Bug 632523
Summary: | firefox segfaults when executed in sandbox without proper selinux context | ||||||||
---|---|---|---|---|---|---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Karel Srot <ksrot> | ||||||
Component: | firefox | Assignee: | Martin Stransky <stransky> | ||||||
Status: | CLOSED WONTFIX | QA Contact: | Karel Srot <ksrot> | ||||||
Severity: | low | Docs Contact: | |||||||
Priority: | low | ||||||||
Version: | 6.0 | CC: | dwalsh, eparis | ||||||
Target Milestone: | rc | Keywords: | SELinux, Triaged | ||||||
Target Release: | --- | ||||||||
Hardware: | All | ||||||||
OS: | Linux | ||||||||
Whiteboard: | |||||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||||
Doc Text: | Story Points: | --- | |||||||
Clone Of: | Environment: | ||||||||
Last Closed: | 2014-01-16 13:47:08 UTC | Type: | --- | ||||||
Regression: | --- | Mount Type: | --- | ||||||
Documentation: | --- | CRM: | |||||||
Verified Versions: | Category: | --- | |||||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
Cloudforms Team: | --- | Target Upstream Version: | |||||||
Embargoed: | |||||||||
Bug Depends On: | 629274 | ||||||||
Bug Blocks: | |||||||||
Attachments: |
|
Thank you for taking the time to report this bug report. Unfortunately, that stack trace is not very useful in determining the cause of the crash, because there are no debugging symbols loaded (probably abrt failed to load them). Unfortunately, we cannot use this backtrace. Unless SELinux guys will see something they should do, closing as INSUFFICIENT_DATA. I can reproduce it as well. It's not an selinux policy bug if firefox segfaults. I'm not sure how to collect the core though.... It most likely is happening when firefox attempts to connect to the network. Since this is the biggest difference between sandbox_web_t and sandbox_t. If you run sandbox -X firefox it is launched as sandbox_t and has NO network access, all connect calls will get permission denied. (In reply to comment #3) > It most likely is happening when firefox attempts to connect to the network. > Since this is the biggest difference between sandbox_web_t and sandbox_t. > > If you run sandbox -X firefox it is launched as sandbox_t and has NO network > access, all connect calls will get permission denied. This is what we are talking about, right? Souhrn: SELinux is preventing /usr/bin/setarch "module_request" access on <Unknown>. Podrobný popis: [linux32 je v toleratním režimu (sandbox_x_client_t). Přístup byl povolen.] SELinux denied access requested by linux32. The current boolean settings do not allow this access. If you have not setup linux32 to require this access this may signal an intrusion attempt. If you do intend this access you need to change the booleans on this system to allow the access. Povolení přístupu: Confined processes can be configured to run requiring different access, SELinux provides booleans to allow you to turn on/off access as needed. The boolean domain_kernel_load_modules is set incorrectly. Boolean Description: Allow all domains to have the kernel load modules Příkaz pro opravu: # setsebool -P domain_kernel_load_modules 1 Další informace: Kontext zdroje unconfined_u:unconfined_r:sandbox_x_client_t:s0:c8 66,c883 Kontext cíle system_u:system_r:kernel_t:s0 Objekty cíle None [ system ] Zdroj linux32 Cesta zdroje /usr/bin/setarch Port <Neznámé> Počítač jakoubek.ceplovi.cz RPM balíčky zdroje util-linux-ng-2.18-4.fc14 RPM balíčky cíle RPM politiky selinux-policy-3.9.3-1.fc14 Selinux povolen True Typ politiky targeted Vynucovací režim Enforcing Název zásuvného modulu catchall_boolean Název počítače jakoubek.ceplovi.cz Platforma Linux jakoubek.ceplovi.cz 2.6.35.4-12.fc14.x86_64 #1 SMP Fri Aug 27 07:45:05 UTC 2010 x86_64 x86_64 Počet upozornění 10 Poprvé viděno Po 13. září 2010, 21:14:07 CEST Naposledy viděno Po 13. září 2010, 21:14:09 CEST Místní ID ffd34321-0cb7-45e8-ab08-2e0b23ad8853 Čísla řádků Původní zprávy auditu node=jakoubek.ceplovi.cz type=AVC msg=audit(1284405249.703:345): avc: denied { module_request } for pid=32403 comm="linux32" kmod="personality-8" scontext=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c866,c883 tcontext=system_u:system_r:kernel_t:s0 tclass=system node=jakoubek.ceplovi.cz type=SYSCALL msg=audit(1284405249.703:345): arch=c000003e syscall=135 per=8 success=yes exit=0 a0=8 a1=2 a2=0 a3=0 items=0 ppid=32402 pid=32403 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="linux32" exe="/usr/bin/setarch" subj=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c866,c883 key=(null) Created attachment 447021 [details]
backtrace from F14
Managed to generate a backtrace on F14.
This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux. If you would like it considered as an exception in the current release, please ask your support representative. This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux. If you would like it considered as an exception in the current release, please ask your support representative. This request was erroneously denied for the current release of Red Hat Enterprise Linux. The error has been fixed and this request has been re-proposed for the current release. Since RHEL 6.2 External Beta has begun, and this bug remains unresolved, it has been rejected as it is not proposed as exception or blocker. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux. We're not going to fix this issue, the fix would be rather intrusive and Firefox has to shutdown anyway. This is a null-pointer crash which is relatively safe. |
Created attachment 446461 [details] abrt crash info Description of problem: I know this is a bit obscure situation,... firefox segfaults when executed in sandbox without proper selinux context. Version-Release number of selected component (if applicable): How reproducible: always Steps to Reproduce: 1. yum install policycoreutils-sandbox 2. sandbox -X /usr/lib64/firefox-3.6/firefox Actual results: $ sandbox -X /usr/lib64/firefox-3.6/firefox /home/ksrot/.sandboxrc: line 6: 7505 Segmentation fault (core dumped) dbus-launch --exit-with-session /usr/lib64/firefox-3.6/firefox Hangup Expected results: graceful exit? Additional info: see attached file