firefox3beta and selinux
Daniel J Walsh
dwalsh at redhat.com
Sat Feb 2 03:38:14 UTC 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Antonio Olivares wrote:
> Dear all,
>
> When I try out the new firefox, setroubleshoot browser
> tells me
>
> \begin{QUOTE}
>
> Summary:
>
> SELinux is preventing firefox from making the program
> stack executable.
>
> Detailed Description:
>
> The firefox application attempted to make its stack
> executable. This is a
> potential security problem. This should never ever be
> necessary. Stack memory is
> not executable on most OSes these days and this will
> not change. Executable
> stack memory is one of the biggest security problems.
> An execstack error might
> in fact be most likely raised by malicious code.
> Applications are sometimes
> coded incorrectly and request this permission. The
> SELinux Memory Protection
> Tests
> (http://people.redhat.com/drepper/selinux-mem.html)
> web page explains how
> to remove this requirement. If firefox does not work
> and you need it to work,
> you can configure SELinux temporarily to allow this
> access until the application
> is fixed. Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Allowing Access:
>
> Sometimes a library is accidentally marked with the execstack flag, if you find
> a library with this flag you can clear it with the execstack -c LIBRARY_PATH.
> Then retry your application. If the app continues to not work, you can turn the
> flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust firefox to
> run correctly, you can change the context of the executable to
> unconfined_execmem_exec_t.
> "chcon -t unconfined_execmem_exec_t '/usr/lib/firefox-3.0b3pre/firefox'"
> You must also change the default file context files on the system in order to
> preserve them even on a full relabel.
> "semanage fcontext -a -t unconfined_execmem_exec_t '/usr/lib/firefox-3.0b3pre/firefox'"
>
> The following command will allow this access:
>
> chcon -t unconfined_execmem_exec_t '/usr/lib/firefox-3.0b3pre/firefox'
>
> Additional Information:
>
> Source Context        unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
> Target Context        unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
> Target Objects        None [ process ]
> Source                firefox
> Source Path           /usr/lib/firefox-3.0b3pre/firefox
> Port                  <Unknown>
> Host                  localhost
> Source RPM Packages   firefox-3.0-0.beta2.15.nightly20080130.fc9
> Target RPM Packages
> Policy RPM            selinux-policy-3.2.5-24.fc9
> Selinux Enabled       True
> Policy Type           targeted
> MLS Enabled           True
> Enforcing Mode        Enforcing
> Plugin Name           allow_execstack
> Host Name             localhost
> Platform              Linux localhost 2.6.24-9.fc9 #1 SMP Tue Jan 29 18:08:15 EST 2008 i686 athlon
> Alert Count           2
> First Seen            Fri 01 Feb 2008 05:08:54 PM CST
> Last Seen             Fri 01 Feb 2008 05:08:54 PM CST
> Local ID              c4806f30-a6dc-43b0-8901-5531075795f7
> Line Numbers
>
> Raw Audit Messages
>
> host=localhost type=AVC msg=audit(1201907334.440:23): avc: denied { execstack } for pid=2743 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
>
> host=localhost type=SYSCALL msg=audit(1201907334.440:23): arch=40000003 syscall=125 success=no exit=-13 a0=bfd47000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=2729 pid=2743 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="firefox" exe="/usr/lib/firefox-3.0b3pre/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
>
>
>
> \end{QUOTE}
>
> I have done this two or three times so that I can use
> firefox-beta 3. Is this by design, or will it
> eventually be incorporated?
>
> If I decide to file a bug report, should it be against
> firefox, selinux-policy?
>
> see here
> ----------
> The firefox application attempted to make its stack
> executable. This is a potential security problem. This
> should never ever be necessary. Stack memory is not
> executable on most OSes these days and this will not
> change. Executable stack memory is one of the biggest
> security problems. An execstack error might in fact be
> most likely raised by malicious code. Applications are
> sometimes coded incorrectly and request this
> permission. The SELinux Memory Protection Tests web
> page explains how to remove this requirement. If
> firefox does not work and you need it to work, you can
> configure SELinux temporarily to allow this access
> until the application is fixed. Please file a bug
> report against this package.
>
>
firefox. It is doing something that it should not do and is quite
dangerous.
> Thanks,
>
> Antonio
>
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkej5aYACgkQrlYvE4MpobMgvwCfYPpUZfHbLlZTm6zYGT5x+rmE
CDAAn2y7SjdnAR0SWYjPl15TsS35svk8
=pzlp
-----END PGP SIGNATURE-----
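The report above gives two things a responder has to interpret by hand: the raw AVC/SYSCALL pair, and the advice to hunt for a library "accidentally marked with the execstack flag". The script below is an added example for this archive page, not code from the thread or from Fedora; it decodes the quoted records (copied from the report, re-joined onto one line each) and checks ELF images for an executable PT_GNU_STACK header, which is the same bit `execstack -q` reports. The syscall-number and AUDIT_ARCH tables cover only i386 and x86_64, and `is_execstack_attempt` encodes an assumption: that an `mprotect` with PROT_EXEC|PROT_GROWSDOWN alongside an `execstack` denial is glibc making the main thread's stack executable on behalf of a loaded object. `make_elf32` builds a constructed two-structure ELF purely for the self-test.

```python
#!/usr/bin/env python3
"""Triage an SELinux execstack denial: decode the AVC/SYSCALL pair and check
ELF objects for an executable PT_GNU_STACK. Added example, not from the thread."""
import errno
import re
import struct
import sys

# Constructed input: the two records quoted in the report, each on one line.
SAMPLE_RECORDS = [
    'host=localhost type=AVC msg=audit(1201907334.440:23): avc: denied { execstack } '
    'for pid=2743 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process',
    'host=localhost type=SYSCALL msg=audit(1201907334.440:23): arch=40000003 syscall=125 '
    'success=no exit=-13 a0=bfd47000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=2729 '
    'pid=2743 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 '
    'fsgid=500 tty=(none) comm="firefox" exe="/usr/lib/firefox-3.0b3pre/firefox" '
    'subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)',
]

ARCHES = {0x40000003: "i386", 0xC000003E: "x86_64"}       # AUDIT_ARCH_* values
SYSCALLS = {"i386": {125: "mprotect", 192: "mmap2"},      # partial tables, enough for
            "x86_64": {10: "mprotect", 9: "mmap"}}        # memory-protection denials
PROT_FLAGS = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC",
              0x01000000: "PROT_GROWSDOWN", 0x02000000: "PROT_GROWSUP"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
SERIAL_RE = re.compile(r'audit\(([\d.]+):(\d+)\)')


def parse_record(line):
    """Split one audit record into a dict; the AVC permission set becomes 'denied'."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = SERIAL_RE.search(line)
    rec["serial"] = int(m.group(2)) if m else None   # event serial joins AVC to SYSCALL
    m = AVC_RE.search(line)
    if m:
        rec["denied"] = m.group(1).split()
    return rec


def decode_event(lines):
    """Join the AVC and SYSCALL records of one event and decode the syscall arguments."""
    recs = [parse_record(l) for l in lines]
    avc = next(r for r in recs if r["type"] == "AVC")
    sc = next(r for r in recs if r["type"] == "SYSCALL" and r["serial"] == avc["serial"])
    arch = ARCHES.get(int(sc["arch"], 16), sc["arch"])
    nr, prot = int(sc["syscall"]), int(sc["a2"], 16)    # for mprotect: a0=addr a1=len a2=prot
    return {
        "denied": avc["denied"], "comm": avc["comm"], "exe": sc["exe"],
        "scontext": avc["scontext"], "arch": arch,
        "syscall": SYSCALLS.get(arch, {}).get(nr, str(nr)),
        "addr": int(sc["a0"], 16), "length": int(sc["a1"], 16),
        "prot": [name for bit, name in PROT_FLAGS.items() if prot & bit],
        "errno": errno.errorcode.get(-int(sc["exit"]), sc["exit"]),
    }


def is_execstack_attempt(ev):
    """Assumption: mprotect(stack, PROT_EXEC|PROT_GROWSDOWN) is the loader making the
    stack executable because some loaded object has an executable PT_GNU_STACK."""
    return ("execstack" in ev["denied"] and ev["syscall"] == "mprotect"
            and {"PROT_EXEC", "PROT_GROWSDOWN"} <= set(ev["prot"]))


PT_GNU_STACK, PF_X = 0x6474E551, 0x1


def gnu_stack_executable(elf):
    """True/False for PT_GNU_STACK with/without PF_X; None when the header is absent
    (the loader then uses the arch default, which is an executable stack on i386)."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64, end = elf[4] == 2, ("<" if elf[5] == 1 else ">")
    if is64:
        (phoff,) = struct.unpack_from(end + "Q", elf, 0x20)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 0x36)
    else:
        (phoff,) = struct.unpack_from(end + "I", elf, 0x1C)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 0x2A)
    for i in range(phnum):
        off = phoff + i * phentsize
        (p_type,) = struct.unpack_from(end + "I", elf, off)
        (p_flags,) = struct.unpack_from(end + "I", elf, off + (4 if is64 else 24))
        if p_type == PT_GNU_STACK:
            return bool(p_flags & PF_X)
    return None


def make_elf32(stack_flags):
    """Constructed minimal ELF32 (header + one PT_GNU_STACK phdr) for the self-test."""
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)
    hdr = struct.pack("<HHIIIIIHHHHHH", 3, 3, 1, 0, 52, 0, 0, 52, 32, 1, 40, 0, 0)
    phdr = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
    return ident + hdr + phdr


if __name__ == "__main__":
    ev = decode_event(SAMPLE_RECORDS)
    print(f'{ev["comm"]} ({ev["exe"]}): {ev["syscall"]}(0x{ev["addr"]:x}, {ev["length"]}, '
          f'{"|".join(ev["prot"])}) -> {ev["errno"]}; execstack attempt: {is_execstack_attempt(ev)}')
    for path in sys.argv[1:]:          # e.g. /usr/lib/firefox-3.0b3pre/*.so
        with open(path, "rb") as f:
            verdict = gnu_stack_executable(f.read())
        print(path, {True: "RWE stack", False: "RW stack", None: "no PT_GNU_STACK"}[verdict])
```

Run with no arguments to see the quoted event decoded: on i386 syscall 125 is `mprotect`, `a2=1000007` is PROT_READ|PROT_WRITE|PROT_EXEC|PROT_GROWSDOWN, and `exit=-13` is EACCES, so the denial is a one-page (0x1000 bytes) attempt to mark the stack executable. Pass the shared objects under the firefox directory and any plugins to find which one carries the RWE GNU_STACK header; that is the object to clear with `execstack -c` (or to report against), rather than relabelling the browser itself as execmem.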
More information about the fedora-test-list mailing list