Description of problem:
SELinux is preventing firefox(/usr/lib/firefox-3.0b3pre/firefox) from making the program stack executable.

Summary:
SELinux is preventing firefox(/usr/lib/firefox-3.0b3pre/firefox) from making the program stack executable.

Detailed Description:
The firefox(/usr/lib/firefox-3.0b3pre/firefox) application attempted to make its stack executable. This is a potential security problem. This should never ever be necessary. Stack memory is not executable on most OSes these days and this will not change. Executable stack memory is one of the biggest security problems. An execstack error might in fact be most likely raised by malicious code. Applications are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. If firefox(/usr/lib/firefox-3.0b3pre/firefox) does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:
Sometimes a library is accidentally marked with the execstack flag, if you find a library with this flag you can clear it with the execstack -c LIBRARY_PATH. Then retry your application. If the app continues to not work, you can turn the flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust firefox(/usr/lib/firefox-3.0b3pre/firefox) to run correctly, you can change the context of the executable to unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t firefox(/usr/lib/firefox-3.0b3pre/firefox)" You must also change the default file context files on the system in order to preserve them even on a full relabel.
"semanage fcontext -a -t unconfined_execmem_exec_t firefox(/usr/lib/firefox-3.0b3pre/firefox)"

The following command will allow this access:
chcon -t unconfined_execmem_exec_t firefox(/usr/lib/firefox-3.0b3pre/firefox)

Additional Information:
Source Context        unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context        unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects        None [ process ]
Source                firefox(/usr/lib/firefox-3.0b3pre/firefox)
Port                  <Unknown>
Host                  cirithungol
Source RPM Packages
Target RPM Packages
Policy RPM            selinux-policy-3.2.5-18.fc9
Selinux Enabled       True
Policy Type           targeted
MLS Enabled           True
Enforcing Mode        Enforcing
Plugin Name           allow_execstack
Host Name             cirithungol
Platform              Linux cirithungol 2.6.24-0.167.rc8.git4.fc9 #1 SMP Tue Jan 22 23:19:19 EST 2008 i686 i686
Alert Count           4
First Seen            Thu 24 Jan 2008 07:36:22 PM PST
Last Seen             Thu 24 Jan 2008 07:43:28 PM PST
Local ID              7cb771ec-3b41-42a4-a87c-dd4a0045120a
Line Numbers

Raw Audit Messages
host=cirithungol type=AVC msg=audit(1201232608.618:45): avc: denied { execstack } for pid=4601 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
host=cirithungol type=SYSCALL msg=audit(1201232608.618:45): arch=40000003 syscall=125 success=no exit=-13 a0=bff2a000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=3872 pid=4601 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="firefox" exe="/usr/lib/firefox-3.0b3pre/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Version-Release number of selected component (if applicable):
- rpm -q firefox selinux-policy-targeted
firefox-3.0-0.beta2.12.nightly20080121.fc9.i386
selinux-policy-targeted-3.2.5-18.fc9.noarch

How reproducible:
consistently

Steps to Reproduce:
1. navigate to a new extension .xpi link, click link https://addons.mozilla.org/en-US/firefox/addon/722
2. allow site to install extension (notification bar)
3. avc denial occurs as install extension window opens
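As an added example (not part of the bug report or of setroubleshoot's output), a small Python check that does what the "execstack -c LIBRARY_PATH" step above relies on: it reads the ELF program headers of a plugin such as libflashplayer.so, reports whether its PT_GNU_STACK entry requests an executable stack (the condition behind this execstack AVC), and clears the PF_X bit the way execstack -c does. build_elf32 is a helper that constructs a minimal, non-loadable sample image so the check can be run offline; it is not a real library.

```python
import struct

PT_GNU_STACK = 0x6474E551  # program header type that declares stack permissions
PF_X = 0x1                 # "executable" bit in p_flags


def _gnu_stack_flags_offset(elf):
    """Return the file offset of p_flags in the PT_GNU_STACK entry, or None."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64, end = elf[4] == 2, ("<" if elf[5] == 1 else ">")
    if is64:
        (phoff,) = struct.unpack_from(end + "Q", elf, 0x20)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 0x36)
    else:
        (phoff,) = struct.unpack_from(end + "I", elf, 0x1C)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 0x2A)
    for i in range(phnum):
        off = phoff + i * phentsize
        (p_type,) = struct.unpack_from(end + "I", elf, off)
        if p_type == PT_GNU_STACK:
            return off + (4 if is64 else 24)  # p_flags follows p_type (64) / p_memsz (32)
    return None

def needs_execstack(elf):
    """True if the object asks the loader for an executable stack (PF_X set), which is
    what raises the execstack AVC; no PT_GNU_STACK entry at all counts as executable."""
    off = _gnu_stack_flags_offset(elf)
    if off is None:
        return True
    (p_flags,) = struct.unpack_from(("<" if elf[5] == 1 else ">") + "I", elf, off)
    return bool(p_flags & PF_X)

def clear_execstack(elf):
    """Return a copy with PF_X cleared on PT_GNU_STACK, the edit `execstack -c` makes."""
    off = _gnu_stack_flags_offset(elf)
    if off is None:
        raise ValueError("no PT_GNU_STACK entry to rewrite")
    end = "<" if elf[5] == 1 else ">"
    (p_flags,) = struct.unpack_from(end + "I", elf, off)
    out = bytearray(elf)
    struct.pack_into(end + "I", out, off, p_flags & ~PF_X)
    return bytes(out)

def build_elf32(stack_flags):
    """Constructed, non-loadable i386 ET_DYN image with a single PT_GNU_STACK entry."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)  # ELFCLASS32, little-endian, EV_CURRENT
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 3, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    return ehdr + struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
```

On a real system, needs_execstack(open(path, "rb").read()) agrees with "execstack -q" and with the RWE flag readelf -lW prints for GNU_STACK; writing clear_execstack's result back is the rewrite execstack -c performs.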
Ok it could be flash's fault:
LoadPlugin: failed to initialize shared library /home/lordmorgul/.mozilla/plugins/libflashplayer.so [/home/lordmorgul/.mozilla/plugins/libflashplayer.so: cannot enable executable stack as shared object requires: Permission denied]
Noticed bug# 215424 and this may be the same issue though, since a totem realplayer plugin is also installed.
Ok, removed totem-mozplugin and it no longer shows up in the list, flash still causes the same denial.
Shockwave Flash
File name: nswrapper_32_32.libswfdecmozilla.so
Shockwave Flash 9.0 r100
Could you remove the flash in your /home directory and reinstall with "Yum option" (according to http://www.adobe.com/shockwave/download/download.cgi?P1_Prod_Version=ShockwaveFlash) from the proper Adobe repository? Does it help? I am not sure how much SELinux likes programs in /home. Dan?
-> ls -al /home/lordmorgul/.mozilla/plugins
-rw-r----- 1 lordmorgul lordmorgul     856 2005-05-16 01:02 flashplayer.xpt
-rwxr-x--- 1 lordmorgul lordmorgul 2096844 2005-05-16 01:02 libflashplayer.so

Wow.. sorry, my mistake. That is an old flash lib. This is a home that's migrated since RHL (through many rawhide cycles), but I try to make sure this sort of thing is cleaned before reporting something like this, and I migrate as little as possible. For some reason this file just started taking loading precedence, maybe because I changed firefox profiles around. (I did have system wide flash installed, but I just refreshed it, removed the home file, and it all works.) I'm sure selinux was doing exactly what it should have been doing here.