Bug 510950 - SELinux is preventing thunderbird-bin from changing a writable memory segment executable.
SELinux is preventing thunderbird-bin from changing a writable memory segment...
Status: CLOSED DUPLICATE of bug 512845
Product: Fedora
Classification: Fedora
Component: thunderbird (Show other bugs)
11
All Linux
low Severity medium
: ---
: ---
Assigned To: Gecko Maintainer
Fedora Extras Quality Assurance
: SELinux
Depends On:
Blocks: F12Blocker/F12FinalBlocker
  Show dependency treegraph
 
Reported: 2009-07-12 15:22 EDT by Edwin ten Brink
Modified: 2009-09-28 14:42 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-09-28 14:42:59 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Edwin ten Brink 2009-07-12 15:22:24 EDT
Summary:

SELinux is preventing thunderbird-bin from changing a writable memory segment
executable.

Detailed Description:

The thunderbird-bin application attempted to change the access protection of
memory (e.g., allocated using malloc). This is a potential security problem.
Applications should not be doing this. Applications are sometimes coded
incorrectly and request this permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. If thunderbird-bin does not work and you need it to
work, you can configure SELinux temporarily to allow this access until the
application is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you trust thunderbird-bin to run correctly, you can change the context of the
executable to execmem_exec_t. "chcon -t execmem_exec_t
'/usr/lib/thunderbird-3.0b2/thunderbird-bin'". You must also change the default
file context files on the system in order to preserve them even on a full
relabel. "semanage fcontext -a -t execmem_exec_t
'/usr/lib/thunderbird-3.0b2/thunderbird-bin'"

Fix Command:

chcon -t execmem_exec_t '/usr/lib/thunderbird-3.0b2/thunderbird-bin'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0
Target Context                unconfined_u:unconfined_r:unconfined_t:s0
Target Objects                None [ process ]
Source                        thunderbird-bin
Source Path                   /usr/lib/thunderbird-3.0b2/thunderbird-bin
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           thunderbird-3.0-2.3.beta2.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-53.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execmem
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.29.5-191.fc11.i586
                              #1 SMP Tue Jun 16 23:11:39 EDT 2009 i686 i686
Alert Count                   8
First Seen                    Sun 12 Jul 2009 08:49:33 PM CEST
Last Seen                     Sun 12 Jul 2009 08:49:51 PM CEST
Local ID                      5a6c7ebf-2a91-4450-bc06-11183ac4a95d
Line Numbers                  

Raw Audit Messages            

node=localhost.localdomain type=AVC msg=audit(1247424591.357:31388): avc:  denied  { execmem } for  pid=2337 comm="thunderbird-bin" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process

node=localhost.localdomain type=SYSCALL msg=audit(1247424591.357:31388): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=2000 a2=7 a3=22 items=0 ppid=2333 pid=2337 auid=500 uid=500 gid=100 euid=500 suid=500 fsuid=500 egid=100 sgid=100 fsgid=100 tty=(none) ses=1 comm="thunderbird-bin" exe="/usr/lib/thunderbird-3.0b2/thunderbird-bin" subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null)
Comment 1 Daniel Walsh 2009-07-14 10:47:36 EDT
Did you install some extension or plugin that might be causing thunderbird to need this access?
Comment 2 Edwin ten Brink 2009-07-14 15:02:32 EDT
The AVC denial came as soon as I upgraded from Fedora 10 to Fedora 11 via preupgrade. No new add-ons have been installed AFAIK.

The AVC denial comes (always times 4) as soon as I start Thunderbird and before the window is visualized, but does not seem to be occurring during normal use.

To be on the safe side, this is what I have installed on Thunderbird:
Dictionaries: German, Dutch
Themes: Default
Languages: A bunch that comes by default with Fedora
Plugins (which were actually installed for Firefox): Gecko Media Player 0.9.6, IcedTea Java Web Browser 1.5, Shockwave Flash 10.0 r22.
Comment 3 Daniel Walsh 2009-07-14 16:05:13 EDT
I would figure this is flash or java causing the problem.  You can mark thunderbird as execmem_exec_t as the tool suggest.
Comment 4 Daniel Walsh 2009-07-15 09:18:18 EDT
Cpardy is reporting seeing this on gnome-help browser also.  So I think this might be in a gnome library?
Comment 5 Matthias Clasen 2009-09-26 00:07:48 EDT
the commonality between yelp and thunderbird is that they both use xulrunner.
Comment 6 Christopher Aillon 2009-09-28 14:42:59 EDT

*** This bug has been marked as a duplicate of bug 512845 ***

Note You need to log in before you can comment on or make changes to this bug.