Description of problem:
Every once in a while, selinux and firefox do not play nice with each other.

Summary:
SELinux is preventing firefox from making the program stack executable.

Detailed Description:
The firefox application attempted to make its stack executable. This is a potential security problem. This should never ever be necessary. Stack memory is not executable on most OSes these days and this will not change. Executable stack memory is one of the biggest security problems. An execstack error might in fact be most likely raised by malicious code. Applications are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. If firefox does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:
Sometimes a library is accidentally marked with the execstack flag, if you find a library with this flag you can clear it with the execstack -c LIBRARY_PATH. Then retry your application. If the app continues to not work, you can turn the flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust firefox to run correctly, you can change the context of the executable to unconfined_execmem_exec_t.
"chcon -t unconfined_execmem_exec_t '/usr/lib/firefox-3.0b4pre/firefox'"
You must also change the default file context files on the system in order to preserve them even on a full relabel.
"semanage fcontext -a -t unconfined_execmem_exec_t '/usr/lib/firefox-3.0b4pre/firefox'"

The following command will allow this access:
chcon -t unconfined_execmem_exec_t '/usr/lib/firefox-3.0b4pre/firefox'

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
Target Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
Target Objects                None [ process ]
Source                        firefox
Source Path                   /usr/lib/firefox-3.0b3pre/firefox
Port                          <Unknown>
Host                          localhost
Source RPM Packages           firefox-3.0-0.beta2.16.nightly20080206.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.2.7-1.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execstack
Host Name                     localhost
Platform                      Linux localhost 2.6.24-23.fc9 #1 SMP Wed Feb 6 11:36:31 EST 2008 i686 athlon
Alert Count                   11
First Seen                    Fri 01 Feb 2008 05:08:54 PM CST
Last Seen                     Sat 09 Feb 2008 12:35:06 PM CST
Local ID                      c4806f30-a6dc-43b0-8901-5531075795f7
Line Numbers

Raw Audit Messages
host=localhost type=AVC msg=audit(1202582106.621:28): avc: denied { execstack } for pid=9246 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
host=localhost type=SYSCALL msg=audit(1202582106.621:28): arch=40000003 syscall=125 success=no exit=-13 a0=bfa71000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=9232 pid=9246 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="firefox" exe="/usr/lib/firefox-3.0b4pre/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Version-Release number of selected component (if applicable):
firefox-3.0-0.beta2.16.nightly20080206.fc9 and selinux-policy-3.2.7-1.fc9

How reproducible:

Steps to Reproduce:
1. Launch Firefox
2. wait for setroubleshoot to start shooting denied avcs
3. find the one for firefox and exec stack

Actual results:

Expected results:
For firefox and selinux to play nice with each other.

Additional info:
Upon request
Need to look at your plugins and make sure you're loading the correct versions you expect to be (for instance an old flash lib .so in your ~/.mozilla somewhere could be getting loaded... one that needs executable stack). I do not see this happening with those versions and I do not have it permitted. Firefox should not be allowed to do that.
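The alert's "Allowing Access" note and the comment above both come down to the same triage step: find which shared object under ~/.mozilla carries the executable-stack flag (PT_GNU_STACK with PF_X set), since loading such a library is what makes glibc issue the mprotect call recorded in the audit message (syscall 125 on i386 with a2=1000007, i.e. PROT_READ|PROT_WRITE|PROT_EXEC|PROT_GROWSDOWN). The following is an added example, not code from this bug report or from the execstack tool, that reads the program headers directly with only the Python standard library; the ELF images used for testing are constructed in place and are not real libraries.

```python
import os
import struct
PT_GNU_STACK = 0x6474E551  # program header carrying the stack permissions the object asks for
PF_X = 0x1                 # p_flags bit: executable

def gnu_stack_flags(data: bytes):
    """p_flags of the PT_GNU_STACK header, or None if absent (x86 then defaults to executable)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                  # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little endian, 2 = big endian
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
    else:
        (e_phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:   # Elf64_Phdr: p_type, p_flags, p_offset, ...
            p_type, p_flags = struct.unpack_from(end + "II", data, off)
        else:      # Elf32_Phdr: p_type first, p_flags at +24
            (p_type,) = struct.unpack_from(end + "I", data, off)
            (p_flags,) = struct.unpack_from(end + "I", data, off + 24)
        if p_type == PT_GNU_STACK:
            return p_flags
    return None

def needs_execstack(data: bytes) -> bool:
    """True if loading this object makes glibc mprotect(PROT_EXEC) the stack, as in the audit record."""
    flags = gnu_stack_flags(data)
    return flags is None or bool(flags & PF_X)

def scan_shared_objects(root: str):
    """Walk root (e.g. ~/.mozilla) and return every .so that wants an executable stack."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for path in (os.path.join(dirpath, n) for n in files if ".so" in n):
            try:
                with open(path, "rb") as f:
                    if needs_execstack(f.read()):
                        hits.append(path)
            except (OSError, ValueError):  # unreadable, or not really an ELF object
                continue
    return hits

def make_elf32(p_type: int, p_flags: int) -> bytes:
    """Constructed test input: minimal little-endian ELF32 ET_DYN image with one program header."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)  # class 32, LE, version 1, then padding
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 3, 3, 1, 0, 52, 0, 0, 52, 32, 1, 40, 0, 0)
    return ehdr + struct.pack("<IIIIIIII", p_type, 0, 0, 0, 0, 0, p_flags, 16)
```

A library reported by scan_shared_objects is the candidate for `execstack -c` from the alert text; clearing the SELinux denial by relabelling the firefox binary instead leaves the executable stack in place for every library it loads.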
OK, I am not sure that firefox is that blameless, but certainly we would need you to move your ~/.mozilla folder somewhere else or rename it and then start firefox again -- does the problem appear again? Also, if it is possible for you -- could you download firefox 3 beta 2 from the upstream (http://www.mozilla.com/en-US/firefox/all-beta.html) and then tell us whether you are able to reproduce it with that as well?
Yes, I have done as you suggested, but selinux still does the same thing :( I tried 2-3 hours ago to post my findings, but CPU ran wild up to 99% and I had to close it :( Here's what happened:

Script started on Mon 11 Feb 2008 04:06:08 PM CST
[olivares@localhost ~]$ mkdir .mozilla2
[olivares@localhost ~]$ cp ~/.mozilla/* ~/.mozilla2/
cp: omitting directory `/home/olivares/.mozilla/default'
cp: omitting directory `/home/olivares/.mozilla/extensions'
cp: omitting directory `/home/olivares/.mozilla/firefox'
cp: omitting directory `/home/olivares/.mozilla/plugins'
[olivares@localhost ~]$ cp -ra ~/.mozilla/* ~/.mozilla2/
[olivares@localhost ~]$ cd .mozilla2/
[olivares@localhost .mozilla2]$ ls
appreg  extensions  mozver.dat  mplayerplug-in.types  plugins  default  firefox  mplayerplug-in.conf  pluginreg.dat
[olivares@localhost .mozilla2]$ cd ..
[olivares@localhost ~]$ ls
alarm  gdmversion.txt  Pictures  alarm~  gnome-mount-bugreport2.txt  Public  alarm2  gnome-mount-bugreport.txt  selinux_alert-20071111-1.txt  altahif  lib  selinux_alert-20071111-2.txt  bin  livecd-fedora.pdf  selinux_alert-20071111-3.txt  bugbuddy1.txt  maxout.gnuplot  share  bugbuddy1.txt~  maxout.gnuplot_pipes  Soccer  cannotstartx.txt  mbox  Templates  Desktop  Music  testgdm1.txt  Documents  nautilus-debug-log.txt  tmp  Downloads  nokde-1.txt  Videos
[olivares@localhost ~]$ exit
exit
Script done on Mon 11 Feb 2008 04:07:49 PM CST

top - 16:13:25 up 1:39, 2 users, load average: 1.07, 0.71, 0.37
Tasks: 126 total, 2 running, 124 sleeping, 0 stopped, 0 zombie
Cpu(s): 93.1%us, 6.2%sy, 0.0%ni, 0.0%id, 0.0%wa, 0.0%hi, 0.7%si, 0.0%st
Mem: 767516k total, 690100k used, 77416k free, 20912k buffers
Swap: 3114416k total, 0k used, 3114416k free, 348420k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 3167 olivares  20   0  184m  68m  25m R 85.0  9.1   1:03.99 firefox
 2368 root      20   0  188m  25m 9408 S  6.3  3.4   3:28.46 Xorg
 3199 olivares  20   0 46452  16m  10m S  2.6  2.2   0:00.37 gnome-terminal
 2703 olivares  20   0 19372 2780 1940 S  1.3  0.4   0:04.48 gnome-screensav
 2684 olivares  20   0 14840 4560 3756 S  1.0  0.6   0:22.47 at-spi-registry
 2724 olivares  20   0 25228  12m 8608 S  1.0  1.6   0:58.77 gkrellm
 3238 olivares  20   0  2384 1044  820 R  0.7  0.1   0:00.13 top
  488 root      15  -5     0    0    0 S  0.3  0.0   0:01.22 scsi_eh_1
 2719 olivares  20   0 25416  13m 9160 S  0.3  1.8   0:04.07 metacity
 2770 olivares  20   0 68668  30m  16m S  0.3  4.0   0:03.10 /usr/bin/sealer
 3192 olivares  20   0 55908  20m  13m S  0.3  2.7   0:04.47 gedit
    1 root      20   0  2224  664  576 S  0.0  0.1   0:02.34 init
    2 root      15  -5     0    0    0 S  0.0  0.0   0:00.00 kthreadd
    3 root      RT  -5     0    0    0 S  0.0  0.0   0:00.00 migration/0
    4 root      15  -5     0    0    0 S  0.0  0.0   0:00.00 ksoftirqd/0
    5 root      RT  -5     0    0    0 S  0.0  0.0   0:00.00 watchdog/0
    6 root      15  -5     0    0    0 S  0.0  0.0   0:00.06 events/0

Summary:
SELinux is preventing firefox from making the program stack executable.

Detailed Description:
The firefox application attempted to make its stack executable. This is a potential security problem. This should never ever be necessary. Stack memory is not executable on most OSes these days and this will not change. Executable stack memory is one of the biggest security problems. An execstack error might in fact be most likely raised by malicious code. Applications are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. If firefox does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:
Sometimes a library is accidentally marked with the execstack flag, if you find a library with this flag you can clear it with the execstack -c LIBRARY_PATH. Then retry your application. If the app continues to not work, you can turn the flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust firefox to run correctly, you can change the context of the executable to unconfined_execmem_exec_t.
"chcon -t unconfined_execmem_exec_t '/usr/lib/firefox-3.0b4pre/firefox'"
You must also change the default file context files on the system in order to preserve them even on a full relabel.
"semanage fcontext -a -t unconfined_execmem_exec_t '/usr/lib/firefox-3.0b4pre/firefox'"

The following command will allow this access:
chcon -t unconfined_execmem_exec_t '/usr/lib/firefox-3.0b4pre/firefox'

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
Target Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
Target Objects                None [ process ]
Source                        firefox
Source Path                   /usr/lib/firefox-3.0b3pre/firefox
Port                          <Unknown>
Host                          localhost
Source RPM Packages           firefox-3.0-0.beta2.18.nightly20080210.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.2.7-1.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execstack
Host Name                     localhost
Platform                      Linux localhost 2.6.24.1-28.fc9 #1 SMP Sun Feb 10 17:27:37 EST 2008 i686 athlon
Alert Count                   29
First Seen                    Fri 01 Feb 2008 05:08:54 PM CST
Last Seen                     Mon 11 Feb 2008 04:10:35 PM CST
Local ID                      c4806f30-a6dc-43b0-8901-5531075795f7
Line Numbers

Raw Audit Messages
host=localhost type=AVC msg=audit(1202767835.617:27): avc: denied { execstack } for pid=3167 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
host=localhost type=SYSCALL msg=audit(1202767835.617:27): arch=40000003 syscall=125 success=no exit=-13 a0=bf828000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=3153 pid=3167 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="firefox" exe="/usr/lib/firefox-3.0b4pre/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

BTW, this selinux stack exec in firefox is joined now by the one in seamonkey :(
Changing version to '9' as part of upcoming Fedora 9 GA. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Reporter, are you able to reproduce this issue with the latest package from your distribution?
Well, apparently the package of firefox has been replaced by minefield again, with firefox 3.1 or 3.2b1 or something like that. I have not seen this problem for a while now, so I can't complain.