Bug 157133

Summary: I'm not able to run Mozilla after selinux-policy-targeted update
Product: [Fedora] Fedora
Reporter: Dawid Gajownik <gajownik>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: 3
CC: djuran, fountainspirit
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2005-06-13 16:55:29 UTC

Description Dawid Gajownik 2005-05-07 10:46:32 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8b) Gecko/20050217

Description of problem:
I've installed selinux-policy-targeted-1.17.30-3.2 from updates-testing and now I'm not able to run Mozilla from mozilla.org (I like testing new software, so that's why I use that version). Here are the messages:

[y4kk0@X unb-pl]$ /usr/local/mozilla/mozilla
/usr/local/mozilla/mozilla-bin: error while loading shared libraries: /usr/local/mozilla/libxpcom_core.so: cannot restore segment prot after reloc: Permission denied
[y4kk0@X unb-pl]$

dmesg:
[snip]
lp0: using parport0 (interrupt-driven).
lp0: console ready
audit(1115462123.958:0): avc:  granted  { load_policy } for  pid=5478 exe=/usr/sbin/load_policy scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
security:  3 users, 4 roles, 344 types, 29 bools
security:  55 classes, 14844 rules
audit(1115462149.271:0): avc:  denied  { execmod } for  pid=5533 comm=mozilla-bin path=/usr/local/mozilla/libxpcom_core.so dev=hda5 ino=422994 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file
[y4kk0@X ~]$

Should this be fixed in Mozilla or in the selinux-policy-targeted package?

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-3.2

How reproducible:
Always

Steps to Reproduce:
1. install new selinux-policy-targeted package
2. run Mozilla from mozilla.org
  

Additional info:

Everything works fine with selinux-policy-targeted-1.17.30-2.96 RPM.

Comment 1 Daniel Walsh 2005-05-07 11:57:29 UTC
chcon -t texrel_shlib_t /usr/local/mozilla/libxpcom_core.so
setsebool -P allow_execmod=1


Comment 2 Dawid Gajownik 2005-05-07 12:19:26 UTC
Thanks for the quick response. Your advice was really helpful -- now I can run
Mozilla with 'setenforce 1' :)

After entering those commands and launching mozilla, new avc message appeared:

audit(1115467542.721:0): avc:  denied  { execmod } for  pid=7056
comm=mozilla-bin path=/usr/local/mozilla/components/libqfaservices.so dev=hda5
ino=457824 scontext=user_u:system_r:unconfined_t
tcontext=system_u:object_r:usr_t tclass=file

I ran:

chcon -t texrel_shlib_t /usr/local/mozilla/components/libqfaservices.so

and everything works fine B)

Comment 3 Dawid Gajownik 2005-05-07 15:46:58 UTC
Just FYI (I know that proprietary programs are not supported):

audit(1115473906.013:0): avc:  denied  { execmod } for  pid=8270
comm=mozilla-bin path=/usr/local/mozilla/plugins/libflashplayer.so dev=hda5
ino=457814 scontext=user_u:system_r:unconfined_t
tcontext=system_u:object_r:usr_t tclass=file



Comment 4 Dawid Gajownik 2005-05-07 16:21:41 UTC
Another one:

audit(1115482727.732:0): avc:  denied  { execmod } for  pid=28821
comm=soffice.bin path=/opt/openoffice.org1.9.100/program/libicudata.so.26.0.1
dev=hda5 ino=3543 scontext=user_u:system_r:unconfined_t
tcontext=system_u:object_r:usr_t tclass=file

(sorry for bothering you)
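
The same execmod denial keeps turning up for one library after another (comments 1 through 4), and each one is fixed the same way, with the chcon from comment 1. The script below is an added example, not part of the bug report or of the selinux-policy package: it reads AVC lines as dmesg prints them (one per line; the comments above wrap them for display), picks out the files denied execmod, and prints the matching chcon commands without running them. The sample input is constructed from the denials quoted in this report, plus the httpd write denial from comment 5, which is not an execmod problem and must not be relabeled.

```shell
#!/bin/sh
# Added example (not from the bug report): turn execmod AVC denials into the
# "chcon -t texrel_shlib_t" commands suggested in comment 1.
# Assumes audit lines arrive one per line, as dmesg prints them.

# Constructed sample: execmod denials from comments 2-4 (one duplicated, as a
# second launch would produce) and the unrelated httpd write denial from comment 5.
SAMPLE_AVC='audit(1115462149.271:0): avc:  denied  { execmod } for  pid=5533 comm=mozilla-bin path=/usr/local/mozilla/libxpcom_core.so dev=hda5 ino=422994 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file
audit(1115467542.721:0): avc:  denied  { execmod } for  pid=7056 comm=mozilla-bin path=/usr/local/mozilla/components/libqfaservices.so dev=hda5 ino=457824 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file
audit(1115467542.721:0): avc:  denied  { execmod } for  pid=7056 comm=mozilla-bin path=/usr/local/mozilla/components/libqfaservices.so dev=hda5 ino=457824 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file
audit(1115473906.013:0): avc:  denied  { execmod } for  pid=8270 comm=mozilla-bin path=/usr/local/mozilla/plugins/libflashplayer.so dev=hda5 ino=457814 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file
audit(1115548693.535:0): avc:  denied  { write } for  pid=4431 exe=/usr/sbin/httpd name=ip.log dev=hda6 ino=237641 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file'

# Distinct files that were denied execmod (repeated denials collapse to one).
# Only "execmod" on tclass=file qualifies; other denials are left alone.
execmod_paths() {
  grep 'avc: *denied *{ execmod }' \
    | grep 'tclass=file' \
    | sed -n 's/.* path=\([^ ]*\) .*/\1/p' \
    | LC_ALL=C sort -u
}

# Emit the relabel commands. Nothing is executed: review, then paste as root.
execmod_fixes() {
  execmod_paths | while IFS= read -r p; do
    printf 'chcon -t texrel_shlib_t %s\n' "$p"
  done
}

# Directories the denied files live in. If they all sit under one tree, the
# whole tree is probably labeled usr_t and a per-file chcon is only a stopgap.
execmod_dirs() {
  execmod_paths | sed 's|/[^/]*$||' | LC_ALL=C sort -u
}

# Usage on a live box: dmesg | execmod_fixes
printf '%s\n' "$SAMPLE_AVC" | execmod_fixes
```

Two caveats a practitioner will want. First, `chcon` changes only the label on the inode; a full relabel (the `touch /.autorelabel && reboot` step used later in this report) resets every file to whatever the policy's file_contexts says, so a chcon-only fix disappears after a relabel. Second, texrel_shlib_t plus `allow_execmod=1` tells the kernel to permit text relocations in those libraries; that is the right fix for a prebuilt library that genuinely needs them, not a label to spray over every denied file without checking what it is.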

Comment 5 Dawid Gajownik 2005-05-08 10:49:07 UTC
I also noticed that my test forum stopped working (everything was fine with
selinux-policy-targeted-1.17.30-2.96):

audit(1115548693.535:0): avc:  denied  { write } for  pid=4431
exe=/usr/sbin/httpd name=ip.log dev=hda6 ino=237641
scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t
tclass=file
audit(1115548693.736:0): avc:  denied  { append } for  pid=4431
exe=/usr/sbin/httpd name=board-2005-05-08.log dev=hda6 ino=237745
scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_sys_content_t
tclass=file

[y4kk0@X unb_log]$ ls -Z
-rw-r--r--  apache   apache   root:object_r:httpd_sys_content_t board-2005-05-04.log
-rw-r--r--  apache   apache   root:object_r:httpd_sys_content_t board-2005-05-05.log
-rw-r--r--  apache   apache   root:object_r:httpd_sys_content_t board-2005-05-06.log
-rw-r--r--  apache   apache   root:object_r:httpd_sys_content_t board-2005-05-07.log
-rw-r--r--  apache   apache   root:object_r:httpd_sys_content_t board-2005-05-08.log
-rw-r--r--  apache   apache   root:object_r:httpd_sys_content_t error-2005-05.log
-rw-r--r--  apache   apache   system_u:object_r:httpd_user_content_t ip.log
[y4kk0@X unb_log]$

Maybe it should be documented that there can be such problems (and of course
how to fix them) if you want to make such big changes in the
selinux-policy-targeted package.

Comment 6 Daniel Walsh 2005-05-09 14:32:20 UTC
This is probably a boolean problem.  Can you show me your 
getsebool -a | grep http

These are test releases which I am looking for problems with.  I am trying to
see if we can update FC3/RHEL4 targets to match Rawhide.

Dan



Comment 7 Dawid Gajownik 2005-05-09 14:47:46 UTC
Of course I can :]

[root@X ~]# getsebool -a | grep http
httpd_builtin_scripting --> inactive
httpd_can_network_connect --> inactive
httpd_disable_trans --> inactive
httpd_enable_cgi --> active
httpd_enable_homedirs --> active
httpd_ssi_exec --> active
httpd_tty_comm --> inactive
httpd_unified --> active
[root@X ~]#

Comment 8 Daniel Walsh 2005-05-09 15:05:55 UTC
Try
setsebool -P httpd_builtin_scripting=1

And see if this solves your problem.  I think I need to default this to on, so I
don't break anything.

Dan

Comment 9 Dawid Gajownik 2005-05-09 15:50:55 UTC
Changing this boolean to true resolves the problem. Thanks!

BTW how can I revert all the changes to the default values after updating
selinux-policy-targeted package, so that I could be able to test this package
properly?

Comment 10 Daniel Walsh 2005-05-09 15:56:03 UTC
In Rawhide (FC4) we added the concept of booleans.local to allow users to
customize the policy on the fly and still allow us to update the booleans file.
So you could remove booleans.local and you would get the default configuration.
In order to get the same behaviour in FC3/RHEL4 currently you could remove the
booleans file before updating policy and then you would get the default booleans
file in the policy file.

I hope to update RHEL4 with the booleans.local changes in U2.

Dan
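
The layering Dan describes in comment 10 (shipped defaults in the booleans file, local changes in booleans.local, remove booleans.local to get back to defaults) is easy to model. The script below is an added example, not code from the bug report or from the selinux-policy package, and it makes one assumption the page does not state: that both files hold one `name=0|1` line per boolean and that a name in booleans.local wins over the same name in booleans. Both files here are constructed stand-ins in a temp directory, with values taken from comment 7 and the change from comment 8.

```shell
#!/bin/sh
# Added example (not from the bug report): the booleans / booleans.local
# layering described in comment 10, modelled on two constructed files.
# Assumption not stated on the page: one "name=0|1" line per boolean in each
# file, and booleans.local overrides the shipped booleans file.

TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT

# Constructed stand-in for /etc/selinux/targeted/booleans (shipped defaults),
# values as shown by getsebool in comment 7.
printf '%s\n' 'httpd_builtin_scripting=0' 'httpd_enable_cgi=1' 'httpd_unified=1' \
  > "$TMPD/booleans"
# Constructed stand-in for booleans.local after the admin applied comment 8.
printf '%s\n' 'httpd_builtin_scripting=1' > "$TMPD/booleans.local"

# Effective values: defaults first, then the overlay if it exists. For a name
# that appears twice the later line wins; first-appearance order is kept.
effective_booleans() {
  defaults=$1; overlay=$2
  { cat "$defaults"; if [ -f "$overlay" ]; then cat "$overlay"; fi; } \
    | awk -F= '/^[a-z0-9_]+=[01]$/ {
          if (!($1 in v)) order[++n] = $1
          v[$1] = $2
        }
        END { for (i = 1; i <= n; i++) printf "%s=%s\n", order[i], v[order[i]] }'
}

# Value of one boolean under the layered view, or "missing" if unknown.
# Usage: boolean_value NAME DEFAULTS_FILE OVERLAY_FILE
boolean_value() {
  effective_booleans "$2" "$3" \
    | awk -F= -v name="$1" '$1 == name { print $2; found = 1 }
                            END { if (!found) print "missing" }'
}

# Booleans whose effective value differs from the shipped default, i.e. what
# would be lost by deleting booleans.local to reset to defaults.
local_overrides() {
  effective_booleans "$1" "$2" \
    | awk -F= '
        NR == FNR { def[$1] = $2; next }
        ($1 in def) && def[$1] != $2 {
          printf "%s: default %s, local %s\n", $1, def[$1], $2
        }' "$1" -
}

# With the overlay in place, then after "removing" it (pointing at no file).
effective_booleans "$TMPD/booleans" "$TMPD/booleans.local"
local_overrides "$TMPD/booleans" "$TMPD/booleans.local"
effective_booleans "$TMPD/booleans" "$TMPD/no-such-file"
```

Running `local_overrides` before a policy update is the check worth keeping: it lists exactly the settings a reset to defaults would drop, so you know what to re-apply (or what to stop carrying) once the new package is in.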

Comment 11 Dawid Gajownik 2005-06-13 16:55:29 UTC
Well, I have removed /etc/selinux/targeted/booleans and downgraded
selinux-policy-targeted to 1.17.30-2.96. My next step was "touch /.autorelabel
&& reboot". After all I upgraded selinux-policy-targeted to 1.17.30-3.2.

Mozilla+Flash and my forum work OK. Only OOo 1.9.104 from openoffice.org still
crashes:

[y4kk0@X ~]$ soffice
/etc/openoffice.org-1.9/program/soffice.bin: error while loading shared
libraries: /opt/openoffice.org1.9.104/program/libicudata.so.26: cannot restore
segment prot after reloc: Permission denied
[y4kk0@X ~]$

I'm closing this bug, because I'm switching to FC4 and I won't be able to test
next packages. Feel free to open it if you like :)

Thanks for fixing the problem with Mozilla!

Comment 12 Henry Shu 2005-06-14 19:16:28 UTC
(In reply to comment #11)
> Well, I have removed /etc/selinux/targeted/booleans and downgraded
> selinux-policy-targeted to 1.17.30-2.96. My next step was "touch /.autorelabel
> && reboot". After all I upgraded selinux-policy-targeted to 1.17.30-3.2.

How do you downgrade selinux-policy-targeted?  I just updated selinux yesterday,
and then suddenly Matlab couldn't launch.  Originally, I thought the problem was
with Matlab, so I uninstalled Matlab and tried to (re)install it.  However, I
can't install it anymore.  When I try to install, it gives me the following
errors, which I now believe are due to the selinux update.

================================================================================
[root@localhost matlab704]#
/root/Desktop/HenryStuff/Downloads/Matlab701SP2/Matlab_R14_SP2/cd1/CD1/install
-------------------------------------------------------------------

    An error status was returned by the program 'xsetup',
    the X Window System version of 'install'. The following
    messages were written to standard error:

        /tmp/6261tmwinstall/update/bin/glnx86/xsetup: error while loading shared
libraries: /tmp/6261tmwinstall/update/bin/glnx86/libmwins.so: cannot restore
segment prot after reloc: Permission denied

    Attempt to fix the problem and try again. If X is not available
    or 'xsetup' cannot be made to work then try the terminal
    version of 'install' using the command:

            install* -t    or    INSTALL* -t

-------------------------------------------------------------------
/tmp/6261tmwinstall/update/install/abort.sh: line 15:
/tmp/6261tmwinstall/update/install/cleanup.sh: No such file or directory
[root@localhost matlab704]#

Thank you for your feedback!
Henry
================================================================================


Comment 13 Dawid Gajownik 2005-06-14 20:34:44 UTC
rpm -Uvh selinux-policy-targeted-some_numbers.rpm --oldpackage

If you have problems with installing Matlab, you can always switch SELinux to
permissive mode just for installation time:

setenforce 0

Afterwards, switch it back to enforcing mode:

setenforce 1

BTW there is a new package in updates-testing:
http://www.redhat.com/archives/fedora-test-list/2005-June/msg00555.html Maybe
this one will resolve your problem:

yum --enablerepo=updates-testing update selinux-policy-targeted

Hope that helps.