Bug 432198 - firefox and selinux exec stack
firefox and selinux exec stack
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: firefox (Show other bugs)
9
All Linux
low Severity low
: ---
: ---
Assigned To: Gecko Maintainer
Fedora Extras Quality Assurance
: SELinux
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-02-09 13:44 EST by Antonio A. Olivares
Modified: 2008-12-24 06:23 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-12-24 06:23:45 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Antonio A. Olivares 2008-02-09 13:44:20 EST
Description of problem:
Every once in a while, selinux and firefox do not play nice to each other.  


Summary:

SELinux is preventing firefox from making the program stack executable.

Detailed Description:

The firefox application attempted to make its stack executable. This is a
potential security problem. This should never ever be necessary. Stack memory is
not executable on most OSes these days and this will not change. Executable
stack memory is one of the biggest security problems. An execstack error might
in fact be most likely raised by malicious code. Applications are sometimes
coded incorrectly and request this permission. The SELinux Memory Protection
Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how
to remove this requirement. If firefox does not work and you need it to work,
you can configure SELinux temporarily to allow this access until the application
is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

Sometimes a library is accidentally marked with the execstack flag, if you find
a library with this flag you can clear it with the execstack -c LIBRARY_PATH.
Then retry your application. If the app continues to not work, you can turn the
flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust firefox to
run correctly, you can change the context of the executable to
unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t
'/usr/lib/firefox-3.0b4pre/firefox'" You must also change the default file
context files on the system in order to preserve them even on a full relabel.
"semanage fcontext -a -t unconfined_execmem_exec_t
'/usr/lib/firefox-3.0b4pre/firefox'"

The following command will allow this access:

chcon -t unconfined_execmem_exec_t '/usr/lib/firefox-3.0b4pre/firefox'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-
                              SystemHigh
Target Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-
                              SystemHigh
Target Objects                None [ process ]
Source                        firefox
Source Path                   /usr/lib/firefox-3.0b3pre/firefox
Port                          <Unknown>
Host                          localhost
Source RPM Packages           firefox-3.0-0.beta2.16.nightly20080206.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.2.7-1.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execstack
Host Name                     localhost
Platform                      Linux localhost 2.6.24-23.fc9 #1 SMP Wed Feb 6
                              11:36:31 EST 2008 i686 athlon
Alert Count                   11
First Seen                    Fri 01 Feb 2008 05:08:54 PM CST
Last Seen                     Sat 09 Feb 2008 12:35:06 PM CST
Local ID                      c4806f30-a6dc-43b0-8901-5531075795f7
Line Numbers                  

Raw Audit Messages            

host=localhost type=AVC msg=audit(1202582106.621:28): avc:  denied  { execstack
} for  pid=9246 comm="firefox"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

host=localhost type=SYSCALL msg=audit(1202582106.621:28): arch=40000003
syscall=125 success=no exit=-13 a0=bfa71000 a1=1000 a2=1000007 a3=fffff000
items=0 ppid=9232 pid=9246 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500
egid=500 sgid=500 fsgid=500 tty=(none) comm="firefox"
exe="/usr/lib/firefox-3.0b4pre/firefox"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)




Version-Release number of selected component (if applicable):
firefox-3.0-0.beta2.16.nightly20080206.fc9 and selinux-policy-3.2.7-1.fc9

How reproducible:


Steps to Reproduce:
1. Launch Firefox
2. wait for setroubleshoot to start shooting denied avcs
3. find the one for firefox and exec stack 
  
Actual results:


Expected results:
For firefox and selinux to play nice with each other.  

Additional info:
Upon request
Comment 1 Andrew Farris 2008-02-09 17:32:17 EST
Need to look at your plugins and make sure you're loading the correct versions you expect to be (for 
instance an old flash lib .so in your ~/.mozilla somewhere could be getting loaded... one that needs 
executable stack.  I do not see this happening with those versions and I do not have it permitted.  Firefox 
should not be allowed to do that.
Comment 2 Matěj Cepl 2008-02-11 16:56:10 EST
OK, I am not sure that firefox is that blameless, but certainly we would need
you to move your ~/.mozilla folder somewhere else or rename it and then start
firefox again -- does the problem appears again?

