firefox3beta and selinux

Antonio Olivares olivares14031 at yahoo.com
Fri Feb 1 23:18:48 UTC 2008 

Dear all,

When I try out the new firefox, setroubleshoot browser
tells me

\begin{QUOTE}

Summary:

SELinux is preventing firefox from making the program
stack executable.

Detailed Description:

The firefox application attempted to make its stack
executable. This is a
potential security problem. This should never ever be
necessary. Stack memory is
not executable on most OSes these days and this will
not change. Executable
stack memory is one of the biggest security problems.
An execstack error might
in fact be most likely raised by malicious code.
Applications are sometimes
coded incorrectly and request this permission. The
SELinux Memory Protection
Tests
(http://people.redhat.com/drepper/selinux-mem.html)
web page explains how
to remove this requirement. If firefox does not work
and you need it to work,
you can configure SELinux temporarily to allow this
access until the application
is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Allowing Access:

Sometimes a library is accidentally marked with the
execstack flag, if you find
a library with this flag you can clear it with the
execstack -c LIBRARY_PATH.
Then retry your application. If the app continues to
not work, you can turn the
flag back on with execstack -s LIBRARY_PATH.
Otherwise, if you trust firefox to
run correctly, you can change the context of the
executable to
unconfined_execmem_exec_t. "chcon -t
unconfined_execmem_exec_t
'/usr/lib/firefox-3.0b3pre/firefox'" You must also
change the default file
context files on the system in order to preserve them
even on a full relabel.
"semanage fcontext -a -t unconfined_execmem_exec_t
'/usr/lib/firefox-3.0b3pre/firefox'"

The following command will allow this access:

chcon -t unconfined_execmem_exec_t
'/usr/lib/firefox-3.0b3pre/firefox'

Additional Information:

Source Context               
unconfined_u:unconfined_r:unconfined_t:SystemLow-
                              SystemHigh
Target Context               
unconfined_u:unconfined_r:unconfined_t:SystemLow-
                              SystemHigh
Target Objects                None [ process ]
Source                        firefox
Source Path                  
/usr/lib/firefox-3.0b3pre/firefox
Port                          <Unknown>
Host                          localhost
Source RPM Packages          
firefox-3.0-0.beta2.15.nightly20080130.fc9
Target RPM Packages           
Policy RPM                   
selinux-policy-3.2.5-24.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execstack
Host Name                     localhost
Platform                      Linux localhost
2.6.24-9.fc9 #1 SMP Tue Jan 29
                              18:08:15 EST 2008 i686
athlon
Alert Count                   2
First Seen                    Fri 01 Feb 2008 05:08:54
PM CST
Last Seen                     Fri 01 Feb 2008 05:08:54
PM CST
Local ID                     
c4806f30-a6dc-43b0-8901-5531075795f7
Line Numbers                  

Raw Audit Messages            

host=localhost type=AVC msg=audit(1201907334.440:23):
avc:  denied  { execstack } for  pid=2743
comm="firefox"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=process

host=localhost type=SYSCALL
msg=audit(1201907334.440:23): arch=40000003
syscall=125 success=no exit=-13 a0=bfd47000 a1=1000
a2=1000007 a3=fffff000 items=0 ppid=2729 pid=2743
auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500
egid=500 sgid=500 fsgid=500 tty=(none) comm="firefox"
exe="/usr/lib/firefox-3.0b3pre/firefox"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
key=(null)



\end{QUOTE}

I have done this two or three time so that I can use
firefox-beta 3, is this by design or will it
eventually be incorporated.  

If I decide to file a bug report, should it be against
firefox, selinux-policy?

see here
----------
The firefox application attempted to make its stack
executable. This is a potential security problem. This
should never ever be necessary. Stack memory is not
executable on most OSes these days and this will not
change. Executable stack memory is one of the biggest
security problems. An execstack error might in fact be
most likely raised by malicious code. Applications are
sometimes coded incorrectly and request this
permission. The SELinux Memory Protection Tests web
page explains how to remove this requirement. If
firefox does not work and you need it to work, you can
configure SELinux temporarily to allow this access
until the application is fixed. Please file a bug
report against this package. 


Thanks,

Antonio 


      ____________________________________________________________________________________
Be a better friend, newshound, and 
know-it-all with Yahoo! Mobile.  Try it now.  http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ

More information about the fedora-selinux-list mailing list