Bug 430218 - Firefox triggers AVC denial for exec stack when installing extensions
Firefox triggers AVC denial for exec stack when installing extensions
Product: Fedora
Classification: Fedora
Component: firefox (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Gecko Maintainer
Fedora Extras Quality Assurance
: SELinux
Depends On:
  Show dependency treegraph
Reported: 2008-01-25 06:51 EST by Andrew Farris
Modified: 2008-01-25 19:01 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-01-25 19:01:07 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Andrew Farris 2008-01-25 06:51:08 EST
Description of problem:
SELinux is preventing firefox(/usr/lib/firefox-3.0b3pre/firefox) from making the
program stack executable.


SELinux is preventing firefox(/usr/lib/firefox-3.0b3pre/firefox) from making the
program stack executable.

Detailed Description:

The firefox(/usr/lib/firefox-3.0b3pre/firefox) application attempted to make its
stack executable. This is a potential security problem. This should never ever
be necessary. Stack memory is not executable on most OSes these days and this
will not change. Executable stack memory is one of the biggest security
problems. An execstack error might in fact be most likely raised by malicious
code. Applications are sometimes coded incorrectly and request this permission.
The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. If firefox(/usr/lib/firefox-3.0b3pre/firefox) does not
work and you need it to work, you can configure SELinux temporarily to allow
this access until the application is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

Sometimes a library is accidentally marked with the execstack flag, if you find
a library with this flag you can clear it with the execstack -c LIBRARY_PATH.
Then retry your application. If the app continues to not work, you can turn the
flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust
firefox(/usr/lib/firefox-3.0b3pre/firefox) to run correctly, you can change the
context of the executable to unconfined_execmem_exec_t. "chcon -t
unconfined_execmem_exec_t firefox(/usr/lib/firefox-3.0b3pre/firefox)" You must
also change the default file context files on the system in order to preserve
them even on a full relabel. "semanage fcontext -a -t unconfined_execmem_exec_t

The following command will allow this access:

chcon -t unconfined_execmem_exec_t firefox(/usr/lib/firefox-3.0b3pre/firefox)

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
Target Objects                None [ process ]
Source                        firefox(/usr/lib/firefox-3.0b3pre/firefox)
Port                          <Unknown>
Host                          cirithungol
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.2.5-18.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execstack
Host Name                     cirithungol
Platform                      Linux cirithungol 2.6.24-0.167.rc8.git4.fc9 #1 SMP
                              Tue Jan 22 23:19:19 EST 2008 i686 i686
Alert Count                   4
First Seen                    Thu 24 Jan 2008 07:36:22 PM PST
Last Seen                     Thu 24 Jan 2008 07:43:28 PM PST
Local ID                      7cb771ec-3b41-42a4-a87c-dd4a0045120a
Line Numbers                  

Raw Audit Messages            

host=cirithungol type=AVC msg=audit(1201232608.618:45): avc:  denied  {
execstack } for  pid=4601 comm="firefox"
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

host=cirithungol type=SYSCALL msg=audit(1201232608.618:45): arch=40000003
syscall=125 success=no exit=-13 a0=bff2a000 a1=1000 a2=1000007 a3=fffff000
items=0 ppid=3872 pid=4601 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500
egid=500 sgid=500 fsgid=500 tty=pts1 comm="firefox"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Version-Release number of selected component (if applicable):
 - rpm -q firefox selinux-policy-targeted

How reproducible:

Steps to Reproduce:
1. navigate to a new extension .xpi link, click link
2. allow site to install extension (notification bar)
3. avc denial occurs as install extension window opens
Comment 1 Andrew Farris 2008-01-25 07:04:15 EST
Ok it could be flash's fault:

LoadPlugin: failed to initialize shared library
[/home/lordmorgul/.mozilla/plugins/libflashplayer.so: cannot enable executable
stack as shared object requires: Permission denied]

Noticed bug# 215424 and this may be the same issue though, since a totem
realplayer plugin is also installed.
Comment 2 Andrew Farris 2008-01-25 07:08:09 EST
Ok, removed totem-mozplugin and it no longer shows up in the list, flash still
causes the same denial.

Shockwave Flash

    File name: nswrapper_32_32.libswfdecmozilla.so
    Shockwave Flash 9.0 r100
Comment 3 Matěj Cepl 2008-01-25 07:16:06 EST
Could you remove the flash in your /home directory and reinstall with "Yum
option" (according to
from the proper Adobe repository? Does it help? I am not sure how much SELinux
likes programs in /home.

Comment 4 Andrew Farris 2008-01-25 19:01:07 EST
 -> ls -al /home/lordmorgul/.mozilla/plugins
-rw-r----- 1 lordmorgul lordmorgul     856 2005-05-16 01:02 flashplayer.xpt
-rwxr-x--- 1 lordmorgul lordmorgul 2096844 2005-05-16 01:02 libflashplayer.so

Wow.. sorry my mistake.  That is an old flash lib.  This is a home thats
migrated since RHL (through many rawhide cycles) but I try to make sure this
sort of thing is cleaned before reporting something like this, and I migrate as
little as possible.  For some reason this file just started taking loading
precedence, maybe because I changed firefox profiles around. (I did have system
wide flash installed, but I just refreshed it, removed the home file, and it all

I'm sure selinux was doing exactly what it should have been doing here.

Note You need to log in before you can comment on or make changes to this bug.