Bug 745062

Summary: Firefox needs execmem
Product: [Fedora] Fedora
Reporter: Göran Uddeborg <goeran>
Component: selinux-policy-targeted
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED DUPLICATE
QA Contact: Ben Levenson <benl>
Severity: unspecified
Priority: unspecified
Version: 16
CC: carlg, dwalsh
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-11-13 14:38:07 UTC

Description Göran Uddeborg 2011-10-11 10:30:08 UTC
Description of problem:
On a system with allow_execmem disabled, firefox will not start.  No error message appears if started in a terminal window, but several AVCs about execmem denials are reported.

Version-Release number of selected component (if applicable):
firefox-7.0.1-1.fc16.x86_64
selinux-policy-targeted-3.10.0-38.fc16.noarch

How reproducible:
Every time

Steps to Reproduce:
1. Start firefox
  
Actual results:
Nothing comes up.

Expected results:
A firefox window should appear.

Additional info:
This is an F16 version of bug 714425.

Doing

chcon -t execmem_exec_t /usr/lib64/firefox/firefox

is a possible workaround.  (But firefox has a special mozilla_exec_t type initially, so maybe this isn't the right solution to implement in the policy.)

Asking ausearch immediately afterwards, there is a total of 12 AVC denials.  They look the same, so I only include the first:

time->Tue Oct 11 12:19:43 2011
type=SYSCALL msg=audit(1318328383.755:12731): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=10000 a2=7 a3=22 items=0 ppid=27207 pid=30887 auid=503 uid=503 gid=503 euid=503 suid=503 fsuid=503 egid=503 sgid=503 fsgid=503 tty=pts4 ses=1963 comm="firefox" exe="/usr/lib64/firefox/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1318328383.755:12731): avc:  denied  { execmem } for  pid=30887 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
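Added example, not part of the original report: the two audit records above carry more than "execmem was denied". The SYSCALL record paired with the AVC (same serial, 12731) says which call failed and with what arguments; on x86_64 (arch=c000003e) syscall 9 is mmap, a1 is the length, a2 the prot bits and a3 the map flags, all printed in hex. Decoding them shows the denied request was a 64 KiB anonymous private mapping asked for as PROT_READ|PROT_WRITE|PROT_EXEC, which is exactly the writable-and-executable anonymous memory the execmem permission governs. The parser below correlates the records by serial and produces that triage summary. The sample input is the report's own records, unwrapped to one record per line; the syscall table only covers the two x86_64 calls relevant to execmem and is an assumption of this example, not something from the report.

```python
import re

# Constructed sample: the ausearch output quoted in the bug report, one record per line.
SAMPLE_AUDIT = """\
time->Tue Oct 11 12:19:43 2011
type=SYSCALL msg=audit(1318328383.755:12731): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=10000 a2=7 a3=22 items=0 ppid=27207 pid=30887 auid=503 uid=503 gid=503 euid=503 suid=503 fsuid=503 egid=503 sgid=503 fsgid=503 tty=pts4 ses=1963 comm="firefox" exe="/usr/lib64/firefox/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1318328383.755:12731): avc:  denied  { execmem } for  pid=30887 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
"""

# mmap(2) prot and flags bits (x86_64 values); audit prints a0..a3 in hex.
PROT_FLAGS = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MAP_FLAGS = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED", 0x20: "MAP_ANONYMOUS"}
# Assumption of this example: only the x86_64 syscalls that can trigger execmem are mapped.
X86_64_ARCH = "c000003e"
X86_64_SYSCALLS = {9: "mmap", 10: "mprotect"}

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
AVC_RE = re.compile(r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
# key=value pairs; values may be quoted ("firefox"), parenthesised ((null)) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')


def decode_flags(hex_value, table):
    """Expand a hex bitmask into the flag names set in it, in ascending bit order."""
    value = int(hex_value, 16)
    return [name for bit, name in table.items() if value & bit]


def parse_audit(text):
    """Group AVC and SYSCALL records by audit serial number."""
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # "time->" separators and anything else are skipped
        ev = events.setdefault(m["serial"], {"serial": int(m["serial"]), "timestamp": float(m["ts"])})
        if m["type"] == "AVC":
            a = AVC_RE.match(m["body"])
            if not a:
                continue
            ev["decision"] = a["decision"]
            ev["perms"] = a["perms"].split()
            ev.update({k: v.strip('"') for k, v in KV_RE.findall(a["rest"])})
        elif m["type"] == "SYSCALL":
            ev["syscall"] = {k: v.strip('"') for k, v in KV_RE.findall(m["body"])}
    return events


def execmem_denials(text):
    """Summarise every denied execmem AVC with the decoded mmap arguments of its syscall."""
    summaries = []
    for ev in parse_audit(text).values():
        if ev.get("decision") != "denied" or "execmem" not in ev.get("perms", []):
            continue
        sc = ev.get("syscall", {})
        name = "unknown"
        if sc.get("arch") == X86_64_ARCH and sc.get("syscall", "").isdigit():
            name = X86_64_SYSCALLS.get(int(sc["syscall"]), "unknown")
        summary = {
            "pid": int(ev["pid"]),
            "comm": ev["comm"],
            "domain": ev["scontext"].split(":")[2],  # the type field of the source context
            "tclass": ev["tclass"],
            "syscall": name,
            "prot": decode_flags(sc.get("a2", "0"), PROT_FLAGS) if name in ("mmap", "mprotect") else [],
            "map_flags": decode_flags(sc.get("a3", "0"), MAP_FLAGS) if name == "mmap" else [],
            "length": int(sc.get("a1", "0"), 16) if name == "mmap" else None,
        }
        summaries.append(summary)
    return summaries


if __name__ == "__main__":
    for s in execmem_denials(SAMPLE_AUDIT):
        print(f"{s['comm']}[{s['pid']}] in {s['domain']}: {s['syscall']}({s['length']} bytes, "
              f"{'|'.join(s['prot'])}, {'|'.join(s['map_flags'])}) denied execmem on {s['tclass']}")
```

Run it as-is to see the one denial from the report decoded; feeding it the full `ausearch -m avc,syscall` output for the session would list all twelve and make it obvious whether they are all the same RWX anonymous mapping or a mix of mmap and mprotect calls, which is the distinction that matters when deciding between a file-context change like the chcon above and a policy change.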

Comment 1 Daniel Walsh 2011-10-11 17:04:43 UTC
This is why these checks are becoming useless, as more and more domains need execmem for script execution.

Comment 2 Carl G. 2011-11-13 14:38:07 UTC
I'm going to close this bug report as a dupe of 752087

*** This bug has been marked as a duplicate of bug 752087 ***