How can firefox (sometimes) make memory executable?
by Göran Uddeborg
After upgrading to the Firefox 4 of Fedora 15, Firefox crashes
immediately on startup. I get an AVC about execmem being denied. I
run with allow_execmem disabled. (Audit details below.) I used
strace and gdb and found out that this happens in a file called
xulrunner-2.0.1/mozilla-2.0/js/src/assembler/jit/ExecutableAllocatorPosix.cpp
where it does
void* allocation = mmap(NULL, n, INITIAL_PROTECTION_FLAGS, MAP_PRIVATE | MAP_ANON, VM_TAG_FOR_EXECUTABLEALLOCATOR_MEMORY, 0);
The definition of INITIAL_PROTECTION_FLAGS is
PROT_READ|PROT_WRITE|PROT_EXEC, which indeed looks like something
that would be disallowed without allow_execmem.
To make it more mysterious, on a different system where we have a fresh
installation of Fedora 15, not updated from earlier versions, Firefox
DOES work. It does so even if I turn off allow_execmem. And when I
check /proc/*/maps for the firefox process, there are several
anonymous regions with "rwxp" permissions.
How can it do that? What is it that allows the Firefox on the freshly
installed F15 system to allocate executable and writeable pages? If I
knew, maybe I would know what I am missing on the upgraded system.
================================================================
node=mimmi type=AVC msg=audit(1308408766.500:147502): avc: denied {
execmem } for pid=23119 comm="firefox"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=process node=mimmi type=SYSCALL
msg=audit(1308408766.500:147502): arch=c000003e syscall=9 success=no
exit=-13 a0=0 a1=10000 a2=7 a3=22 items=0 ppid=23116 pid=23119
auid=918 uid=918 gid=918 euid=918 suid=918 fsuid=918 egid=918 sgid=918
fsgid=918 tty=pts1 ses=9147 comm="firefox"
exe="/usr/lib64/firefox-4/firefox"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
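Decoding the two records above (the AVC record and the SYSCALL record that share audit id 1308408766.500:147502) confirms what the source excerpt says: a2=7 is PROT_READ|PROT_WRITE|PROT_EXEC and a3=22 is MAP_PRIVATE|MAP_ANONYMOUS, which is exactly the kind of request the execmem permission governs. The decoder below is an added example, not part of the original post; the syscall, prot, map and errno tables are the standard x86_64 Linux ABI values (the record says arch=c000003e), and the only input is the two records quoted in the post.

```python
import re
# Linux x86_64 ABI values (the record has arch=c000003e); standard constants, assumed here.
SYSCALL_NAMES = {9: "mmap", 10: "mprotect"}
PROT_FLAGS = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MAP_FLAGS = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED", 0x20: "MAP_ANONYMOUS"}
ERRNO_NAMES = {1: "EPERM", 13: "EACCES"}
# The two records from the post, split back into the separate lines auditd emits.
AVC_RECORD = ('node=mimmi type=AVC msg=audit(1308408766.500:147502): avc: denied { execmem } '
              'for pid=23119 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
              'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process')
SYSCALL_RECORD = ('node=mimmi type=SYSCALL msg=audit(1308408766.500:147502): arch=c000003e syscall=9 '
                  'success=no exit=-13 a0=0 a1=10000 a2=7 a3=22 items=0 ppid=23116 pid=23119 '
                  'auid=918 uid=918 gid=918 euid=918 suid=918 fsuid=918 egid=918 sgid=918 fsgid=918 '
                  'tty=pts1 ses=9147 comm="firefox" exe="/usr/lib64/firefox-4/firefox" '
                  'subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)')

def parse_record(line):
    """Split one audit record into key=value fields; quoted values keep their spaces."""
    fields = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|(\S+))', line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3).rstrip(":")
    denied = re.search(r"denied\s*\{\s*([^}]*?)\s*\}", line)
    if denied:
        fields["denied"] = denied.group(1).split()   # e.g. ["execmem"]
    return fields

def flag_names(value, table):
    return [name for bit, name in table.items() if value & bit]

def explain_mmap_denial(avc_line, syscall_line):
    """Join the AVC and SYSCALL records of one event and decode the mmap arguments."""
    avc, sc = parse_record(avc_line), parse_record(syscall_line)
    if avc["msg"] != sc["msg"] or sc["arch"] != "c000003e":
        raise ValueError("records are not one x86_64 audit event; tables above would not apply")
    summary = {
        "event": avc["msg"],
        "denied": avc["denied"],
        "comm": avc["comm"],
        "syscall": SYSCALL_NAMES.get(int(sc["syscall"]), sc["syscall"]),
        "length": int(sc["a1"], 16),                          # a1: mapping length
        "prot": flag_names(int(sc["a2"], 16), PROT_FLAGS),    # a2: prot
        "flags": flag_names(int(sc["a3"], 16), MAP_FLAGS),    # a3: flags
        "errno": ERRNO_NAMES.get(-int(sc["exit"]), sc["exit"]),
    }
    # The execmem permission is what an anonymous, writable mapping requested with PROT_EXEC needs.
    summary["rwx_anon"] = (summary["syscall"] == "mmap"
                           and {"PROT_WRITE", "PROT_EXEC"} <= set(summary["prot"])
                           and "MAP_ANONYMOUS" in summary["flags"])
    return summary
```

Run against real audit.log output, the same two-record pairing (by the msg=audit(...) id) tells you whether a denial is the JIT's RWX request or something else that merely happens to be executable.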
12 years, 10 months
Re: TS under SELinux policy
by Marcos Ortiz Valmaseda
On 06/16/2011 10:58 AM, Igor Galić wrote:
>
> ----- Original Message -----
>> On 06/16/2011 06:04 AM, Jan-Frode Myklebust wrote:
>>
>> On Wed, Jun 15, 2011 at 05:08:49PM -0430, Marcos Ortiz wrote:
>>
>> Regards to all the list
>> I was wondering if any of you have deployed Traffic Server under
>> SELinux's policies?
>> If it's true, where can I find the work? I don't know if it's been
>> done, but I intend to build a policy
>> for it together with the fedora/EPEL package, and try to push it
>> upstream to the reference policy.
>>
>>
>> -jf Dominick Grift ( domg472(a)gmail.com ) and I want to
>> help with this development, precisely under Fedora. Can you
>> explain to us the basic workflow of TS?
>> Thanks a lot
> I don't think it'll be that straightforward to create such a policy
> for TS, because it's got quite a complex work-flow.
>
> igalic@pheme ~ % ps -cafe | grep -i traffic[_]
> root 311 1 TS 19 Jun06 ? 00:00:59 /usr/bin/traffic_cop
> nobody 750 311 TS 19 Jun06 ? 00:10:17 /usr/bin/traffic_manager
> nobody 961 750 TS 19 Jun06 ? 05:29:24 /usr/bin/traffic_server -M -A,7:X
> igalic@pheme ~ % getpcaps 311 750 961
> Capabilities for `311': =ep
> Capabilities for `750': =p cap_net_bind_service,cap_net_admin,cap_ipc_lock+e
> Capabilities for `961': = cap_net_bind_service,cap_net_admin,cap_ipc_lock+ep
> igalic@pheme ~ %
>
>
> * traffic_cop is started as root
> * it creates /var/trafficserver/run/cop.lock and writes its PID inside
> * it attempts to start traffic_manager
>
> * traffic_manager is started as "nobody" but inherits the Capabilities from the parent
> * it creates /var/trafficserver/run/manager.lock and writes its PID inside
> * it binds to port 80 and 443, then drops privileges (see above.)
> * it creates /var/trafficserver/logs/manager.log and /var/trafficserver/logs/traffic.out
> * it creates several sockets in /var/trafficserver/run/
> * it attempts to start traffic_server
>
> * traffic_server is started as "nobody"
> * it opens /var/trafficserver/run/server.lock and writes its PID inside
> * it opens /var/trafficserver/logs/{diags,error}.log and /var/trafficserver/logs/squid.blog
> * it opens /var/trafficserver/cache/host.db
> * depending on your storage.config it will then open the index, in my case these are
> - the disk devices /dev/vde and /dev/vdf
>
> This is a simple startup of a single node. It should look the same in both,
> forward proxy and reverse proxy mode.
>
> If you enable clustering, you'll also have to consider this in your firewall
> configuration, allowing multi-cast on the local network.
>
> I hope that gets you started.
>
>> --
>> Marcos Luís Ortíz Valmaseda
>> Software Engineer (UCI) http://marcosluis2186.posterous.com
>> http://twitter.com/marcosluis2186
> So long,
> i
>
Well, Dominick, I think that the first thing to do is to build
the .rpm package under correct packaging rules.
Init scripts under:
/usr/sbin
/etc/init.d/ (compatible with the chkconfig tool)
pids under:
/var/run
libraries under:
/usr/lib/trafficserver
docs under:
/usr/share/docs/trafficserver
log files under:
/var/log/trafficserver
and locks under:
/var/locks/trafficserver
Is this correct, Dominick?
Where can I find the spec file for TrafficServer?
Regards
--
Marcos Luís Ortíz Valmaseda
Software Engineer (UCI)
http://marcosluis2186.posterous.com
http://twitter.com/marcosluis2186
Re: TS under SELinux policy
by Dominick Grift
On Thu, 2011-06-16 at 15:28 +0000, Igor Galić wrote:
> I don't think it'll be that straightforward to create such a policy
> for TS, because it's got quite a complex work-flow.
Best to wait for this to get packaged by and included into Fedora.
These paths you mention are not optimal.
Thanks
Re: TS under SELinux policy
by Marcos Ortiz Valmaseda
On 06/16/2011 06:04 AM, Jan-Frode Myklebust wrote:
> On Wed, Jun 15, 2011 at 05:08:49PM -0430, Marcos Ortiz wrote:
>> Regards to all the list
>> I was wondering if any of you have deployed Traffic Server under
>> SELinux's policies?
>> If it's true, where can I find the work?
> I don't know if it's been done, but I intend to build a policy
> for it together with the fedora/EPEL package, and try to push it
> upstream to the reference policy.
>
>
> -jf
Dominick Grift (domg472(a)gmail.com) and I want to
help with this development, precisely under Fedora. Can you
explain to us the basic workflow of TS?
Thanks a lot
--
Marcos Luís Ortíz Valmaseda
Software Engineer (UCI)
http://marcosluis2186.posterous.com
http://twitter.com/marcosluis2186
TS under SELinux policy
by Marcos Ortiz Valmaseda
Regards to all the list
I was wondering if any of you have deployed Traffic Server under
SELinux's policies?
If it's true, where can I find the work?
Please sync with upstream of sepgsql_contexts
by KaiGai Kohei
When I try to initialize a database managed by SE-PostgreSQL, it shows
the following error message. The origin of this misconfiguration is my
typo when I submitted a patch. It has already been fixed in the upstream
refpolicy.
[kaigai@iwashi ~]$ /usr/local/pgsql/bin/postgres --single -F -O -c exit_on_error=true postgres < /usr/local/pgsql/share/contrib/sepgsql.sql > /dev/null
/etc/selinux/targeted/contexts/sepgsql_contexts: line 33 has invalid object type db_blobs
Could you sync with upstream of config/appconfig-*/sepgsql_contexts?
The 'db_blobs' should be 'db_blob'. Right now, access controls on
large objects are not supported yet, so this message is harmless.
But it is not cool.
Thanks,
--
KaiGai Kohei <kaigai(a)kaigai.gr.jp>
sandbox: Thunderbird + Enigmail/GPG
by Christoph A.
Hi,
is someone successfully running Thunderbird in a sandbox including
Enigmail Extension and GPG support?
When starting Thunderbird:
sandbox -X -t sandbox_net_t -H tb thunderbird
I get the following "OpenPGP Alert":
"Could not start the gpg-agent program which is needed for you GnuPG
version denied."
thanks,
Christoph
add textrel_shlib_t in package %post or in selinux-policy?
by Chuck Anderson
I'm the package maintainer for ocp (Open Cubic Player) in Fedora. The
32-bit i386 version of ocp has hand-written assembly code that can't
be compiled with -fPIC, and requires text relocations to run. The
x86_64 (and all other architectures) version uses C code for the same
functions, and so does not need text relocations. I'm also
investigating a way to compile the 32-bit version with the C functions
instead of the optimized non-PIC assembly. The bug is here:
https://bugzilla.redhat.com/show_bug.cgi?id=470949
I also found this bug which I was never informed of at the time it was
filed and fixed by applying textrel_shlib_t for mixclip.so in the
selinux-policy package (which incidentally won't work anymore since
mixclip.so moved in newer versions of ocp):
https://bugzilla.redhat.com/show_bug.cgi?id=550252
>sudo grep ocp /etc/selinux/targeted/contexts/files/file_contexts
/usr/lib(64)?/ocp-.*/mixclip\.so -- system_u:object_r:textrel_shlib_t:s0
(This tripped me up for a while since I couldn't figure out why
semanage fcontext -d couldn't delete this--until I realized I hadn't
added this with semanage--it was in the selinux-policy package.)
Here are the current files that require text relocations if I'm
interpreting the output of eu-findtextrel correctly (again, only i386
32-bit):
>eu-findtextrel /usr/lib/ocp-*/{*,autoload/*} |& grep -v 'no text reloc' | cut -d: -f1 | sort -u
eu-findtextrel
/usr/lib/ocp-0.1.20/autoload/10-mixclip.so
/usr/lib/ocp-0.1.20/autoload/30-mcpbase.so
/usr/lib/ocp-0.1.20/devwmixf.so
/usr/lib/ocp-0.1.20/devwmix.so
My questions are:
1. Should you add these to selinux-policy (and remove the previous obsolete entry)?
/usr/lib/ocp-.*/(autoload/)?.*devwmix\.so -- system_u:object_r:textrel_shlib_t:s0
/usr/lib/ocp-.*/(autoload/)?.*devwmixf\.so -- system_u:object_r:textrel_shlib_t:s0
/usr/lib/ocp-.*/(autoload/)?.*mcpbase\.so -- system_u:object_r:textrel_shlib_t:s0
/usr/lib/ocp-.*/(autoload/)?.*mixclip\.so -- system_u:object_r:textrel_shlib_t:s0
This should cover all known variations in location.
2. Or, should I add this to my package %post (and have you remove the obsolete entry):
%ifarch %{ix86}
# Only the i386 build needs text relocations; the patterns name the files listed in question 1.
semanage fcontext -a -t textrel_shlib_t '%{_libdir}/ocp-.*/(autoload/)?.*devwmix\.so' 2>/dev/null || :
semanage fcontext -a -t textrel_shlib_t '%{_libdir}/ocp-.*/(autoload/)?.*devwmixf\.so' 2>/dev/null || :
semanage fcontext -a -t textrel_shlib_t '%{_libdir}/ocp-.*/(autoload/)?.*mcpbase\.so' 2>/dev/null || :
semanage fcontext -a -t textrel_shlib_t '%{_libdir}/ocp-.*/(autoload/)?.*mixclip\.so' 2>/dev/null || :
# restorecon takes paths, not regexes: a shell glob selects the versioned directory
restorecon -R %{_libdir}/ocp-* || :
%endif
(as http://fedoraproject.org/wiki/PackagingDrafts/SELinux recommends,
but this is still a draft guideline)
3. Or, should I cover all bases for current and possible future needs
with a more permissive match (what is the security risk here?):
%ifarch %{ix86}
semanage fcontext -a -t textrel_shlib_t '%{_libdir}/ocp-.*/(autoload/)?.*\.so' 2>/dev/null || :
# restorecon takes paths, not regexes: a shell glob selects the versioned directory
restorecon -R %{_libdir}/ocp-* || :
%endif
4. Or, should I find a way to compile with -fPIC (possibly reverting
to the C versions instead of assembly) so I don't need text
relocations? How much of a security risk is giving textrel_shlib_t to
these libraries?
5. I noticed that the various allow_exec* booleans changed their
default values in successive Fedora versions:
Fedora 13 i386:
allow_execheap --> off
allow_execmem --> on
allow_execmod --> off
allow_execstack --> on
Fedora 14 i386:
allow_execheap --> off
allow_execmem --> on
allow_execmod --> on
allow_execstack --> off
Fedora 15 i386:
allow_execheap --> off
allow_execmem --> on
allow_execmod --> on
allow_execstack --> on
What's the history here? Things seem to be moving in a more
permissive direction--so I guess the convenience of allowing these was
deemed worth the security risk of having them on by default?
6. Should I do nothing and just rely on the default boolean values in
Fedora 14 and newer to allow people to run ocp on i386?
Thanks,
Chuck
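A way to check the text-relocation property directly, rather than reading it off eu-findtextrel's output: a shared object's dynamic section records it as a DT_TEXTREL entry or as the DF_TEXTREL bit of DT_FLAGS, which is what the dynamic loader consults and what the textrel_shlib_t label exists to cover. The checker below is an added example, not code from the post or from the ocp or selinux-policy packages; build_sample_elf is a constructed fixture so the example runs offline, not a real ocp library.

```python
import struct

PT_DYNAMIC, DT_NULL, DT_TEXTREL, DT_FLAGS, DF_TEXTREL = 2, 0, 22, 30, 0x4

def has_textrel(elf: bytes) -> bool:
    """True if the ELF image's dynamic section carries DT_TEXTREL or DF_TEXTREL."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    end = "<" if elf[5] == 1 else ">"          # EI_DATA: little- or big-endian
    if elf[4] == 2:                            # ELFCLASS64
        (phoff,) = struct.unpack_from(end + "Q", elf, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 54)
        phdr_fmt, off_idx, size_idx, dyn_fmt = end + "IIQQQQQQ", 2, 5, end + "qQ"
    else:                                      # ELFCLASS32 (the i386 case in the post)
        (phoff,) = struct.unpack_from(end + "I", elf, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 42)
        phdr_fmt, off_idx, size_idx, dyn_fmt = end + "IIIIIIII", 1, 4, end + "iI"
    dyn_size = struct.calcsize(dyn_fmt)
    for i in range(phnum):                     # walk program headers for PT_DYNAMIC
        ph = struct.unpack_from(phdr_fmt, elf, phoff + i * phentsize)
        if ph[0] != PT_DYNAMIC:
            continue
        pos, stop = ph[off_idx], ph[off_idx] + ph[size_idx]
        while pos + dyn_size <= stop:          # scan d_tag/d_val pairs up to DT_NULL
            tag, val = struct.unpack_from(dyn_fmt, elf, pos)
            if tag == DT_NULL:
                break
            if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                return True
            pos += dyn_size
    return False

def build_sample_elf(entries):
    """Constructed fixture: a minimal little-endian ELF64 whose only segment is
    PT_DYNAMIC holding `entries`. Not loadable; just enough for has_textrel()."""
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in entries + [(DT_NULL, 0)])
    ehdr_size, phdr_size = 64, 56
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)   # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, ehdr_size, 0, 0,
                               ehdr_size, phdr_size, 1, 0, 0, 0)   # ET_DYN, EM_X86_64
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, ehdr_size + phdr_size,
                       0, 0, len(dyn), len(dyn), 8)
    return ehdr + phdr + dyn
```

For a real check, call has_textrel(open(path, "rb").read()) on each candidate .so from the ocp directory; a library that returns False does not need textrel_shlib_t even if a broader file_contexts pattern would label it.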
sandbox & Fonts (Cosmetic Issue)
by Jorge Fábregas
Hi,
I'm using Firefox in the sandbox but I'm wondering if there's any way to
specify a DPI for the window manager or X for that sandbox session. For
example, when Firefox loads, the fonts on its UI elements are WAY
smaller than my out-of-sandbox Firefox (and the rest of the system for
that matter).
Regards,
Jorge