Bug 304421 - SE Linux warning
SE Linux warning
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: firefox (Show other bugs)
7
x86_64 Linux
low Severity low
: ---
: ---
Assigned To: Christopher Aillon
Fedora Extras Quality Assurance
pleaForReproductionFF3
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-09-24 23:34 EDT by Austin
Modified: 2008-02-28 10:02 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-02-28 10:02:36 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Additional information from the SE Troubleshooter browser (1.13 KB, text/plain)
2007-09-24 23:34 EDT, Austin
no flags Details
selinux description of requested bug report on firefox (12.20 KB, application/vnd.oasis.opendocument.text)
2007-09-26 18:03 EDT, jerry stutte
no flags Details

  None (edit)
Description Austin 2007-09-24 23:34:57 EDT
Description of problem:
SELinux is preventing /usr/local/firefox/firefox-bin from loading
/usr/local/firefox/extensions/talkback@mozilla.org/components/libqfaservices.so
which requires text relocation.

Version-Release number of selected component (if applicable):
2.0.0.6

How reproducible:
Everytime I start firefox.

Steps to Reproduce:
1. Load firefox (either from CLI, or the "Web Browser" button on the "task bar"
2. Wait for it to load, and observe the yellow Star show up in the status bar
(clock, updates available, etc)
3. Open SE Trouble shoot browser and read the warning.
  
Actual results:
The above

Expected results:
For this warning not to happen.

Additional info:
The /usr/local/firefox/firefox-bin application attempted to load
/usr/local/firefox/extensions/talkback@mozilla.org/components/libqfaservices.so
which requires text relocation. This is a potential security problem. Most
libraries do not need this permission. Libraries are sometimes coded incorrectly
and request this permission. The SELinux Memory Protection Tests web page
explains how to remove this requirement. You can configure SELinux temporarily
to allow
/usr/local/firefox/extensions/talkback@mozilla.org/components/libqfaservices.so
to use relocation as a workaround, until the library is fixed. Please file a bug
report against this package.

Allowing Access
===============
If you trust
/usr/local/firefox/extensions/talkback@mozilla.org/components/libqfaservices.so
to run correctly, you can change the file context to textrel_shlib_t. "chcon -t
textrel_shlib_t
/usr/local/firefox/extensions/talkback@mozilla.org/components/libqfaservices.so"The
following command will allow this access:chcon -t textrel_shlib_t
/usr/local/firefox/extensions/talkback@mozilla.org/components/libqfaservices.so
Comment 1 Austin 2007-09-24 23:34:57 EDT
Created attachment 204791 [details]
Additional information from the SE Troubleshooter browser
Comment 2 jerry stutte 2007-09-26 18:03:21 EDT
Created attachment 207691 [details]
selinux description of requested bug report on firefox

First occurence was noticed post install of fc7, install was followed by 
firefox install and kernel update.

SELinux reported the incident while installing google earth


Similiar problem,

SELinux is preventing /usr/lib/firefox-2.0.0.5/firefox-bin from loading
/usr/lib/firefox-2.0.0.5/plugins/nppdf.so which requires text relocation.

Detailed DescriptionThe /usr/lib/firefox-2.0.0.5/firefox-bin application
attempted to load /usr/lib/firefox-2.0.0.5/plugins/nppdf.so which requires text
relocation. This is a potential security problem. Most libraries do not need
this permission. Libraries are sometimes coded incorrectly and request this
permission. 

This SELinux trouble shooter report is very similiar to Bug 304421

Q applying the temporary fix/work around suggested by SELinux trouble shooter,
what is the probability of a security breach, until the lib's text relocation 
code is addressed.

Please file a bug report against this package.	Allowing Access If you trust
/usr/lib/firefox-2.0.0.5/plugins/nppdf.so to run correctly, you can change the
file context to textrel_shlib_t. "chcon -t textrel_shlib_t
/usr/lib/firefox-2.0.0.5/plugins/nppdf.so"The following command will allow this
access:chcon -t textrel_shlib_t /usr/lib/firefox-2.0.0.5/plugins/nppdf.so
Comment 3 Matěj Cepl 2008-02-21 17:35:12 EST
At this point, we're going to only be taking security fixes and major stability
fixes into this release of Fedora.  However, we still want to ensure the bug is
fixed in the next version.  We'd appreciate if you could test Firefox 3,
available at http://www.mozilla.com/en-US/firefox/all-beta.html or now shipping
as the default in Fedora rawhide and provide feedback as to whether it still
exists so we can file a ticket upstream to try to fix it in Firefox 3 before it
is released.
Comment 4 Matěj Cepl 2008-02-21 17:36:34 EST
At this point, we're going to only be taking security fixes and major stability
fixes into this release of Fedora.  However, we still want to ensure the bug is
fixed in the next version.  We'd appreciate if you could test Firefox 3,
available at http://www.mozilla.com/en-US/firefox/all-beta.html or now shipping
as the default in Fedora rawhide and provide feedback as to whether it still
exists so we can file a ticket upstream to try to fix it in Firefox 3 before it
is released.
Comment 5 Austin 2008-02-27 23:02:04 EST
I've tried out Firefox 3 beta 3 and it does not appear to generate any SE Linux
alerts. At least none appeared to be logged in var log messages.
Comment 6 Matěj Cepl 2008-02-28 10:02:36 EST
Thanks for letting us know.

Note You need to log in before you can comment on or make changes to this bug.