Bug 432198
| Summary: | firefox and selinux exec stack | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Antonio A. Olivares <olivares14031> |
| Component: | firefox | Assignee: | Gecko Maintainer <gecko-bugs-nobody> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | 9 | CC: | dwalsh, lordmorgul, mcepl |
| Target Milestone: | --- | Keywords: | SELinux |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2008-12-24 11:23:45 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Antonio A. Olivares
2008-02-09 18:44:20 UTC
Need to look at your plugins and make sure you're loading the correct versions you expect to be (for instance an old flash lib .so in your ~/.mozilla somewhere could be getting loaded... one that needs executable stack. I do not see this happening with those versions and I do not have it permitted. Firefox should not be allowed to do that. OK, I am not sure that firefox is that blameless, but certainly we would need you to move your ~/.mozilla folder somewhere else or rename it and then start firefox again -- does the problem appears again? Also, if it is possible for you -- could you download firefox 3 beta 2 from the upstream (http://www.mozilla.com/en-US/firefox/all-beta.html) and then tell us whether you are able to reproduce it with that as well? Yes, I have done as you suggested, still selinux still does the same thing :(
I tried 2-3 hours ago to post my findings, but CPU ran wild up to 99% and I had
to close it :(
Here's what happened
Script started on Mon 11 Feb 2008 04:06:08 PM CST
]0;olivares@localhost:~[?1034h[olivares@localhost ~]$ rm -r[K[K[K[K[Kcp
!~[K[K~/.mozilla//[K* ~/.mozilla/[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[Kmkdir
.mozilla/[K2
]0;olivares@localhost:~[olivares@localhost ~]$ cp
!~[K[K~[K~/.mozilla//[K* ~![K[K~/.mozilla2/
cp: omitting directory `/home/olivares/.mozilla/default'
cp: omitting directory `/home/olivares/.mozilla/extensions'
cp: omitting directory `/home/olivares/.mozilla/firefox'
cp: omitting directory `/home/olivares/.mozilla/plugins'
]0;olivares@localhost:~[olivares@localhost ~]$ cp ~/.mozilla/* ~/.mozilla2/[C[C[1@-[1@r[1@a[1@
[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C
]0;olivares@localhost:~[olivares@localhost ~]$ cd .mozilla2/
]0;olivares@localhost:~/.mozilla2[olivares@localhost .mozilla2]$ ls
[00m[00mappreg[00m [00;34mextensions[00m [00mmozver.dat[00m
[00mmplayerplug-in.types[00m [00;34mplugins[00m
[00;34mdefault[00m [00;34mfirefox[00m [00mmplayerplug-in.conf[00m
[00mpluginreg.dat[00m
[m]0;olivares@localhost:~/.mozilla2[olivares@localhost .mozilla2]$ cd ..
]0;olivares@localhost:~[olivares@localhost ~]$ ls
[00m[00;32malarm[00m [00mgdmversion.txt[00m
[00;34mPictures[00m
[00malarm~[00m [00mgnome-mount-bugreport2.txt[00m
[00;34mPublic[00m
[00;32malarm2[00m [00mgnome-mount-bugreport.txt[00m
[00mselinux_alert-20071111-1.txt[00m
[00maltahif[00m [00;34mlib[00m
[00mselinux_alert-20071111-2.txt[00m
[00;34mbin[00m [00mlivecd-fedora.pdf[00m
[00mselinux_alert-20071111-3.txt[00m
[00mbugbuddy1.txt[00m [00mmaxout.gnuplot[00m [00;34mshare[00m
[00mbugbuddy1.txt~[00m [00mmaxout.gnuplot_pipes[00m
[00;34mSoccer[00m
[00mcannotstartx.txt[00m [00mmbox[00m
[00;34mTemplates[00m
[00;34mDesktop[00m [00;34mMusic[00m
[00mtestgdm1.txt[00m
[00;34mDocuments[00m [00mnautilus-debug-log.txt[00m
[00;34mtmp[00m
[00;34mDownloads[00m [00mnokde-1.txt[00m
[00;34mVideos[00m
[m]0;olivares@localhost:~[olivares@localhost ~]$ exit
exit
Script done on Mon 11 Feb 2008 04:07:49 PM CST
top - 16:13:25 up 1:39, 2 users, load average: 1.07, 0.71, 0.37
Tasks: 126 total, 2 running, 124 sleeping, 0 stopped, 0 zombie
Cpu(s): 93.1%us, 6.2%sy, 0.0%ni, 0.0%id, 0.0%wa, 0.0%hi, 0.7%si, 0.0%st
Mem: 767516k total, 690100k used, 77416k free, 20912k buffers
Swap: 3114416k total, 0k used, 3114416k free, 348420k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
3167 olivares 20 0 184m 68m 25m R 85.0 9.1 1:03.99 firefox
2368 root 20 0 188m 25m 9408 S 6.3 3.4 3:28.46 Xorg
3199 olivares 20 0 46452 16m 10m S 2.6 2.2 0:00.37 gnome-terminal
2703 olivares 20 0 19372 2780 1940 S 1.3 0.4 0:04.48 gnome-screensav
2684 olivares 20 0 14840 4560 3756 S 1.0 0.6 0:22.47 at-spi-registry
2724 olivares 20 0 25228 12m 8608 S 1.0 1.6 0:58.77 gkrellm
3238 olivares 20 0 2384 1044 820 R 0.7 0.1 0:00.13 top