Also, if it is possible for you -- could you download firefox 3 beta 2 from the
upstream (http://www.mozilla.com/en-US/firefox/all-beta.html) and then tell us
whether you are able to reproduce it with that as well?
Comment 3 Antonio A. Olivares 2008-02-11 19:45:27 EST
Yes, I have done as you suggested, still selinux still does the same thing :(

I tried 2-3 hours ago to post my findings, but CPU ran wild up to 99% and I had
to  close it :(

Here's what happened 

Script started on Mon 11 Feb 2008 04:06:08 PM CST
]0;olivares@localhost:~[?1034h[olivares@localhost ~]$ rm -r[K[K[K[K[Kcp
!~[K[K~/.mozilla//[K* ~/.mozilla/[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[Kmkdir
.mozilla/[K2

]0;olivares@localhost:~[olivares@localhost ~]$ cp
!~[K[K~[K~/.mozilla//[K* ~![K[K~/.mozilla2/

cp: omitting directory `/home/olivares/.mozilla/default'

cp: omitting directory `/home/olivares/.mozilla/extensions'

cp: omitting directory `/home/olivares/.mozilla/firefox'

cp: omitting directory `/home/olivares/.mozilla/plugins'

]0;olivares@localhost:~[olivares@localhost ~]$ cp ~/.mozilla/* ~/.mozilla2/[C[C[1@-[1@r[1@a[1@
[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C[C

]0;olivares@localhost:~[olivares@localhost ~]$ cd .mozilla2/

]0;olivares@localhost:~/.mozilla2[olivares@localhost .mozilla2]$ ls

[00m[00mappreg[00m   [00;34mextensions[00m  [00mmozver.dat[00m      
    [00mmplayerplug-in.types[00m  [00;34mplugins[00m

[00;34mdefault[00m  [00;34mfirefox[00m     [00mmplayerplug-in.conf[00m
 [00mpluginreg.dat[00m

[m]0;olivares@localhost:~/.mozilla2[olivares@localhost .mozilla2]$ cd ..

]0;olivares@localhost:~[olivares@localhost ~]$ ls

[00m[00;32malarm[00m             [00mgdmversion.txt[00m             
[00;34mPictures[00m

[00malarm~[00m            [00mgnome-mount-bugreport2.txt[00m 
[00;34mPublic[00m

[00;32malarm2[00m            [00mgnome-mount-bugreport.txt[00m  
[00mselinux_alert-20071111-1.txt[00m

[00maltahif[00m           [00;34mlib[00m                        
[00mselinux_alert-20071111-2.txt[00m

[00;34mbin[00m               [00mlivecd-fedora.pdf[00m          
[00mselinux_alert-20071111-3.txt[00m

[00mbugbuddy1.txt[00m     [00mmaxout.gnuplot[00m              [00;34mshare[00m

[00mbugbuddy1.txt~[00m    [00mmaxout.gnuplot_pipes[00m       
[00;34mSoccer[00m

[00mcannotstartx.txt[00m  [00mmbox[00m                       
[00;34mTemplates[00m

[00;34mDesktop[00m           [00;34mMusic[00m                      
[00mtestgdm1.txt[00m

[00;34mDocuments[00m         [00mnautilus-debug-log.txt[00m     
[00;34mtmp[00m

[00;34mDownloads[00m         [00mnokde-1.txt[00m                
[00;34mVideos[00m

[m]0;olivares@localhost:~[olivares@localhost ~]$ exit

exit


Script done on Mon 11 Feb 2008 04:07:49 PM CST


top - 16:13:25 up  1:39,  2 users,  load average: 1.07, 0.71, 0.37
Tasks: 126 total,   2 running, 124 sleeping,   0 stopped,   0 zombie
Cpu(s): 93.1%us,  6.2%sy,  0.0%ni,  0.0%id,  0.0%wa,  0.0%hi,  0.7%si,  0.0%st
Mem:    767516k total,   690100k used,    77416k free,    20912k buffers
Swap:  3114416k total,        0k used,  3114416k free,   348420k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND            
 3167 olivares  20   0  184m  68m  25m R 85.0  9.1   1:03.99 firefox            
 2368 root      20   0  188m  25m 9408 S  6.3  3.4   3:28.46 Xorg               
 3199 olivares  20   0 46452  16m  10m S  2.6  2.2   0:00.37 gnome-terminal     
 2703 olivares  20   0 19372 2780 1940 S  1.3  0.4   0:04.48 gnome-screensav    
 2684 olivares  20   0 14840 4560 3756 S  1.0  0.6   0:22.47 at-spi-registry    
 2724 olivares  20   0 25228  12m 8608 S  1.0  1.6   0:58.77 gkrellm            
 3238 olivares  20   0  2384 1044  820 R  0.7  0.1   0:00.13 top                
  488 root      15  -5     0    0    0 S  0.3  0.0   0:01.22 scsi_eh_1          
 2719 olivares  20   0 25416  13m 9160 S  0.3  1.8   0:04.07 metacity           
 2770 olivares  20   0 68668  30m  16m S  0.3  4.0   0:03.10 /usr/bin/sealer    
 3192 olivares  20   0 55908  20m  13m S  0.3  2.7   0:04.47 gedit              
    1 root      20   0  2224  664  576 S  0.0  0.1   0:02.34 init               
    2 root      15  -5     0    0    0 S  0.0  0.0   0:00.00 kthreadd           
    3 root      RT  -5     0    0    0 S  0.0  0.0   0:00.00 migration/0        
    4 root      15  -5     0    0    0 S  0.0  0.0   0:00.00 ksoftirqd/0        
    5 root      RT  -5     0    0    0 S  0.0  0.0   0:00.00 watchdog/0         
    6 root      15  -5     0    0    0 S  0.0  0.0   0:00.06 events/0           

