Bug 292061 - Firefox warning after install sun java 1.6u2 jre
Status: CLOSED INSUFFICIENT_DATA
Product: Fedora
Classification: Fedora
Component: firefox
Version: 8
Hardware: i386 Linux
Priority: medium   Severity: high
Assigned To: Christopher Aillon
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-09-15 09:47 EDT by Stefan Sonnenberg-Carstens
Modified: 2008-08-02 19:40 EDT
Last Closed: 2008-01-18 07:23:07 EST
Doc Type: Bug Fix
Attachments: None

Description Stefan Sonnenberg-Carstens 2007-09-15 09:47:21 EDT
After installing the original Sun Java 1.6u2 from java.com,
SELinux warns about Firefox trying to make memory executable:

Summary
    SELinux is preventing /usr/lib/firefox-2.0.0.6/firefox-bin from making the
    program stack executable.

Detailed Description
    The application /usr/lib/firefox-2.0.0.6/firefox-bin attempted to make its
    stack executable. This is a potential security problem. This should never
    be necessary. Stack memory is not executable on most operating systems
    these days, and this will not change. Executable stack memory is one of
    the biggest security problems. An execstack error could very likely also
    be caused by malicious code. Applications are sometimes programmed
    incorrectly and require this permission. The page
    http://people.redhat.com/drepper/selinux-mem.html explains how this
    requirement can be removed. If /usr/lib/firefox-2.0.0.6/firefox-bin does
    not work but you need it, you can temporarily configure SELinux to allow
    the access until the application is fixed. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Allowing Access
    Sometimes a library is accidentally marked with the execstack flag. If you
    find a library with this flag you can clear it with "execstack -c
    LIBRARY_PATH". Then retry your application. If the app continues to not
    work, you can turn the flag back on with "execstack -s LIBRARY_PATH".
    Otherwise, if you trust /usr/lib/firefox-2.0.0.6/firefox-bin to run
    correctly, you can change the context of the executable to
    unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t
    /usr/lib/firefox-2.0.0.6/firefox-bin" You must also change the default file
    context files on the system in order to preserve them even on a full
    relabel. "semanage fcontext -a -t unconfined_execmem_exec_t
    /usr/lib/firefox-2.0.0.6/firefox-bin"

    The following command allows this access:
    chcon -t unconfined_execmem_exec_t /usr/lib/firefox-2.0.0.6/firefox-bin

Additional Information

Source Context                system_u:system_r:unconfined_t:s0
Target Context                system_u:system_r:unconfined_t:s0
Target Objects                None [ process ]
Affected RPM Packages         firefox-2.0.0.6-8.fc8 [application]
Policy RPM                    selinux-policy-3.0.7-10.fc8
SELinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.allow_execstack
Host Name                     nx6310.home.lan
Platform                      Linux nx6310.home.lan 2.6.23-0.181.rc6.git4.fc8 #1
                              SMP Thu Sep 13 18:52:33 EDT 2007 i686 i686
Alert Count                   4
First Seen                    Sa 15 Sep 2007 15:34:00 CEST
Last Seen                     Sa 15 Sep 2007 15:34:24 CEST
Local ID                      c87b6000-6595-4ffe-85ed-9bbe33f2f1b5
Line Numbers                  

Raw Audit Messages            

avc: denied { execstack } for comm=firefox-bin egid=500 euid=500
exe=/usr/lib/firefox-2.0.0.6/firefox-bin exit=-13 fsgid=500 fsuid=500 gid=500
items=0 pid=2569 scontext=system_u:system_r:unconfined_t:s0 sgid=500
subj=system_u:system_r:unconfined_t:s0 suid=500 tclass=process
tcontext=system_u:system_r:unconfined_t:s0 tty=(none) uid=500

FIX:
chcon -t unconfined_execmem_exec_t /usr/lib/firefox-2.0.0.6/firefox-bin
Comment 1 Daniel Walsh 2007-09-17 15:13:11 EDT
This looks like firefox is not execing java, but actually has java builtin?
Comment 2 Ulrich Drepper 2007-09-17 17:36:19 EDT
This is the Java plugin.  It simply is built incorrectly, it requires an
executable stack, it seems.  The only other way is that the firefox-bin binary
has been changed.

Stefan, do the following:

What is the output of

  ldd /usr/lib/firefox-2.0.0.6/firefox-bin | awk '/=>/ { print $3 }' | while read n; do echo $n; eu-readelf -l $n | fgrep STACK; done

If none of the lines end with something like

    ... RWX 0x04

then do the following:

- track down what the Java plugin is.  You can look through the files installed
by this java package you downloaded

or

  1. start firefox on the command line with

          LD_DEBUG=libs,files LD_DEBUG_OUTPUT=/tmp/fflog firefox

  2. look through the various /tmp/fflog.XXXX files which are created.
     The one with the highest number is likely the one corresponding to the
     firefox process.  In any case, you can recognize it by the program
     name being firefox-bin

Once you know the plugin's name, run

  eu-readelf -l /the/plugin | grep STACK

and show the result.
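The check that the setroubleshoot text in the description (a library "accidentally marked with the execstack flag") and Comment 2 (`eu-readelf -l ... | grep STACK`) both revolve around is the PT_GNU_STACK program header of each loaded ELF object: an `X` bit there is what makes ld.so request an executable stack and trigger the `execstack` AVC denial. The following script is an added example, not part of this bug report or of any Fedora tool; it parses that header directly from the ELF program headers (32- and 64-bit, either byte order) so the result can be reproduced without elfutils or binutils installed. The file names it is run on are supplied by the caller; the two tiny ELF images it builds itself are constructed test data, not real libraries.

```python
import struct
import sys
from typing import Optional

# Program header type and permission bits from the ELF specification.
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def gnu_stack_flags(data: bytes) -> Optional[int]:
    """Return the p_flags of the PT_GNU_STACK program header of an ELF image,
    or None when the image carries no such header."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"            # ELFDATA2LSB / ELFDATA2MSB
    if ei_class == 2:                                 # ELFCLASS64
        ehdr = struct.unpack_from(endian + "HHIQQQIHHHHHH", data, 16)
        phdr_fmt, flags_index = endian + "IIQQQQQQ", 1    # p_flags follows p_type
    elif ei_class == 1:                               # ELFCLASS32
        ehdr = struct.unpack_from(endian + "HHIIIIIHHHHHH", data, 16)
        phdr_fmt, flags_index = endian + "IIIIIIII", 6    # p_flags is the 7th field
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    e_phoff, e_phentsize, e_phnum = ehdr[4], ehdr[8], ehdr[9]
    for i in range(e_phnum):
        phdr = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        if phdr[0] == PT_GNU_STACK:
            return phdr[flags_index]
    return None


def flags_to_str(flags: int) -> str:
    """Render p_flags the way eu-readelf -l prints them, e.g. 'RW' or 'RWX'."""
    return "".join(ch for bit, ch in ((PF_R, "R"), (PF_W, "W"), (PF_X, "X")) if flags & bit)


def stack_is_executable(data: bytes) -> bool:
    """True when the object asks for an executable stack.  A missing PT_GNU_STACK
    counts as executable too: on x86 the kernel then falls back to an executable
    stack, which is exactly the case execstack(8) exists to repair."""
    flags = gnu_stack_flags(data)
    return flags is None or bool(flags & PF_X)


def build_elf64(stack_flags: Optional[int]) -> bytes:
    """Construct a minimal little-endian ELF64 shared object (constructed test
    data, not a real library) with one PT_LOAD and, unless stack_flags is None,
    one PT_GNU_STACK header carrying the given flags."""
    phdrs = [struct.pack("<IIQQQQQQ", 1, PF_R | PF_X, 0, 0, 0, 0, 0, 0x1000)]  # PT_LOAD
    if stack_flags is not None:
        phdrs.append(struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8     # 64-bit, LSB, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               3, 0x3E, 1, 0,          # ET_DYN, EM_X86_64, EV_CURRENT, e_entry
                               64, 0, 0,               # e_phoff, e_shoff, e_flags
                               64, 56, len(phdrs),     # e_ehsize, e_phentsize, e_phnum
                               0, 0, 0)                # e_shentsize, e_shnum, e_shstrndx
    return ehdr + b"".join(phdrs)


def report(path: str) -> str:
    """One line per file, in the spirit of 'eu-readelf -l FILE | grep STACK'."""
    with open(path, "rb") as fh:
        data = fh.read()
    flags = gnu_stack_flags(data)
    if flags is None:
        return "%s: no PT_GNU_STACK (kernel default is an executable stack)" % path
    verdict = "EXECUTABLE STACK" if flags & PF_X else "ok"
    return "%s: GNU_STACK %s %s" % (path, flags_to_str(flags), verdict)


if __name__ == "__main__":
    # Usage: python3 check_execstack.py LIB [LIB...]; with no arguments the two
    # constructed images are checked instead so the script runs offline.
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            print(report(p))
    else:
        for label, flags in (("rw-stack", PF_R | PF_W), ("rwx-stack", PF_R | PF_W | PF_X)):
            img = build_elf64(flags)
            print(label, flags_to_str(gnu_stack_flags(img)), stack_is_executable(img))
```

To cover the same set of objects as the ldd loop in Comment 2, feed it the resolved library paths, for instance `ldd /usr/lib/firefox-2.0.0.6/firefox-bin | awk '/=>/ { print $3 }' | xargs python3 check_execstack.py`, and then the plugin path found via LD_DEBUG. Any line reporting `RWX` or a missing PT_GNU_STACK names an object that will pull the whole process onto an executable stack; clearing that one object with `execstack -c` removes the denial without relabeling firefox-bin as unconfined_execmem_exec_t, which would instead grant the permission to everything the browser loads.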
Comment 3 Matěj Cepl 2007-11-14 10:09:41 EST
Reporter, could you please reply to the previous question? If you won't reply in
one month, I will have to close this bug as INSUFFICIENT_DATA. Thank you.
Comment 4 Matěj Cepl 2008-01-18 07:23:07 EST
Since there are insufficient details provided in this report for us to
investigate the issue further, and we have not received feedback to the
information we have requested above, we will assume the problem was not
reproducible, or has been fixed in one of the updates we have released for the
reporter's distribution.

Users who have experienced this problem are encouraged to upgrade to the latest
update of their distribution, and if this issue turns out to still be
reproducible in the latest update, please reopen this bug with additional
information.

Closing as INSUFFICIENT_DATA.