Bug 201648
| Field | Value |
|---|---|
| Summary | Seamonkey does not start with selinux set to enforced |
| Product | [Fedora] Fedora |
| Reporter | Gérard Milmeister <gemi> |
| Component | seamonkey |
| Assignee | Kai Engert (:kaie) (inactive account) <kengert> |
| Status | CLOSED NOTABUG |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | medium |
| Priority | medium |
| Version | 5 |
| CC | caillon, extras-qa, jim.cornette |
| Hardware | i386 |
| OS | Linux |
| Doc Type | Bug Fix |
| Last Closed | 2006-08-15 17:05:57 UTC |

Description
Gérard Milmeister
2006-08-07 22:09:50 UTC
I am seeing the exact same thing and strace confirms.

Forgot to add: seamonkey-1.0.4-0.5.1.fc5

Adding myself to the list. I am having to set SELinux to permissive in order for seamonkey to load.

Created attachment 134170: contains errors related to seamonkey failure

This problem has been noted by several users and other users have been
installing the installer version instead of using the rpm version since it does
not start. Other people just see it not starting. A lot of users are impacted
by this problem.

So after some research, I am able to explain what is going on.

In the first place I had suspected a change in the application code, because Seamonkey 1.0.2 starts fine in enforcing mode - the 1.0.4 rpm code does not. But why does Firefox work? I suspected a difference at the source level. But comparing the source we compile for Firefox 1.5.0.6 and Seamonkey 1.0.4 shows, there are only minimal unrelated differences.

Researching more, I learned that shared libraries in both packages have the same behaviour with regards to selinux. But only the Seamonkey libraries trigger the exception. This confused me.

Finally I learned that Firefox (and Thunderbird) work, because the selinux-policy does explicitly allow the libraries in those applications to do "execmod". I was not aware of that exception! Obviously somebody has already made the decision that fixing the Mozilla code is too difficult and opted for the exception in the policy.

Therefore I propose to file a bug about the selinux policy in order to add the same exception for the Seamonkey application, as it is in place for Firefox and Thunderbird.

I will file such a bug next.

I'm closing this as NOTABUG, because there is no bug in Seamonkey.

I am left with the question, why the .so files in our Seamonkey 1.0.2 package do not have that execmod requirement. And it seems, binaries produced by mozilla.org do not either. I guess the cause is the use of a different compilation environment.

I have mozilla-1.7.13-1.1.fc5 installed also. Mozilla seems to work with SELinux in enforcing. Why seamonkey-1.0.4-0.5.1.fc5 does not work is beyond what I could think of. ls -lZ shows that the below files have particular content. I know how to disable SELinux or put it into permissive mode. I do not know how to make the content match for the desired rules. I notice that mozilla does not have a version of this .so file. The errors in my audit log flag this .so file more than any other message in the log. Thanks for your investigation.

```
locate libxpcom_core.so
/usr/lib/firefox-1.5.0.6/libxpcom_core.so
/usr/lib/seamonkey-1.0.4/libxpcom_core.so
/usr/lib/thunderbird-1.5.0.5/libxpcom_core.so
[root@dell-cornette ~]# ls -lZ /usr/lib/firefox-1.5.0.6/libxpcom_core.so
-rwxr-xr-x root root system_u:object_r:textrel_shlib_t /usr/lib/firefox-1.5.0.6/libxpcom_core.so
[root@dell-cornette ~]# ls -lZ /usr/lib/seamonkey-1.0.4/libxpcom_core.so
-rwxr-xr-x root root system_u:object_r:lib_t /usr/lib/seamonkey-1.0.4/libxpcom_core.so
[root@dell-cornette ~]# ls -lZ /usr/lib/thunderbird-1.5.0.5/libxpcom_core.so
-rwxr-xr-x root root system_u:object_r:textrel_shlib_t /usr/lib/thunderbird-1.5.0.5/libxpcom_core.so
```

> Therefore I propose to file a bug about the selinux policy in order to add the
> same exception for the Seamonkey application, as it is in place for Firefox and
> Thunderbird.
>
> I will file such a bug next.

Bug 202642

Jim, until bug 202642 gets fixed, a workaround is to explicitly allow textrel for seamonkey .so files: (use at your own risk)

```
root> find /usr/lib/seamonkey-1.0.4/ -name \*.so | xargs chcon -t textrel_shlib_t
```

Thanks for the use at my own risk information posted in comment #8. It may be risky, but it does allow seamonkey to function and selinux protection for the other system factors. I'll track bug 202642 for progress.

There was discussion on the fedora-list regarding this effect on seamonkey rpms. A link to the start of the thread is listed below.
https://www.redhat.com/archives/fedora-list/2006-August/msg01448.html
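
An added example, not part of the original bug report: one way to summarise which libraries the audit log flags for `execmod` and under which SELinux type, the correlation the comments above reach by hand with `ls -lZ`. The audit records are constructed samples (timestamps, pids and inodes are invented) and `libexample.so` is a hypothetical name.

```shell
#!/bin/sh
# Summarise SELinux "execmod" denials per file name and target type.

# Constructed sample audit records; on a real host feed
# /var/log/audit/audit.log to execmod_denials instead.
sample_audit() {
cat <<'EOF'
type=AVC msg=audit(1155000001.101:41): avc:  denied  { execmod } for  pid=2501 comm="seamonkey-bin" name="libxpcom_core.so" dev=dm-0 ino=100001 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1155000001.101:41): arch=40000003 syscall=125 success=no exit=-13 comm="seamonkey-bin"
type=AVC msg=audit(1155000001.140:42): avc:  denied  { execmod } for  pid=2501 comm="seamonkey-bin" name="libxpcom_core.so" dev=dm-0 ino=100001 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1155000002.007:43): avc:  denied  { read } for  pid=2600 comm="example" name="prefs.js" dev=dm-0 ino=100050 scontext=user_u:system_r:example_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1155000003.310:44): avc:  denied  { execmod } for  pid=2501 comm="seamonkey-bin" name="libexample.so" dev=dm-0 ino=100002 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
EOF
}

# Reads audit records on stdin and prints "<count> <file name> <target type>",
# most frequently denied file first. Only AVC records whose permission set
# contains execmod are counted; other denials and record types are skipped.
execmod_denials() {
  awk '
    $1 == "type=AVC" && index($0, "denied") && index($0, " execmod ") {
      name = "?"; ttype = "?"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^name=/) {            # name="libfoo.so" -> libfoo.so
          name = substr($i, 6); gsub(/"/, "", name)
        }
        if ($i ~ /^tcontext=/) {        # user:role:type[:level] -> type
          split(substr($i, 10), ctx, ":"); ttype = ctx[3]
        }
      }
      seen[name " " ttype]++
    }
    END { for (k in seen) print seen[k], k }
  ' | sort -k1,1nr -k2
}

sample_audit | execmod_denials
```

Files reported with type `lib_t` are the ones the relabel workaround in the thread targets; a file already labelled `textrel_shlib_t` should not appear in this list under the policy exception described above.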