Bug 187619 - selinux does not allow firefox plugin for Adobe Reader nppdf.so to run
Summary: selinux does not allow firefox plugin for Adobe Reader nppdf.so to run
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 7
Hardware: i686
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2006-04-01 23:00 UTC by John Griffiths
Modified: 2007-12-21 23:02 UTC (History)
2 users (show)

Fixed In Version: 2.6.4-60.fc7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-12-21 23:02:30 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description John Griffiths 2006-04-01 23:00:26 UTC
Description of problem:
firefox plugin for Adobe Reader nppdf.so will not run.


Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1. Install Adobe Reader plugin (nppdf.so) in firefox.
2. Disable mozplugger from running pdf applications if installed
3. Run firefox
4. check plugins using about:plugins
5. Adobe Reader is not listed.
  
Actual results:
Adobe Reader is not listed. pdf files cannot be opened with Adobe Reader.

Expected results:
Adobe Reader should be listed. pdf files should be opened with Adobe Reader.


Additional info:
This can be worked around by using:
    chcon -t textrel_shlib_t nppdf.so
in the firefox plugins directory.

Comment 1 Fred New 2006-04-02 19:40:49 UTC
Adobe Reader 7.0.5 is running on my FC5 system both as a Firefox plugin and for
reading local PDF files.  My current policy is selinux-policy-targeted-2.2.25-3.fc5.

After installing the AdobeReader_enu RPM, I ran the install_browser_plugin
script in /usr/local/Adobe/Acrobat7.0/Browser, which essentially does a
     cp /usr/local/Adobe/Acrobat7.0/Browser/intellinux/nppdf.so \
        /usr/lib/mozilla/plugins
Then I made sure the context was set correctly with
     restorecon /usr/lib/mozilla/plugins/nppdf.so
But this doesn't look like it changes much with the current policy.  Right now,
the nppdf.so file is labeled "user_u:object_r:lib_t".  I believe its type was
textrel_shlib_t with the previous policy.

I had to turn on the allow_execmod boolean to get the acroread program to work
with local PDF files:
     setsebool -P allow_execmod 1

And a minute ago, I confirmed that the Firefox plugin and acroread are both
working with the current targeted policy.  I usually test the plugin by going to
www.irs.gov and viewing the 1040 form - easy to remember. :-)

Comment 2 Fred New 2006-04-02 20:42:24 UTC
Oops, sorry, I didn't read John's last paragraph.  It looks like the
allow_execmod boolean was working around the problem on my system.

In the meantime, I have found that
    restorecon /usr/lib/mozilla/plugins/nppdf.so
sets a type of textrel_shlib_t with both
     selinux-policy-targeted-2.2.25-3.fc5 and
     selinux-policy-targeted-2.2.25-2.fc5.
But I don't think you can get acroread to work without the boolean change,
unless you change a lot more library files to textrel_shlib_t.

Comment 3 John Griffiths 2006-04-03 01:01:57 UTC
That is covered in Bugzilla 187596

Comment 4 Daniel Walsh 2006-04-03 15:27:45 UTC
fixed in selinux-policy-2.2.29-2.fc5

Comment 5 John Griffiths 2006-04-10 03:42:02 UTC
When is selinux-policy-2.2.29-2.fc5 going to be available. I have tried using
yum update and it does not update the policy.

Comment 6 John Griffiths 2006-04-10 12:48:03 UTC
Duh. I found it in the development repo.

I had relabled the files using chcon. After installing selinux-policy.noarch
0:2.2.29-4 which is the current in development, niether acroread or the Firefox
plugin, nppdf.so, worked.

Also, I found that just doing chcon on nppdf.so does not work unless the context
for all the Adobe reader libs and api have had their context changed.

Comment 7 John Griffiths 2006-04-10 22:13:16 UTC
Forgot to post that I have the tar ball installed and not the rpm from RedHat,
so Firefox is in /usr/local/firefox .

