firefox on rawhide and selinux
Antonio Olivares
olivares14031 at yahoo.com
Mon Jun 8 21:21:28 UTC 2009
--- On Mon, 6/8/09, Daniel J Walsh <dwalsh at redhat.com> wrote:
> From: Daniel J Walsh <dwalsh at redhat.com>
> Subject: Re: firefox on rawhide and selinux
> To: "Antonio Olivares" <olivares14031 at yahoo.com>
> Cc: fedora-selinux-list at redhat.com
> Date: Monday, June 8, 2009, 2:17 PM
> On 06/08/2009 04:21 PM, Antonio Olivares wrote:
> >
> > Summary:
> >
> > SELinux is preventing firefox from changing a writable memory segment
> > executable.
> >
> > Detailed Description:
> >
> > The firefox application attempted to change the access protection of
> > memory (e.g., allocated using malloc). This is a potential security
> > problem. Applications should not be doing this. Applications are
> > sometimes coded incorrectly and request this permission. The SELinux
> > Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html)
> > web page explains how to remove this requirement. If firefox does not
> > work and you need it to work, you can configure SELinux temporarily to
> > allow this access until the application is fixed. Please file a bug
> > report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this
> > package.
> >
> > Allowing Access:
> >
> > If you trust firefox to run correctly, you can change the context of
> > the executable to unconfined_execmem_exec_t.
> > "chcon -t unconfined_execmem_exec_t '/usr/lib/firefox-3.5b4/firefox'".
> > You must also change the default file context files on the system in
> > order to preserve them even on a full relabel.
> > "semanage fcontext -a -t unconfined_execmem_exec_t '/usr/lib/firefox-3.5b4/firefox'"
> >
> > Fix Command:
> >
> > chcon -t unconfined_execmem_exec_t '/usr/lib/firefox-3.5b4/firefox'
> >
> > Additional Information:
> >
> > Source Context        unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
> > Target Context        unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
> > Target Objects        None [ process ]
> > Source                firefox
> > Source Path           /usr/lib/firefox-3.5b4/firefox
> > Port                  <Unknown>
> > Host                  localhost.localdomain
> > Source RPM Packages   firefox-3.5-0.21.beta4.fc12
> > Target RPM Packages
> > Policy RPM            selinux-policy-3.6.13-2.fc12
> > Selinux Enabled       True
> > Policy Type           targeted
> > MLS Enabled           True
> > Enforcing Mode        Enforcing
> > Plugin Name           allow_execmem
> > Host Name             localhost.localdomain
> > Platform              Linux localhost.localdomain 2.6.30-0.97.rc8.fc12.i586 #1 SMP Wed Jun 3 09:55:34 EDT 2009 i686 i686
> > Alert Count           8
> > First Seen            Mon 08 Jun 2009 12:27:54 PM CDT
> > Last Seen             Mon 08 Jun 2009 12:28:08 PM CDT
> > Local ID              0e0d62f4-09db-4ddf-987c-8210c45b9e70
> > Line Numbers
> >
> > Raw Audit Messages
> >
> > node=localhost.localdomain type=AVC msg=audit(1244482088.874:27316): avc: denied { execmem } for pid=2566 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
> >
> > node=localhost.localdomain type=SYSCALL msg=audit(1244482088.874:27316): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=2000 a2=7 a3=22 items=0 ppid=2554 pid=2566 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="firefox" exe="/usr/lib/firefox-3.5b4/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> >
> > Thanks,
> >
> > Antonio
> >
> Are you using flashplugin? Not sure which app is causing the execmem.
> Do you have nspluginwrapper installed?
>
both flashplugin and nspluginwrapper are installed :(
updated rawhide as of yesterday's 20080607 report; I can't get today's updates, will apply them tomorrow when more mirrors are updated.
Thanks,
Antonio
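The raw audit messages quoted above carry more detail than the setroubleshoot summary: the SYSCALL record names the binary, the syscall and its arguments, so an administrator can see exactly what tripped the execmem check before deciding whether to relabel the executable as unconfined_execmem_exec_t. The following script is an added example for this thread, not code from the list, from Fedora or from setroubleshoot. It parses the two records from the report, correlates them by audit event id, and decodes the i386 syscall (arch=40000003 is AUDIT_ARCH_I386; the only assumption is that no other architecture is decoded). On this input it shows an mmap2 of an 8 KiB private anonymous mapping requested read+write+execute and refused with EACCES; execmem is checked both for such W+X anonymous mappings and for mprotect calls that add PROT_EXEC to writable memory, which is the case the description text refers to.

```python
"""Correlate an SELinux AVC execmem denial with its SYSCALL record and decode it.
Added example for this thread; assumes i386 (arch=40000003) records only."""
import errno
import re

# The two raw audit messages from the report above, one record per line.
AUDIT_LINES = [
    'node=localhost.localdomain type=AVC msg=audit(1244482088.874:27316): avc: denied { execmem } for pid=2566 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process',
    'node=localhost.localdomain type=SYSCALL msg=audit(1244482088.874:27316): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=2000 a2=7 a3=22 items=0 ppid=2554 pid=2566 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="firefox" exe="/usr/lib/firefox-3.5b4/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)',
]

# Audit records are key=value tokens; a value may be "quoted", (parenthesised) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
EVENT_RE = re.compile(r'msg=audit\(([\d.]+:\d+)\)')
PERMS_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}')

# i386 ABI constants for the two syscalls that can trigger execmem (assumption: i386 only).
I386_SYSCALLS = {125: "mprotect", 192: "mmap2"}
PROT_FLAGS = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MAP_FLAGS = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED", 0x20: "MAP_ANONYMOUS"}


def parse_record(line):
    """Split one audit record into a dict; adds 'event' (ts:serial) and, for AVCs, 'perms'."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = EVENT_RE.search(line)
    rec["event"] = m.group(1) if m else None
    m = PERMS_RE.search(line)
    if m:
        rec["perms"] = m.group(1).split()
    return rec


def flag_names(value, table):
    """Expand a bitmask into flag names, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def decode_syscall(rec):
    """Explain a SYSCALL record: syscall name, errno, and prot/map flags where applicable."""
    if rec.get("type") != "SYSCALL":
        raise ValueError("not a SYSCALL record")
    if rec.get("arch") != "40000003":
        raise ValueError("only AUDIT_ARCH_I386 (arch=40000003) is decoded here")
    nr = int(rec["syscall"])
    name = I386_SYSCALLS.get(nr, "syscall_%d" % nr)
    rc = int(rec["exit"])
    out = {"syscall": name, "errno": errno.errorcode.get(-rc) if rc < 0 else None,
           "writable_executable": False}
    if name in ("mprotect", "mmap2"):
        prot = int(rec["a2"], 16)  # a0..a3 are hex in audit records; a2 is prot for both calls
        out["prot"] = flag_names(prot, PROT_FLAGS)
        out["writable_executable"] = prot & (0x2 | 0x4) == (0x2 | 0x4)
        if name == "mmap2":
            out["length"] = int(rec["a1"], 16)
            out["flags"] = flag_names(int(rec["a3"], 16), MAP_FLAGS)
    return out


def execmem_denials(lines):
    """Pair each AVC execmem denial with the SYSCALL record of the same audit event."""
    by_event = {}
    for rec in map(parse_record, lines):
        by_event.setdefault(rec["event"], []).append(rec)
    findings = []
    for event, recs in by_event.items():
        syscalls = [r for r in recs if r.get("type") == "SYSCALL"]
        for avc in recs:
            if avc.get("type") != "AVC" or "execmem" not in avc.get("perms", []):
                continue
            finding = {"event": event, "comm": avc.get("comm"), "pid": avc.get("pid"),
                       "scontext": avc.get("scontext"), "exe": None, "syscall": None}
            if syscalls:
                finding["exe"] = syscalls[0].get("exe")
                finding["syscall"] = decode_syscall(syscalls[0])
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in execmem_denials(AUDIT_LINES):
        print(finding)
```

Run it as-is to print one finding per execmem denial; to examine a live system, replace AUDIT_LINES with the output of `ausearch -m AVC,SYSCALL` (the records have the same format). The exe= field of the SYSCALL record is what answers Daniel's question about which component is responsible: it names the program image that made the call, whereas the setroubleshoot summary only reports the process name.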