Bug 597617
Summary: | SELinux is preventing /usr/lib64/firefox-3.6/firefox from making the program stack executable. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Gene Snider <genes1122> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | low | ||
Version: | 14 | CC: | aaron.lippold, abate.alessandro, admin, adrigiga, alexander.hunt2005, alexsandro.aquino, andreabravetti, antonio.montagnani, artemio.silva, asornat, brinkj, bugsrep, bugzilla.redhat.com, bugzilla, bugzilla, chrys87, ciberpiano, ckirkpatrick79, curoli, david.cussans, drepper, dwalsh, eblix08, garfield.fatcat1990, garrett.ostromecki, genes1122, geslinux, gherson, gio_filth, greenrd, halfersltd, jaguar07, james.brown, jarin.franek, jecko617, jediah, jeremy_dipietro, jesse.brandeburg, jhonny.oliveira, jmj.buckley, joshuajrbennett, jtsigkos, ke4tzn, kmaraas, kryukov, kvinayaks, laszlo.kulcsar.ca, leigh123linux, leon.kacowicz, linux, luca.botti, marivaldosenalimajunior, maskimko, maxime.tierre, maxlabel, mgrepl, misc, mq_han, mz1550, nicolas.delley, nicolas.karmazyn, n.underwood78, ola.polak, ousia, palango, pbravo, pcsnow, piemmea, pjw955, poelstra, rafpolak, renyeris, Robert-Martin, ronaldcanete, ryans, sandblasted, santiago.lunar.m, stevlowe9, supergiantpotato, thomas.mey, todhunter, tombill60, tore, uguronganlar, vikigoyal, wijngaarde, willdeed, wl.edwards, xanexp, Zscoundrel |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | setroubleshoot_trace_hash:a95ca13042aee39bf6f3dcd21cfe77169c8e25cef726901b90f19ae3f629b54a | ||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2010-11-09 13:26:32 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Gene Snider
2010-05-29 19:58:00 UTC
You can turn on the allow_execstack boolean to get rid of the avc. Do you have any plugins installed that could be causing this? Not that I'm aware of. I used to get this when I used the 32 bit flash plugin and nspluginwrapper. I switched to Leigh's 64 bit flash plugin and removed nspluginwrapper months ago. This denial disappeared after that in F12, F13, and F14 until this bug report was filed. I'll try FF in another user with no plugins to see if that makes a difference. Gene I did some research, and this error and another one from Firefox both started immediately after the following update: May 29 11:25:40 Updated: openldap-2.4.22-2.fc14.x86_64 May 29 11:25:41 Updated: ibus-libs-1.3.4-2.fc14.x86_64 May 29 11:26:01 Updated: ibus-1.3.4-2.fc14.x86_64 May 29 11:26:01 Updated: ibus-gtk-1.3.4-2.fc14.x86_64 May 29 11:26:18 Updated: 2:vim-common-7.2.440-1.fc14.x86_64 May 29 11:26:21 Installed: 12:aspell-0.60.6-12.fc14.x86_64 May 29 11:26:22 Updated: gjs-0.7-1.fc14.x86_64 May 29 11:26:31 Updated: mutter-2.31.2-2.fc14.x86_64 May 29 11:26:31 Updated: 1:pkgconfig-0.25-1.fc14.x86_64 May 29 11:26:32 Updated: libdrm-2.4.21-0.1.fc14.x86_64 May 29 11:26:40 Updated: gnome-shell-2.31.2-2.fc14.x86_64 May 29 11:26:42 Updated: link-grammar-4.6.7-3.fc14.x86_64 May 29 11:26:43 Updated: 2:vim-enhanced-7.2.440-1.fc14.x86_64 May 29 11:26:44 Updated: nfs-utils-lib-1.1.5-2.fc14.x86_64 May 29 11:26:45 Updated: linux-atm-libs-2.5.1-1.fc14.x86_64 May 29 11:26:46 Updated: 2:vim-minimal-7.2.440-1.fc14.x86_64 May 29 11:26:49 Updated: webkitgtk-1.3.1-1.fc14.x86_64 May 29 11:26:53 Updated: mousetweaks-2.31.2-1.fc14.x86_64 May 29 11:27:23 Updated: selinux-policy-3.8.1-3.fc14.noarch May 29 11:28:24 Updated: selinux-policy-targeted-3.8.1-3.fc14.noarch May 29 11:28:25 Updated: libdrm-devel-2.4.21-0.1.fc14.x86_64 May 29 11:28:29 Updated: openldap-devel-2.4.22-2.fc14.x86_64 May 29 11:28:35 Updated: orca-2.31.2-1.fc14.x86_64 May 29 11:28:36 Updated: gnome-icon-theme-extras-2.30.1-2.fc14.noarch I assumed that they were related to the selinux-policy* updates. Gene This bug appears to have been reported against 'rawhide' during the Fedora 14 development cycle. Changing version to '14'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping I know there's been a lot of progress on this AVC denial, both at Fedora and upstream. It completely disappeared (I thought) around the time F14 branched. However, it is still possible to generate this denial consistently by clicking on the "Verify Java version" button at http://www.java.com/en/download/installed.jsp. Gene Gene the problem is the jave plugin is being executed within the firefox program causing execstack access to be required. Using the fedora java plugin firefox executes the java program as a separate process. So we can allow firefox to run without execstack privs and only allow java apps to have that priv. With the oracle java plugin we have to allow the firefox program execstack which really means we might as well turn off the check. Unless Oracle java plugin goes back to execing a different process for java apps, I don't see how we can solve this problem. Thanks for the explanation, Dan, it makes perfect sense. I wondered why this AVC denial popped back up after all the other ones disappeared. Gene According to the release notes for Oracle Java SE 6 JRE 1.6.0_10 it should be doing exactly that? Pasting from the release notes: Introduction Java Plug-In technology (hereafter the "Java Plug-In"), which is included in the Java Runtime Environment, enables Java applets to run in popular web browsers on the desktop. The next-generation Java Plug-In, introduced in Java SE 6 Update 10, provides powerful new capabilities to applets in the web browser, while improving the overall reliability and functionality of applets in a backward-compatible manner. The next-generation Java Plug-In offers a completely redesigned architecture. Instead of executing applets in the same operating system process as the web browser, the new plug-in runs one or more Java virtual machine instances ("JVMs") which connect back to the browser for full interoperability with the surrounding web page. This architectural change offers many advantages and enables several new features. * Improved reliability. The JVM running the applet is isolated from the web browser at the operating system level. If something should go wrong while running the applet, or if an uncooperative applet refuses to shut down, the new Java Plug-In detects and handles the error condition gracefully; the web browser is unaffected. In my case it was a x86 system. #setsebool -P allow_execstack 1 Will fix your problem. True I was running the Oracle Java Plugin, latest version .22 I believe it was (not sitting at the F14 install right now thou) Yeap allow_execstach should fix this, only some lusers won't know howto and might get confused about this AVC :) This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component. This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component. This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component. It happens to me when I enable Moonlight 2.3 plugin in browser. I'm using 32bit system. It didn't happen in Fedora 13. I'm not sure if it matters but I've upgraded from Fedora 13 it was not a fresh install. I've noticed some invalid links referencing a missing libgcj-4.4.4.jar file. I've installed the latest libgcj package version and deleted broken libgcj links. Since then, I've not had this AVC issue. *** This bug has been marked as a duplicate of bug 572791 *** Selinux problem with moonlight plugin in Firefox, Fedora 14 32 bit. Turn on the allow_execstack boolean or change label of firefox to execmem_exec_t On Fedora 14 there is no lib32 directory. The right command concerning the solution: chcon -t execmem_exec_t '/usr/lib/firefox-3.6/firefox' (In reply to comment #20) > On Fedora 14 there is no lib32 directory. The right command concerning the > solution: > > chcon -t execmem_exec_t '/usr/lib/firefox-3.6/firefox' Laszlo, i tried your fix. let's see if solves it. thx |