Bug 522801 - setroubleshoot: SELinux is preventing /usr/lib/firefox-3.5.2/firefox (deleted) from changing a writable memory segment executable.
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: i386
OS: Linux
low
medium
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:8b4e6fa7e59...
Reported: 2009-09-11 14:19 UTC by isada
Modified: 2009-10-20 21:03 UTC

Doc Type: Bug Fix
Last Closed: 2009-10-20 21:03:19 UTC
Description isada 2009-09-11 14:19:03 UTC
The following was filed automatically by setroubleshoot:

Summary:

SELinux is preventing /usr/lib/firefox-3.5.2/firefox (deleted) from changing a
writable memory segment executable.

Detailed Description:

[firefox has a permissive type (unconfined_t). This access was not denied.]

The firefox application attempted to change the access protection of memory
(e.g., allocated using malloc). This is a potential security problem.
Applications should not be doing this. Applications are sometimes coded
incorrectly and request this permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. If firefox does not work and you need it to work, you
can configure SELinux temporarily to allow this access until the application is
fixed. Please file a bug report against this package.

Allowing Access:

If you trust firefox to run correctly, you can change the context of the
executable to execmem_exec_t. "chcon -t execmem_exec_t
'/usr/lib/firefox-3.5.2/firefox (deleted)'". You must also change the default
file context files on the system in order to preserve them even on a full
relabel. "semanage fcontext -a -t execmem_exec_t '/usr/lib/firefox-3.5.2/firefox
(deleted)'"

Fix Command:

chcon -t execmem_exec_t '/usr/lib/firefox-3.5.2/firefox (deleted)'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                None [ process ]
Source                        firefox
Source Path                   /usr/lib/firefox-3.5.2/firefox
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.31-2.fc12
SELinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execmem
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31-2.fc12.i686 #1 SMP Thu Sep 10 00:41:03 EDT 2009 i686 i686
Alert Count                   3
First Seen                    Fri 11 Sep 2009 11:31:50 CEST
Last Seen                     Fri 11 Sep 2009 16:17:17 CEST
Local ID                      43dc4fb9-4648-40c9-88ed-d349857e4e1b
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1252678637.197:80): avc:  denied  { execmem } for  pid=2798 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=(removed) type=SYSCALL msg=audit(1252678637.197:80): arch=40000003 syscall=125 success=yes exit=0 a0=3d1f000 a1=1000 a2=7 a3=b7b7b000 items=0 ppid=2783 pid=2798 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="firefox" exe=2F7573722F6C69622F66697265666F782D332E352E322F66697265666F78202864656C6574656429 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)


audit2allow suggests:

#============= unconfined_t ==============
allow unconfined_t self:process execmem;
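
The raw audit messages above and the audit2allow suggestion that follows them are the two pieces an analyst actually works from, so here is an added triage script (written for this page, not part of the setroubleshoot report, the selinux-policy project or any comment on this bug). It parses the AVC and SYSCALL records, joins them on the audit serial, hex-decodes the `exe=` field (auditd hex-encodes string fields that contain spaces, which is why the " (deleted)" suffix turned it into hex), decodes `syscall=125` as mprotect for `arch=40000003` (AUDIT_ARCH_I386) and `a2=7` as the requested protection bits, flags that `success=yes` beside a denial means the access was not actually blocked, and prints the rule audit2allow would emit so its breadth is visible. The sample log is the two records quoted in this report; the set of hex-encoded field names and the one-entry syscall table are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input: the two raw audit records quoted in this bug report,
# joined back into one log excerpt (hostname already redacted by the reporter).
SAMPLE_AUDIT_LOG = """\
node=(removed) type=AVC msg=audit(1252678637.197:80): avc:  denied  { execmem } for  pid=2798 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
node=(removed) type=SYSCALL msg=audit(1252678637.197:80): arch=40000003 syscall=125 success=yes exit=0 a0=3d1f000 a1=1000 a2=7 a3=b7b7b000 items=0 ppid=2783 pid=2798 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="firefox" exe=2F7573722F6C69622F66697265666F782D332E352E322F66697265666F78202864656C6574656429 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
"""

TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')      # key=value or key="quoted value"
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')
SERIAL_RE = re.compile(r'audit\(([\d.]+):(\d+)\)')

# auditd hex-encodes these string fields when they contain spaces or quotes;
# the field list is this example's assumption, not an exhaustive one.
HEX_STRING_FIELDS = {"exe", "comm", "cwd", "name", "path", "proctitle"}
AUDIT_ARCH_I386 = "40000003"
I386_SYSCALLS = {125: "mprotect"}        # only the number seen in this report
PROT_FLAGS = {1: "PROT_READ", 2: "PROT_WRITE", 4: "PROT_EXEC"}


def decode_field(key, value):
    """Strip quotes, or hex-decode the string fields auditd encodes."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if key in HEX_STRING_FIELDS and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value


def parse_record(line):
    """Turn one audit line into a dict; AVC lines also get result + permissions."""
    rec = {k: decode_field(k, v) for k, v in TOKEN_RE.findall(line)}
    m = SERIAL_RE.search(line)
    if m:
        rec["timestamp"], rec["serial"] = m.group(1), int(m.group(2))
    m = AVC_RE.search(line)
    if m:
        rec["avc_result"] = m.group(1)
        rec["permissions"] = m.group(2).split()
    return rec


def correlate(log_text):
    """Group records by audit serial so each AVC sits beside its SYSCALL."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events[rec.get("serial")][rec["type"]] = rec
    return dict(events)


def triage_execmem(event):
    """Summarise an execmem event the way an analyst would want to read it."""
    avc = event["AVC"]
    sc = event.get("SYSCALL", {})
    source_type = avc["scontext"].split(":")[2]
    perms = avc.get("permissions", [])
    summary = {
        "comm": avc.get("comm"),
        "pid": int(avc["pid"]),
        "permissions": perms,
        "source_type": source_type,
        "tclass": avc.get("tclass"),
        # The rule audit2allow would emit for this AVC; for unconfined_t it
        # grants execmem to every unconfined process, not just the plugin.
        "audit2allow_rule": "allow %s self:%s %s;" % (source_type, avc.get("tclass"), " ".join(perms)),
    }
    if sc:
        nr = int(sc["syscall"])
        name = "syscall_%d" % nr
        if sc.get("arch") == AUDIT_ARCH_I386:
            name = I386_SYSCALLS.get(nr, name)
        summary["syscall"] = name
        summary["exe"] = sc.get("exe")
        # "(deleted)" means the binary on disk was replaced (e.g. by an update)
        # while the process kept running the old image.
        summary["exe_replaced_on_disk"] = (sc.get("exe") or "").endswith(" (deleted)")
        if name == "mprotect":               # mprotect(addr, len, prot): a2 is prot
            prot = int(sc["a2"], 16)
            summary["prot"] = [n for bit, n in PROT_FLAGS.items() if prot & bit]
        # success=yes next to an AVC denial means nothing was blocked: the domain
        # or the whole system is permissive and only the audit trail remains.
        summary["actually_blocked"] = sc.get("success") != "yes"
    return summary


if __name__ == "__main__":
    for serial, event in correlate(SAMPLE_AUDIT_LOG).items():
        if "AVC" in event and "execmem" in event["AVC"].get("permissions", []):
            for k, v in triage_execmem(event).items():
                print("%-22s %s" % (k, v))
```

Run against real data with `ausearch -m AVC,SYSCALL --raw` piped in place of the constructed sample. For this report the output shows the request was a PROT_READ|PROT_WRITE|PROT_EXEC mprotect from an unconfined_t process that was not blocked, and that the audit2allow rule would loosen every unconfined process rather than the plugin that needs it, which is why the follow-up in the comments reaches for the nspluginwrapper boolean instead of that rule.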

Comment 1 Daniel Walsh 2009-09-11 14:34:55 UTC
Are you running flash or some plugin that is causing firefox to need execmem?


What is the label on firefox

ls -lZ /usr/lib/firefox-3.5.2/firefox

You can install nspluginwrapper and turn on the allow_unconfined_nsplugin_transition boolean.

Comment 2 Daniel Walsh 2009-09-11 14:38:22 UTC
Actually, if you turn off the allow_unconfined_nsplugin_transition boolean, this should work for you.

setsebool -P allow_unconfined_nsplugin_transition 0

Comment 3 isada 2009-09-11 17:46:28 UTC
Yes, I was running Firefox with Adobe flash.

bash-4.0$ ls -lZ /usr/lib/firefox-3.5.2/firefox
-rwxr-xr-x. root root system_u:object_r:mozilla_exec_t:s0 /usr/lib/firefox-3.5.2/firefox

SELinux doesn't start after your solution.

Comment 4 Daniel Walsh 2009-09-11 18:27:05 UTC
I don't know what you mean by

SELinux doesn't start after your solution

The machine does not boot?  Firefox will not start?  Which solution did you do?

Comment 5 isada 2009-09-13 22:22:58 UTC
I did

setsebool -P allow_unconfined_nsplugin_transition 0

And then no more "SELinux Security Alert" starts after running Firefox.
