Bug 304421

Summary: SE Linux warning
Product: [Fedora] Fedora
Reporter: Austin <aa_sb_0>
Component: firefox
Assignee: Christopher Aillon <caillon>
Status: CLOSED NEXTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: 7
CC: gecko-bugs-nobody, mcepl
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: pleaForReproductionFF3
Doc Type: Bug Fix
Last Closed: 2008-02-28 15:02:36 UTC
Attachments:
Additional information from the SE Troubleshooter browser (flags: none)
selinux description of requested bug report on firefox (flags: none)

Description Austin 2007-09-25 03:34:57 UTC
Description of problem:
SELinux is preventing /usr/local/firefox/firefox-bin from loading
/usr/local/firefox/extensions/talkback/components/libqfaservices.so
which requires text relocation.

Version-Release number of selected component (if applicable):
2.0.0.6

How reproducible:
Every time I start firefox.

Steps to Reproduce:
1. Load firefox (either from CLI, or the "Web Browser" button on the "task bar")
2. Wait for it to load, and observe the yellow Star show up in the status bar
(clock, updates available, etc)
3. Open SE Trouble shoot browser and read the warning.
  
Actual results:
The above

Expected results:
For this warning not to happen.

Additional info:
The /usr/local/firefox/firefox-bin application attempted to load
/usr/local/firefox/extensions/talkback/components/libqfaservices.so
which requires text relocation. This is a potential security problem. Most
libraries do not need this permission. Libraries are sometimes coded incorrectly
and request this permission. The SELinux Memory Protection Tests web page
explains how to remove this requirement. You can configure SELinux temporarily
to allow
/usr/local/firefox/extensions/talkback/components/libqfaservices.so
to use relocation as a workaround, until the library is fixed. Please file a bug
report against this package.

Allowing Access
===============
If you trust
/usr/local/firefox/extensions/talkback/components/libqfaservices.so
to run correctly, you can change the file context to textrel_shlib_t.
"chcon -t textrel_shlib_t
/usr/local/firefox/extensions/talkback/components/libqfaservices.so"

The following command will allow this access:
chcon -t textrel_shlib_t
/usr/local/firefox/extensions/talkback/components/libqfaservices.so

Comment 1 Austin 2007-09-25 03:34:57 UTC
Created attachment 204791 [details]
Additional information from the SE Troubleshooter browser

Comment 2 jerry stutte 2007-09-26 22:03:21 UTC
Created attachment 207691 [details]
selinux description of requested bug report on firefox

First occurrence was noticed post install of fc7, install was followed by 
firefox install and kernel update.

SELinux reported the incident while installing google earth


Similar problem,

SELinux is preventing /usr/lib/firefox-2.0.0.5/firefox-bin from loading
/usr/lib/firefox-2.0.0.5/plugins/nppdf.so which requires text relocation.

Detailed Description
The /usr/lib/firefox-2.0.0.5/firefox-bin application
attempted to load /usr/lib/firefox-2.0.0.5/plugins/nppdf.so which requires text
relocation. This is a potential security problem. Most libraries do not need
this permission. Libraries are sometimes coded incorrectly and request this
permission. 

This SELinux trouble shooter report is very similar to Bug 304421

Q: When applying the temporary fix/workaround suggested by the SELinux trouble
shooter, what is the probability of a security breach until the lib's text
relocation code is addressed?

Please file a bug report against this package.

Allowing Access
If you trust /usr/lib/firefox-2.0.0.5/plugins/nppdf.so to run correctly, you can
change the file context to textrel_shlib_t.
"chcon -t textrel_shlib_t /usr/lib/firefox-2.0.0.5/plugins/nppdf.so"

The following command will allow this access:
chcon -t textrel_shlib_t /usr/lib/firefox-2.0.0.5/plugins/nppdf.so

Comment 3 Matěj Cepl 2008-02-21 22:35:12 UTC
At this point, we're going to only be taking security fixes and major stability
fixes into this release of Fedora.  However, we still want to ensure the bug is
fixed in the next version.  We'd appreciate if you could test Firefox 3,
available at http://www.mozilla.com/en-US/firefox/all-beta.html or now shipping
as the default in Fedora rawhide and provide feedback as to whether it still
exists so we can file a ticket upstream to try to fix it in Firefox 3 before it
is released.

Comment 4 Matěj Cepl 2008-02-21 22:36:34 UTC
At this point, we're going to only be taking security fixes and major stability
fixes into this release of Fedora.  However, we still want to ensure the bug is
fixed in the next version.  We'd appreciate if you could test Firefox 3,
available at http://www.mozilla.com/en-US/firefox/all-beta.html or now shipping
as the default in Fedora rawhide and provide feedback as to whether it still
exists so we can file a ticket upstream to try to fix it in Firefox 3 before it
is released.

Comment 5 Austin 2008-02-28 04:02:04 UTC
I've tried out Firefox 3 beta 3 and it does not appear to generate any SE Linux
alerts. At least none appeared to be logged in var log messages.

Comment 6 Matěj Cepl 2008-02-28 15:02:36 UTC
Thanks for letting us know.