Bug 525673

Summary: setroubleshoot: SELinux is preventing firefox from making its memory writable and executable.
Product: [Fedora] Fedora Reporter: Alexey Kuznetsov <axet>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: rawhideCC: ahecox, axet, dwalsh, mgrepl, pavel.ondracka
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:782a9b57b68c5abe00c80ab2d8252096c0b57e9b2e9ed71f3559f1187c314dcf
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-10-20 21:23:24 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Alexey Kuznetsov 2009-09-25 09:03:04 UTC
The following was filed automatically by setroubleshoot:

Summary:

SELinux is preventing firefox from making its memory writable and executable.

Detailed Description:

The firefox application attempted to change the access protection of memory
(e.g., allocated using malloc). This is a potential security problem. Firefox is
probably not the problem here ,but one of its plugins. You could remove the
plugin and the app would no longer require the access. If you figure out which
plugin is causing the access request, please open a bug report on the plugin.

Allowing Access:

There are two ways to fix this problem, you can install the nsspluginwrapper
package, which will cause firefox to run its plugins under a separate process.
This process will allow the execmem access. This is the safest choice. You could
also turn off the allow_unconfined_nsplugin_transition boolean.
setsebool -P allow_unconfined_nsplugin_transition=0

Fix Command:

yum install nspluginwrapper

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Objects                None [ process ]
Source                        firefox
Source Path                   /usr/lib/firefox-3.5.3/firefox
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           firefox-3.5.3-1.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-8.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   firefox
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31-40.fc12.i686 #1
                              SMP Wed Sep 23 18:05:20 EDT 2009 i686 i686
Alert Count                   20
First Seen                    Fri 25 Sep 2009 12:46:00 PM MSD
Last Seen                     Fri 25 Sep 2009 12:59:58 PM MSD
Local ID                      e14b46a2-0f14-49bd-bb2e-d8d1520fa451
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1253869198.208:20): avc:  denied  { execmem } for  pid=2011 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=(removed) type=SYSCALL msg=audit(1253869198.208:20): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=2000 a2=7 a3=22 items=0 ppid=1996 pid=2011 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="firefox" exe="/usr/lib/firefox-3.5.3/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)


audit2allow suggests:

#============= unconfined_t ==============
allow unconfined_t self:process execmem;

Comment 1 Daniel Walsh 2009-10-20 21:23:24 UTC
Fixed in selinux-policy-3.6.32-29.fc12.noarch