488 root 15 -5 0 0 0 S 0.3 0.0 0:01.22 scsi_eh_1
2719 olivares 20 0 25416 13m 9160 S 0.3 1.8 0:04.07 metacity
2770 olivares 20 0 68668 30m 16m S 0.3 4.0 0:03.10 /usr/bin/sealer
3192 olivares 20 0 55908 20m 13m S 0.3 2.7 0:04.47 gedit
1 root 20 0 2224 664 576 S 0.0 0.1 0:02.34 init
2 root 15 -5 0 0 0 S 0.0 0.0 0:00.00 kthreadd
3 root RT -5 0 0 0 S 0.0 0.0 0:00.00 migration/0
4 root 15 -5 0 0 0 S 0.0 0.0 0:00.00 ksoftirqd/0
5 root RT -5 0 0 0 S 0.0 0.0 0:00.00 watchdog/0
6 root 15 -5 0 0 0 S 0.0 0.0 0:00.06 events/0
top - 16:13:25 up 1:39, 2 users, load average: 1.07, 0.71, 0.37
Tasks: 126 total, 2 running, 124 sleeping, 0 stopped, 0 zombie
Cpu(s): 93.1%us, 6.2%sy, 0.0%ni, 0.0%id, 0.0%wa, 0.0%hi, 0.7%si, 0.0%st
Mem: 767516k total, 690100k used, 77416k free, 20912k buffers
Swap: 3114416k total, 0k used, 3114416k free, 348420k cached
Summary:
SELinux is preventing firefox from making the program stack executable.
Detailed Description:
The firefox application attempted to make its stack executable. This is a
potential security problem. This should never ever be necessary. Stack memory is
not executable on most OSes these days and this will not change. Executable
stack memory is one of the biggest security problems. An execstack error might
in fact be most likely raised by malicious code. Applications are sometimes
coded incorrectly and request this permission. The SELinux Memory Protection
Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how
to remove this requirement. If firefox does not work and you need it to work,
you can configure SELinux temporarily to allow this access until the application
is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Allowing Access:
Sometimes a library is accidentally marked with the execstack flag, if you find
a library with this flag you can clear it with the execstack -c LIBRARY_PATH.
Then retry your application. If the app continues to not work, you can turn the
flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust firefox to
run correctly, you can change the context of the executable to
unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t
'/usr/lib/firefox-3.0b4pre/firefox'" You must also change the default file
context files on the system in order to preserve them even on a full relabel.
"semanage fcontext -a -t unconfined_execmem_exec_t
'/usr/lib/firefox-3.0b4pre/firefox'"
The following command will allow this access:
chcon -t unconfined_execmem_exec_t '/usr/lib/firefox-3.0b4pre/firefox'
Additional Information:
Source Context unconfined_u:unconfined_r:unconfined_t:SystemLow-
SystemHigh
Target Context unconfined_u:unconfined_r:unconfined_t:SystemLow-
SystemHigh
Target Objects None [ process ]
Source firefox
Source Path /usr/lib/firefox-3.0b3pre/firefox
Port <Unknown>
Host localhost
Source RPM Packages firefox-3.0-0.beta2.18.nightly20080210.fc9
Target RPM Packages
Policy RPM selinux-policy-3.2.7-1.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name allow_execstack
Host Name localhost
Platform Linux localhost 2.6.24.1-28.fc9 #1 SMP Sun Feb 10
17:27:37 EST 2008 i686 athlon
Alert Count 29
First Seen Fri 01 Feb 2008 05:08:54 PM CST
Last Seen Mon 11 Feb 2008 04:10:35 PM CST
Local ID c4806f30-a6dc-43b0-8901-5531075795f7
Line Numbers
Raw Audit Messages
host=localhost type=AVC msg=audit(1202767835.617:27): avc: denied { execstack
} for pid=3167 comm="firefox"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
host=localhost type=SYSCALL msg=audit(1202767835.617:27): arch=40000003
syscall=125 success=no exit=-13 a0=bf828000 a1=1000 a2=1000007 a3=fffff000
items=0 ppid=3153 pid=3167 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500
egid=500 sgid=500 fsgid=500 tty=(none) comm="firefox"
exe="/usr/lib/firefox-3.0b4pre/firefox"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
BTW,
this selinux stack exec in firefox, is joined now by the one in seamonkey :(
Changing version to '9' as part of upcoming Fedora 9 GA. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping Reporter, are you able to reproduce this issue with the latest package from your distribution? Well apparently the package of firefox has been replaced by minefield again, with firefox 3.1 or 3.2b1 or something like that. I have not seen this problem for a while now, so I can't complain. |