Description of problem: Running targeted/enforcing, logging in to fedora bugzilla or gmail causes firefox to generate SELinux execstack AVCs: type=AVC msg=audit(1163454858.017:40): avc: denied { execstack } for pid=4123 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process type=SYSCALL msg=audit(1163454858.017:40): arch=40000003 syscall=125 success=no exit=-13 a0=bfa1b000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=4123 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="firefox-bin" exe="/usr/lib/firefox-2.0/firefox-bin" subj=user_u:system_r:unconfined_t:s0 key=(null) type=AVC msg=audit(1163454858.018:41): avc: denied { execstack } for pid=4123 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process type=SYSCALL msg=audit(1163454858.018:41): arch=40000003 syscall=125 success=no exit=-13 a0=bfa1b000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=4123 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="firefox-bin" exe="/usr/lib/firefox-2.0/firefox-bin" subj=user_u:system_r:unconfined_t:s0 key=(null) type=AVC msg=audit(1163454860.483:42): avc: denied { execstack } for pid=4123 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process type=SYSCALL msg=audit(1163454860.483:42): arch=40000003 syscall=125 success=no exit=-13 a0=bfa1b000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=4123 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="firefox-bin" exe="/usr/lib/firefox-2.0/firefox-bin" subj=user_u:system_r:unconfined_t:s0 key=(null) type=AVC msg=audit(1163454860.483:43): avc: denied { execstack } for pid=4123 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process type=SYSCALL msg=audit(1163454860.483:43): arch=40000003 syscall=125 success=no exit=-13 a0=bfa1b000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=4123 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="firefox-bin" exe="/usr/lib/firefox-2.0/firefox-bin" subj=user_u:system_r:unconfined_t:s0 key=(null) type=AVC msg=audit(1163454860.488:44): avc: denied { execstack } for pid=4123 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process type=SYSCALL msg=audit(1163454860.488:44): arch=40000003 syscall=125 success=no exit=-13 a0=bfa1b000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=4123 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="firefox-bin" exe="/usr/lib/firefox-2.0/firefox-bin" subj=user_u:system_r:unconfined_t:s0 key=(null) type=AVC msg=audit(1163454860.488:45): avc: denied { execstack } for pid=4123 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process type=SYSCALL msg=audit(1163454860.488:45): arch=40000003 syscall=125 success=no exit=-13 a0=bfa1b000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=4123 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="firefox-bin" exe="/usr/lib/firefox-2.0/firefox-bin" subj=user_u:system_r:unconfined_t:s0 key=(null) type=AVC msg=audit(1163454860.497:46): avc: denied { execstack } for pid=4123 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process type=SYSCALL msg=audit(1163454860.497:46): arch=40000003 syscall=125 success=no exit=-13 a0=bfa1b000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=4123 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="firefox-bin" exe="/usr/lib/firefox-2.0/firefox-bin" subj=user_u:system_r:unconfined_t:s0 key=(null) type=AVC msg=audit(1163454860.498:47): avc: denied { execstack } for pid=4123 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process type=SYSCALL msg=audit(1163454860.498:47): arch=40000003 syscall=125 success=no exit=-13 a0=bfa1b000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=4123 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="firefox-bin" exe="/usr/lib/firefox-2.0/firefox-bin" subj=user_u:system_r:unconfined_t:s0 key=(null) Version-Release number of selected component (if applicable): firefox-2.0-2.fc7 How reproducible: every time Steps to Reproduce: 1. start firefox 2. browse to mail.google.com or bugzilla.redhat.com, login 3. check /var/log/audit/audit.log Actual results: Expected results: Additional info:
Please do this: 1) Go to "about:plugins" in your browser. 2) Copy and paste that into a text file. 3) Attach that text file in this bug.
Created attachment 141115 [details] Output of 'about:plugins'
Do the AVC's go away if you remove flash plugin? You are using an ancient version of flash-plugin, which may be Bug #155230. Upgrade to 7.0.68 for the execstack problem specifically. Text relocations can also cause AVC's in Bug #189622. This is fixed in Adobe's Flash 9 beta http://labs.adobe.com/technologies/flashplayer9/
Updated flash to 7.0.68. No joy. Still get the following logging in to gmail: type=AVC msg=audit(1163457824.500:70): avc: denied { execstack } for pid=4415 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process type=SYSCALL msg=audit(1163457824.500:70): arch=40000003 syscall=125 success=no exit=-13 a0=bf92d000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=4415 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="firefox-bin" exe="/usr/lib/firefox-2.0/firefox-bin" subj=user_u:system_r:unconfined_t:s0 key=(null) type=AVC msg=audit(1163457824.500:71): avc: denied { execstack } for pid=4415 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process type=SYSCALL msg=audit(1163457824.500:71): arch=40000003 syscall=125 success=no exit=-13 a0=bf92d000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=4415 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="firefox-bin" exe="/usr/lib/firefox-2.0/firefox-bin" subj=user_u:system_r:unconfined_t:s0 key=(null) Will try beta 9.
No luck with beta 9. Still get: type=AVC msg=audit(1163458160.984:78): avc: denied { execstack } for pid=4508 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process type=SYSCALL msg=audit(1163458160.984:78): arch=40000003 syscall=125 success=no exit=-13 a0=bf8ab000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=4508 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="firefox-bin" exe="/usr/lib/firefox-2.0/firefox-bin" subj=user_u:system_r:unconfined_t:s0 key=(null) type=AVC msg=audit(1163458160.985:79): avc: denied { execstack } for pid=4508 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process type=SYSCALL msg=audit(1163458160.985:79): arch=40000003 syscall=125 success=no exit=-13 a0=bf8ab000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=4508 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="firefox-bin" exe="/usr/lib/firefox-2.0/firefox-bin" subj=user_u:system_r:unconfined_t:s0 key=(null) Here is the flash section of 'about:plugins': Shockwave Flash File name: libflashplayer.so Shockwave Flash 9.0 d55 MIME Type Description Suffixes Enabled application/x-shockwave-flash Shockwave Flash swf Yes application/futuresplash FutureSplash Player spl Yes
Should have done this first: removed flash player altogether and still get them: type=AVC msg=audit(1163459280.967:88): avc: denied { execstack } for pid=4601 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process type=SYSCALL msg=audit(1163459280.967:88): arch=40000003 syscall=125 success=no exit=-13 a0=bfc17000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=4601 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="firefox-bin" exe="/usr/lib/firefox-2.0/firefox-bin" subj=user_u:system_r:unconfined_t:s0 key=(null) type=AVC msg=audit(1163459280.968:89): avc: denied { execstack } for pid=4601 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process type=SYSCALL msg=audit(1163459280.968:89): arch=40000003 syscall=125 success=no exit=-13 a0=bfc17000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=4601 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="firefox-bin" exe="/usr/lib/firefox-2.0/firefox-bin" subj=user_u:system_r:unconfined_t:s0 key=(null)
Thanks for the thorough testing. This is definitely indicative of a regression in rawhide firefox itself.
I am not seeing this on i386. So this might be platform specific.
Hmmm. I am seeing this on i386. Could this be caused by an add-on? Other plugin?
I think I tracked this down: RealPlayer plugin is the villain: Starting firefox with '-safe-mode' and entering 'about:plugins' produces the AVCs. When this occurs, the following gets printed on the console window: LoadPlugin: failed to initialize shared library /usr/local/RealPlayer/mozilla/nphelix.so [/usr/local/RealPlayer/mozilla/nphelix.so: cannot enable executable stack as shared object requires: Permission denied] Removing this plugin makes the problem go away. Sorry for the false alarm.....