top - 16:13:25 up  1:39,  2 users,  load average: 1.07, 0.71, 0.37
Tasks: 126 total,   2 running, 124 sleeping,   0 stopped,   0 zombie
Cpu(s): 93.1%us,  6.2%sy,  0.0%ni,  0.0%id,  0.0%wa,  0.0%hi,  0.7%si,  0.0%st
Mem:    767516k total,   690100k used,    77416k free,    20912k buffers
Swap:  3114416k total,        0k used,  3114416k free,   348420k cached

  
Summary:

SELinux is preventing firefox from making the program stack executable.

Detailed Description:

The firefox application attempted to make its stack executable. This is a
potential security problem. This should never ever be necessary. Stack memory is
not executable on most OSes these days and this will not change. Executable
stack memory is one of the biggest security problems. An execstack error might
in fact be most likely raised by malicious code. Applications are sometimes
coded incorrectly and request this permission. The SELinux Memory Protection
Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how
to remove this requirement. If firefox does not work and you need it to work,
you can configure SELinux temporarily to allow this access until the application
is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

Sometimes a library is accidentally marked with the execstack flag, if you find
a library with this flag you can clear it with the execstack -c LIBRARY_PATH.
Then retry your application. If the app continues to not work, you can turn the
flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust firefox to
run correctly, you can change the context of the executable to
unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t
'/usr/lib/firefox-3.0b4pre/firefox'" You must also change the default file
context files on the system in order to preserve them even on a full relabel.
"semanage fcontext -a -t unconfined_execmem_exec_t
'/usr/lib/firefox-3.0b4pre/firefox'"

The following command will allow this access:

chcon -t unconfined_execmem_exec_t '/usr/lib/firefox-3.0b4pre/firefox'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-
                              SystemHigh
Target Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-
                              SystemHigh
Target Objects                None [ process ]
Source                        firefox
Source Path                   /usr/lib/firefox-3.0b3pre/firefox
Port                          <Unknown>
Host                          localhost
Source RPM Packages           firefox-3.0-0.beta2.18.nightly20080210.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.2.7-1.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execstack
Host Name                     localhost
Platform                      Linux localhost 2.6.24.1-28.fc9 #1 SMP Sun Feb 10
                              17:27:37 EST 2008 i686 athlon
Alert Count                   29
First Seen                    Fri 01 Feb 2008 05:08:54 PM CST
Last Seen                     Mon 11 Feb 2008 04:10:35 PM CST
Local ID                      c4806f30-a6dc-43b0-8901-5531075795f7
Line Numbers                  

Raw Audit Messages            

host=localhost type=AVC msg=audit(1202767835.617:27): avc:  denied  { execstack
} for  pid=3167 comm="firefox"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

host=localhost type=SYSCALL msg=audit(1202767835.617:27): arch=40000003
syscall=125 success=no exit=-13 a0=bf828000 a1=1000 a2=1000007 a3=fffff000
items=0 ppid=3153 pid=3167 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500
egid=500 sgid=500 fsgid=500 tty=(none) comm="firefox"
exe="/usr/lib/firefox-3.0b4pre/firefox"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)


BTW, 

this selinux stack exec in firefox, is joined now by the one in seamonkey :(

Comment 4 Bug Zapper 2008-05-14 01:06:56 EDT
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 5 Matěj Cepl 2008-12-23 12:01:10 EST
Reporter, are you able to reproduce this issue with the latest package from your distribution?
Comment 6 Antonio A. Olivares 2008-12-23 12:11:56 EST
Well apparently the package of firefox has been replaced by minefield again, with firefox 3.1 or 3.2b1 or something like that.  I have not seen this problem for a while now, so I can't complain.

Note You need to log in before you can comment on or make changes to this bug.