed, but:

  Updating  : selinux-policy-targeted      ######################### [2/4]
/etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications
for /opt/Adobe(/.*?)/nppdf\.so.
/etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications
for /opt/Adobe(/.*?)/nppdf\.so.


Line is duplicated in file_contexts.
Comment 24 Daniel Walsh 2007-12-06 13:40:23 EST
Yes I fixed this in selinux-policy-2.6.4-60.fc7

Note You need to log in before you can comment on or make changes to this bug.