Bug 524173

Summary: setroubleshoot: SELinux is preventing /usr/lib/firefox-3.5.3/firefox from changing a writable memory segment executable.
Product: Fedora
Reporter: Hongwen Qiu <tsukinokage>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: rawhide
CC: axet, david.dubrovic, dwalsh, jkubin, loadgold, mgrepl, ogre, placeholder, spowd
Hardware: i386
OS: Linux
Whiteboard: setroubleshoot_trace_hash:899ae2289c1d6b4a202e8033c62f68df9f285d1a9ff10dcc5fd5f4c5d9859350
Doc Type: Bug Fix
Last Closed: 2009-09-18 12:02:51 UTC

Description Hongwen Qiu 2009-09-18 08:16:06 UTC
The following was filed automatically by setroubleshoot:

Summary:

SELinux is preventing /usr/lib/firefox-3.5.3/firefox from changing a writable
memory segment executable.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

The firefox application attempted to change the access protection of memory
(e.g., allocated using malloc). This is a potential security problem.
Applications should not be doing this. Applications are sometimes coded
incorrectly and request this permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. If firefox does not work and you need it to work, you
can configure SELinux temporarily to allow this access until the application is
fixed. Please file a bug report against this package.

Allowing Access:

If you trust firefox to run correctly, you can change the context of the
executable to execmem_exec_t. "chcon -t execmem_exec_t
'/usr/lib/firefox-3.5.3/firefox'". You must also change the default file context
files on the system in order to preserve them even on a full relabel. "semanage
fcontext -a -t execmem_exec_t '/usr/lib/firefox-3.5.3/firefox'"

Fix Command:

chcon -t execmem_exec_t '/usr/lib/firefox-3.5.3/firefox'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                None [ process ]
Source                        mutter
Source Path                   /usr/bin/mutter
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           firefox-3.5.3-1.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-1.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   allow_execmem
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31-23.fc12.i686.PAE #1 SMP Wed Sep 16 15:53:47 EDT 2009 i686 i686
Alert Count                   4
First Seen                    Fri 18 Sep 2009 13:55:23
Last Seen                     Fri 18 Sep 2009 16:09:45
Local ID                      5a8b2da7-8bea-482e-82d0-782fe1f299c5
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1253261385.990:32): avc:  denied  { execmem } for  pid=2027 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=(removed) type=SYSCALL msg=audit(1253261385.990:32): arch=40000003 syscall=125 success=yes exit=0 a0=4fbd000 a1=1000 a2=7 a3=b60e5000 items=0 ppid=2012 pid=2027 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="firefox" exe="/usr/lib/firefox-3.5.3/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)


audit2allow suggests:

#============= unconfined_t ==============
allow unconfined_t self:process execmem;
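Added example, not part of this report or of Fedora's tooling: a small Python decoder for the two audit records above. It splits the AVC and SYSCALL lines into fields, decodes the i386 mprotect arguments (syscall 125, PROT_* bits in a2) to show that a 4 KiB region was being made read/write/execute, and checks whether the process ran in the unconfined_execmem_t domain that comment 3 below says firefox should land in once the nspluginwrapper/boolean fix is in place. The audit lines are copied from this report (host name already removed there); the syscall table covers only mprotect on i386, which is all these records need.

```python
import re

# Copies of the two audit records from this report (host name already removed in the report).
AVC_LINE = ('node=(removed) type=AVC msg=audit(1253261385.990:32): avc:  denied  { execmem } '
            'for  pid=2027 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
            'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process')
SYSCALL_LINE = ('node=(removed) type=SYSCALL msg=audit(1253261385.990:32): arch=40000003 syscall=125 '
                'success=yes exit=0 a0=4fbd000 a1=1000 a2=7 a3=b60e5000 items=0 ppid=2012 pid=2027 '
                'auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 '
                'tty=(none) ses=1 comm="firefox" exe="/usr/lib/firefox-3.5.3/firefox" '
                'subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)')

# arch=40000003 is AUDIT_ARCH_I386; only the syscall this report needs is mapped here.
I386_SYSCALLS = {125: "mprotect"}
PROT_FLAGS = {1: "PROT_READ", 2: "PROT_WRITE", 4: "PROT_EXEC"}


def parse_fields(line):
    """Turn the key=value pairs of one audit record into a dict (quotes stripped)."""
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', line)
    return {key: value.strip('"') for key, value in pairs}


def parse_avc(line):
    """Fields of an AVC record plus the verdict, the permissions and the source domain."""
    record = parse_fields(line)
    verdict = re.search(r'avc:\s+(\w+)\s+\{ ([^}]+) \}', line)
    record["result"] = verdict.group(1)
    record["perms"] = verdict.group(2).split()
    record["source_domain"] = record["scontext"].split(":")[2]  # user:role:type:range
    return record


def decode_mprotect(line):
    """Decode the SYSCALL record: which call, how many bytes, and which PROT_* bits were requested."""
    record = parse_fields(line)
    prot = int(record["a2"], 16)  # audit logs syscall arguments in hex
    return {
        "syscall": I386_SYSCALLS.get(int(record["syscall"]), "unknown"),
        "length": int(record["a1"], 16),
        "prot": "|".join(name for bit, name in sorted(PROT_FLAGS.items()) if prot & bit),
        # success=yes although the AVC says "denied": the host was in permissive mode
        "allowed": record["success"] == "yes",
    }


def same_event(avc, syscall):
    """AVC and SYSCALL records belong together when they share the audit(timestamp:serial) id."""
    return parse_fields(avc)["msg"] == parse_fields(syscall)["msg"]


def runs_in_expected_domain(avc_record, expected="unconfined_execmem_t"):
    """True once firefox executes in the execmem domain instead of plain unconfined_t."""
    return avc_record["source_domain"] == expected
```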

Comment 1 Daniel Walsh 2009-09-18 12:02:51 UTC
Either install nspluginwrapper 

yum install nspluginwrapper

or set the boolean

allow_unconfined_nsplugin_transition off

setsebool -P allow_unconfined_nsplugin_transition 0

Do you have any plugins installed (flashplugin?)

Comment 2 Hongwen Qiu 2009-09-18 13:20:06 UTC
(In reply to comment #1)
> Either install nspluginwrapper 
> 
> yum install nspluginwrapper
> 
> or set the boolean
> 
> allow_unconfined_nsplugin_transition off
> 
> setsebool -P allow_unconfined_nsplugin_transition 0
> 
> Do you have any plugins installed (flashplugin?)  

Yes, I have installed flashplugin. When I tried to install nspluginwrapper, it seemed to have already been installed. And SELinux still reports the same problem even after I ran the command "setsebool -P allow_unconfined_nsplugin_transition 0".

Comment 3 Daniel Walsh 2009-09-18 13:32:02 UTC
Restart firefox.

It is currently running in unconfined_t; when you restart it, it should be running as unconfined_execmem_t.

Comment 4 Hongwen Qiu 2009-09-18 13:45:38 UTC
(In reply to comment #3)
> Restart firefox.
> 
> It is currently running in unconfined_t, when you restart it, it should be
> running as unconfined_execmem_t  

Thanks, maybe that works.