SELinux and NSS [was: Problem with NSS update - Firefox, Evolution]

Jonathan Berry berryja at gmail.com
Sat Jan 28 20:49:32 UTC 2006


On 1/28/06, Jonathan Berry <berryja at gmail.com> wrote:
> On 1/28/06, Jonathan Berry <berryja at gmail.com> wrote:
> > Hi all,
> >
> > I just installed FC5T2 x86_64 to test it out.  Install went smoothly
> > and I just finished up all the updates.   I seem to be having an issue
> > with the NSS update:
> > # grep -i nss /var/log/yum.log
> > Jan 28 00:06:03 Updated: nss.x86_64 3.11-3
> > Jan 28 00:07:25 Updated: nss.i386 3.11-3
> > Jan 28 00:20:14 Updated: nss_ldap.i386 248-1
> > Jan 28 00:20:18 Updated: nss_ldap.x86_64 248-1
> >
> > I have seen two symptoms of some problem thus far in Firefox and
> > Evolution.  Firefox starts with a warning that it could not initialize
> > the security component (something to that effect) and gives some
> > statement that it could be a file permissions problem in the profile
> > directory.  Perms look to be okay in ~/.mozilla/firefox/ and I get no
> > SELinux or other messages.  Evolution flat refuses to run.  The
> > problem is more apparent from the command line:
> > $ evolution
> > (evolution:3437): evolution-smime-WARNING **: Failed all methods for
> > initializing NSS
> > (evolution:3437): camel-WARNING **: Failed to initialize NSS
> >
> > Any ideas?  Time for a bugzilla entry? (probably after I sleep some...)
>
> More information...
>
> I just tried reinstalling the original nss packages and I am still
> having issues.  Firefox gives the security warning and will not do any
> ssl stuff (not good!) and evolution will not start.
> $ rpm -qa nss{,_ldap}
> nss_ldap-244-2.1.x86_64
> nss-3.11-2.x86_64
> nss_ldap-244-2.1.i386
> nss-3.11-2.i386
>
> I've tried rebooting and even booting the original kernel and get the
> same results.  Is anyone else seeing this?

Okay, well, I keep responding to myself...

This now seems to be related to SELinux somehow.  If I issue a
"setenforce 0" command, then Firefox and SSL work just fine, Evolution
starts, and all is well.  With enforcing disabled, when I start
Firefox or Evolution, I get some "avc:  granted  { execmem }" messages
in audit.log relating to the programs.  Unfortunately, I do not get
any failure or otherwise messages in audit.log when SELinux is on. 
FC5T2 x86_64 fully updated as of today.
$  rpm -qa | grep selinux
libselinux-devel-1.29.6-1.x86_64
libselinux-python-1.29.6-1.x86_64
selinux-policy-2.2.8-1.noarch
selinux-policy-targeted-2.2.8-1.noarch
libselinux-1.29.6-1.x86_64
libselinux-1.29.6-1.i386

Below I will post the AVC messages that I get when starting Evolution
and Firefox with SELinux off.  I do not get any messages with SELinux
enabled (ie, enforcing).  I'll also give the ls -Z output for the NSS
stuff.  Is no one else seeing this?  Should I go ahead and bugzilla
this (now that I can actually access https, heh)?

Jonathan

Lots of info follows.

$ ls -Z `rpm -ql nss`
-rw-r--r--  root     root     system_u:object_r:lib_t          /usr/lib64/libfreebl3.chk
-rw-r--r--  root     root     system_u:object_r:lib_t          /usr/lib64/libfreebl3.so
-rw-r--r--  root     root     system_u:object_r:lib_t          /usr/lib64/libnss3.so
-rw-r--r--  root     root     system_u:object_r:lib_t          /usr/lib64/libnssckbi.so
-rw-r--r--  root     root     system_u:object_r:lib_t          /usr/lib64/libsmime3.so
-rw-r--r--  root     root     system_u:object_r:lib_t          /usr/lib64/libsoftokn3.chk
-rw-r--r--  root     root     system_u:object_r:lib_t          /usr/lib64/libsoftokn3.so
-rw-r--r--  root     root     system_u:object_r:lib_t          /usr/lib64/libssl3.so
-rw-r--r--  root     root     system_u:object_r:lib_t          /usr/lib/libfreebl3.chk
-rw-r--r--  root     root     system_u:object_r:lib_t          /usr/lib/libfreebl3.so
-rw-r--r--  root     root     system_u:object_r:lib_t          /usr/lib/libnss3.so
-rw-r--r--  root     root     system_u:object_r:lib_t          /usr/lib/libnssckbi.so
-rw-r--r--  root     root     system_u:object_r:lib_t          /usr/lib/libsmime3.so
-rw-r--r--  root     root     system_u:object_r:lib_t          /usr/lib/libsoftokn3.chk
-rw-r--r--  root     root     system_u:object_r:lib_t          /usr/lib/libsoftokn3.so
-rw-r--r--  root     root     system_u:object_r:lib_t          /usr/lib/libssl3.so

$ ls -Z `rpm -ql nss_ldap`
-rw-r--r--  root     root     system_u:object_r:etc_t          /etc/ldap.conf
-rw-r--r--  root     root     system_u:object_r:etc_t          /etc/ldap.conf
-rwxr-xr-x  root     root     system_u:object_r:lib_t          /lib64/libnss_ldap-2.3.90.so
lrwxrwxrwx  root     root     system_u:object_r:lib_t          /lib64/libnss_ldap.so.2 -> libnss_ldap-2.3.90.so
-rwxr-xr-x  root     root     system_u:object_r:lib_t          /lib64/security/pam_ldap.so
-rwxr-xr-x  root     root     system_u:object_r:lib_t          /lib/libnss_ldap-2.3.90.so
lrwxrwxrwx  root     root     system_u:object_r:lib_t          /lib/libnss_ldap.so.2 -> libnss_ldap-2.3.90.so
-rwxr-xr-x  root     root     system_u:object_r:lib_t          /lib/security/pam_ldap.so
lrwxrwxrwx  root     root     system_u:object_r:lib_t          /usr/lib64/libnss_ldap.so -> ../../lib64/libnss_ldap.so.2
lrwxrwxrwx  root     root     system_u:object_r:lib_t          /usr/lib/libnss_ldap.so -> ../../lib/libnss_ldap.so.2
[... snip tons more files with perms: -rw-r--r--  root     root     system_u:object_r:usr_t]

I get the following AVC messages when starting Evolution with SELinux off:
type=AVC msg=audit(1138480597.454:108): avc:  granted  { execmem } for pid=3745 comm="evolution" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480597.454:108): arch=c000003e syscall=10 success=yes exit=0 a0=7fffffce9000 a1=1000 a2=1000007 a3=4 items=0 pid=3745 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="evolution" exe="/usr/bin/evolution-2.6"
type=AVC msg=audit(1138480597.558:109): avc:  granted  { execmem } for pid=3745 comm="evolution" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480597.558:109): arch=c000003e syscall=9 success=yes exit=1073741824 a0=0 a1=a01000 a2=7 a3=62 items=0 pid=3745 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="evolution" exe="/usr/bin/evolution-2.6"
type=AVC msg=audit(1138480597.590:110): avc:  granted  { execmem } for pid=3761 comm="evolution" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480597.590:110): arch=c000003e syscall=9 success=yes exit=1084231680 a0=0 a1=a01000 a2=7 a3=62 items=0 pid=3761 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="evolution" exe="/usr/bin/evolution-2.6"
type=AVC msg=audit(1138480597.630:111): avc:  granted  { execmem } for pid=3745 comm="evolution" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480597.630:111): arch=c000003e syscall=9 success=yes exit=1094721536 a0=0 a1=a01000 a2=7 a3=62 items=0 pid=3745 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="evolution" exe="/usr/bin/evolution-2.6"
type=AVC msg=audit(1138480598.770:112): avc:  granted  { execmem } for pid=3745 comm="evolution" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480598.770:112): arch=c000003e syscall=9 success=yes exit=1105211392 a0=0 a1=a01000 a2=7 a3=62 items=0 pid=3745 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="evolution" exe="/usr/bin/evolution-2.6"
type=AVC msg=audit(1138480598.878:113): avc:  granted  { execmem } for pid=3745 comm="evolution" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480598.878:113): arch=c000003e syscall=9 success=yes exit=1115701248 a0=0 a1=a01000 a2=7 a3=62 items=0 pid=3745 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="evolution" exe="/usr/bin/evolution-2.6"

I get the following AVC messages when starting Firefox with SELinux off:
type=AVC msg=audit(1138480668.242:114): avc:  granted  { execmem } for pid=3802 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480668.242:114): arch=c000003e syscall=10 success=yes exit=0 a0=7fffffa74000 a1=1000 a2=1000007 a3=4 items=0 pid=3802 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="firefox-bin" exe="/usr/lib64/firefox-1.5/firefox-bin"
type=AVC msg=audit(1138480668.242:115): avc:  granted  { execmem } for pid=3802 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480668.242:115): arch=c000003e syscall=10 success=yes exit=0 a0=41403000 a1=a00000 a2=7 a3=4 items=0 pid=3802 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="firefox-bin" exe="/usr/lib64/firefox-1.5/firefox-bin"
type=AVC msg=audit(1138480668.242:116): avc:  granted  { execmem } for pid=3802 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480668.242:116): arch=c000003e syscall=10 success=yes exit=0 a0=40a02000 a1=a00000 a2=7 a3=4 items=0 pid=3802 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="firefox-bin" exe="/usr/lib64/firefox-1.5/firefox-bin"
type=AVC msg=audit(1138480668.242:117): avc:  granted  { execmem } for pid=3802 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480668.242:117): arch=c000003e syscall=10 success=yes exit=0 a0=40001000 a1=a00000 a2=7 a3=4 items=0 pid=3802 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="firefox-bin" exe="/usr/lib64/firefox-1.5/firefox-bin"
type=AVC msg=audit(1138480668.502:118): avc:  granted  { execmem } for pid=3803 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480668.502:118): arch=c000003e syscall=9 success=yes exit=1105211392 a0=0 a1=a01000 a2=7 a3=62 items=0 pid=3803 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="firefox-bin" exe="/usr/lib64/firefox-1.5/firefox-bin"
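To read records like the ones above, here is an added example (not part of the post) that pairs each AVC record with the SYSCALL record sharing its audit serial number and decodes what the process actually asked for: syscall 9/10 are mmap/mprotect for arch=c000003e (x86_64), and the PROT_* values are the Linux mman.h bits, so a2=7 is read+write+execute memory, which is exactly what the execmem permission covers. The sample input is the serial 114 and 118 records from the post, rejoined onto one line each.

```python
import re
from collections import defaultdict

# Constructed sample: the serial 114 and 118 records from the post, one record per line.
SAMPLE = """\
type=AVC msg=audit(1138480668.242:114): avc:  granted  { execmem } for pid=3802 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480668.242:114): arch=c000003e syscall=10 success=yes exit=0 a0=7fffffa74000 a1=1000 a2=1000007 a3=4 items=0 pid=3802 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="firefox-bin" exe="/usr/lib64/firefox-1.5/firefox-bin"
type=AVC msg=audit(1138480668.502:118): avc:  granted  { execmem } for pid=3803 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480668.502:118): arch=c000003e syscall=9 success=yes exit=1105211392 a0=0 a1=a01000 a2=7 a3=62 items=0 pid=3803 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="firefox-bin" exe="/usr/lib64/firefox-1.5/firefox-bin"
"""
HEAD_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
AVC_RE = re.compile(r"avc:\s+(granted|denied)\s+\{ ([^}]+)\} for (.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# x86_64 (arch=c000003e) syscall numbers and Linux mman.h PROT_* bits seen in the post.
SYSCALLS = {9: "mmap", 10: "mprotect"}
PROT_BITS = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC",
             0x1000000: "PROT_GROWSDOWN"}

def flags(value, table):
    """Render the set bits of value as NAME|NAME using table."""
    return "|".join(n for bit, n in table.items() if value & bit) or "0"

def parse_records(text):
    """Group AVC and SYSCALL records that share an audit serial number."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEAD_RE.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        rec = {"ts": float(ts)}
        if rtype == "AVC":  # pull verdict and permission set before the key=value part
            verdict, perms, body = AVC_RE.search(body).groups()
            rec.update(verdict=verdict, perms=perms.split())
        rec.update({k: v.strip('"') for k, v in KV_RE.findall(body)})
        events[int(serial)][rtype] = rec
    return events

def execmem_summary(text):
    """One row per execmem AVC: process, syscall and the protection it asked for."""
    rows = []
    for serial, recs in sorted(parse_records(text).items()):
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if not avc or "execmem" not in avc["perms"]:
            continue
        prot = int(sc["a2"], 16) if sc else 0  # a2 is prot for both mmap and mprotect
        rows.append({"serial": serial, "verdict": avc["verdict"], "comm": avc["comm"],
                     "pid": int(avc["pid"]), "exe": sc["exe"] if sc else None,
                     "syscall": SYSCALLS.get(int(sc["syscall"])) if sc else None,
                     "prot": flags(prot, PROT_BITS), "wx": (prot & 0x6) == 0x6})
    return rows
```

Serial 114 decodes as an mprotect of a PROT_GROWSDOWN (stack) page to read+write+execute, and 118 as an anonymous read+write+execute mmap; both are the requests that a policy without execmem for the domain would refuse.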