From: Daniel J Walsh <dwalsh(a)redhat.com>
Subject: Re: firefox on rawhide and selinux
To: "Antonio Olivares" <olivares14031(a)yahoo.com>
Cc: fedora-selinux-list(a)redhat.com
Date: Monday, June 8, 2009, 2:17 PM
On 06/08/2009 04:21 PM, Antonio Olivares wrote:
>
>
> Summary:
>
> SELinux is preventing firefox from changing a writable memory segment
> executable.
>
> Detailed Description:
>
> The firefox application attempted to change the access protection of memory
> (e.g., allocated using malloc). This is a potential security problem.
> Applications should not be doing this. Applications are sometimes coded
> incorrectly and request this permission. The SELinux Memory Protection Tests
> (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
> remove this requirement. If firefox does not work and you need it to work, you
> can configure SELinux temporarily to allow this access until the application is
> fixed. Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
>
> Allowing Access:
>
> If you trust firefox to run correctly, you can change the context of the
> executable to unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t
> '/usr/lib/firefox-3.5b4/firefox'". You must also change the default file context
> files on the system in order to preserve them even on a full relabel. "semanage
> fcontext -a -t unconfined_execmem_exec_t '/usr/lib/firefox-3.5b4/firefox'"
>
> Fix Command:
>
> chcon -t unconfined_execmem_exec_t '/usr/lib/firefox-3.5b4/firefox'
>
> Additional Information:
>
> Source Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
> Target Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
> Target Objects                None [ process ]
> Source                        firefox
> Source Path                   /usr/lib/firefox-3.5b4/firefox
> Port                          <Unknown>
> Host                          localhost.localdomain
> Source RPM Packages           firefox-3.5-0.21.beta4.fc12
> Target RPM Packages
> Policy RPM                    selinux-policy-3.6.13-2.fc12
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   allow_execmem
> Host Name                     localhost.localdomain
> Platform                      Linux localhost.localdomain 2.6.30-0.97.rc8.fc12.i586 #1 SMP Wed Jun 3 09:55:34 EDT 2009 i686 i686
> Alert Count                   8
> First Seen                    Mon 08 Jun 2009 12:27:54 PM CDT
> Last Seen                     Mon 08 Jun 2009 12:28:08 PM CDT
> Local ID                      0e0d62f4-09db-4ddf-987c-8210c45b9e70
> Line Numbers
>
> Raw Audit Messages
>
> node=localhost.localdomain type=AVC msg=audit(1244482088.874:27316): avc: denied { execmem } for pid=2566 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
>
> node=localhost.localdomain type=SYSCALL msg=audit(1244482088.874:27316): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=2000 a2=7 a3=22 items=0 ppid=2554 pid=2566 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="firefox" exe="/usr/lib/firefox-3.5b4/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
>
>
>
>
> Thanks,
>
> Antonio
>
Are you using flashplugin? Not sure which app is causing the execmem.
Do you have nspluginwrapper installed?

Both flashplugin and nspluginwrapper are installed :(
Updated rawhide as of yesterday's 20080607's report, I can't get today's updates,
will apply them tomorrow when more mirrors are updated.
Thanks,
Antonio
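
Added example, not part of the original thread: a small Python decoder for the SYSCALL record paired with the AVC above, showing that the denied call was an mmap2 of anonymous read/write/execute memory. The flag tables, the single arch/syscall mapping and the function names are assumptions of this example, and the execmem condition is a simplified model of the mmap-time check.

```python
import re

# Constructed sample: the SYSCALL record quoted in the thread, fields trimmed.
SAMPLE = ('type=SYSCALL msg=audit(1244482088.874:27316): arch=40000003 '
          'syscall=192 success=no exit=-13 a0=0 a1=2000 a2=7 a3=22 '
          'pid=2566 comm="firefox" exe="/usr/lib/firefox-3.5b4/firefox"')

PROT = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MAP = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE",
       0x10: "MAP_FIXED", 0x20: "MAP_ANONYMOUS"}
# Only the arch/syscall pair seen in this report (AUDIT_ARCH_I386, mmap2).
MMAP_CALLS = {("40000003", "192"): "mmap2"}
EACCES = 13

def parse_record(line):
    """Split one audit record into a dict of key=value fields."""
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', line)
    return {key: value.strip('"') for key, value in pairs}

def flag_names(value, table):
    """Names of the bits from `table` that are set in `value`."""
    return [name for bit, name in sorted(table.items()) if value & bit]

def explain_mmap(line):
    """Decode an mmap2 SYSCALL record; return None for other syscalls."""
    f = parse_record(line)
    name = MMAP_CALLS.get((f.get("arch"), f.get("syscall")))
    if name is None:
        return None
    prot, flags = int(f["a2"], 16), int(f["a3"], 16)  # a0..a3 are logged in hex
    anonymous = bool(flags & 0x20)
    private_writable = bool(flags & 0x02) and bool(prot & 0x2)
    return {
        "syscall": name,
        "comm": f.get("comm"),
        "length": int(f["a1"], 16),
        "prot": flag_names(prot, PROT),
        "flags": flag_names(flags, MAP),
        # Simplified model of the mmap-time condition that requires execmem:
        # executable, and either anonymous or a private writable mapping.
        "needs_execmem": bool(prot & 0x4) and (anonymous or private_writable),
        "denied": int(f["exit"]) == -EACCES,
    }

if __name__ == "__main__":
    print(explain_mmap(SAMPLE))
```

The record names only the firefox process, so it cannot by itself say whether the mapping was requested by the browser or by a plugin loaded into it.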