Comment 9 Daniel Walsh 2006-05-05 15:02:22 UTC
Closing as these have been marked as modified, for a while.  Feel free to reopen
if not fixed

Comment 10 John Griffiths 2006-05-08 15:48:32 UTC
This may be fixed if using the distro firefox rpm. I cannot confirm or deny.

This is not fixed in the current policy if the install from Mozilla for Firefox
is used instead of the distro rpm. The common place to put the plugins is in
/usr/local/firefox/plugins when using the Mozilla distribution.

Currently using selinux-policy-2.2.34-3.fc5

Close again if the non rpm location is not going to be fixed. If it is not going
to be fixed in the non rpm location, then I think a FAQ note to what to do for
Firefox plugins that reside in /usr/local/firefox/plugins.

Comment 11 Daniel Walsh 2006-05-08 19:25:37 UTC
Fixed in selinux-policy-2.2.38-1.fc5

Comment 12 John Griffiths 2006-05-08 20:15:01 UTC
Where is selinux-policy-2.2.38-1.fc5?

Newest I can find with yum is 
selinux-policy.noarch                    2.2.37-1               development


Comment 13 Daniel Walsh 2006-05-09 13:08:04 UTC
Should be in fedora testing tonight.

Comment 14 Orion Poplawski 2007-11-07 21:47:00 UTC
New adobe reader 8.1.1 package is out for Linux, with yet another location for
nppdf.so:

/opt/Adobe/Reader8/Browser/intellinux/nppdf.so

At least now Firefox will launch a separate acroread process if the plugin fails.

Comment 15 Daniel Walsh 2007-11-07 22:09:01 UTC
Fixed in selinux-policy-3.0.8-47.fc8.src.rpm


Comment 16 Daniel Walsh 2007-11-07 22:24:34 UTC
Should say 48 not 47

Comment 17 Orion Poplawski 2007-11-08 16:32:32 UTC
Can we get this fixed in F7 too?

Comment 18 Daniel Walsh 2007-11-08 21:07:25 UTC
Fixed in 2.6.4-55.fc7

Comment 19 Orion Poplawski 2007-11-19 16:28:42 UTC
(In reply to comment #18)
> Fixed in 2.6.4-55.fc7

Really?

# rpm -q selinux-policy
selinux-policy-2.6.4-57.fc7
# restorecon -r -v /opt/Adobe/
# ls -lZ /opt/Adobe/Reader8/Browser/intellinux/nppdf.so
-rwxr-xr-x  root root system_u:object_r:usr_t
/opt/Adobe/Reader8/Browser/intellinux/nppdf.so


Comment 20 Daniel Walsh 2007-11-19 17:15:37 UTC
That is strange.


grep Adobe /etc/selinux/targeted/contexts/files/*


Comment 21 Orion Poplawski 2007-11-19 17:22:31 UTC
/etc/selinux/targeted/contexts/files/file_contexts:/usr/(local/)?Adobe/.*\.api 
--      system_u:object_r:textrel_shlib_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so
--      system_u:object_r:textrel_shlib_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/*
       --      system_u:object_r:textrel_shlib_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)*
     --      system_u:object_r:textrel_shlib_t:s0

# rpm -Va selinux-policy\*
#

Comment 22 Daniel Walsh 2007-11-26 16:46:51 UTC
Fixed in selinux-policy-2.6.4-59.fc7

Comment 23 Orion Poplawski 2007-12-06 16:57:19 UTC
Indeed, but:

  Updating  : selinux-policy-targeted      ######################### [2/4]
/etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications
for /opt/Adobe(/.*?)/nppdf\.so.
/etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications
for /opt/Adobe(/.*?)/nppdf\.so.


Line is duplicated in file_contexts.

Comment 24 Daniel Walsh 2007-12-06 18:40:23 UTC
Yes I fixed this in selinux-policy-2.6.4-60.fc7


Note You need to log in before you can comment on or make changes to this bug.