The following was filed automatically by setroubleshoot:

Summary:

SELinux is preventing /usr/lib/firefox-3.5.3/firefox from changing a writable memory segment executable.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

The firefox application attempted to change the access protection of memory (e.g., allocated using malloc). This is a potential security problem. Applications should not be doing this. Applications are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. If firefox does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a bug report against this package.

Allowing Access:

If you trust firefox to run correctly, you can change the context of the executable to execmem_exec_t. "chcon -t execmem_exec_t '/usr/lib/firefox-3.5.3/firefox'". You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t execmem_exec_t '/usr/lib/firefox-3.5.3/firefox'"

Fix Command:

chcon -t execmem_exec_t '/usr/lib/firefox-3.5.3/firefox'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                None [ process ]
Source                        mutter
Source Path                   /usr/bin/mutter
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           firefox-3.5.3-1.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-1.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   allow_execmem
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31-23.fc12.i686.PAE #1 SMP Wed Sep 16 15:53:47 EDT 2009 i686 i686
Alert Count                   4
First Seen                    Fri 18 Sep 2009 13:55:23
Last Seen                     Fri 18 Sep 2009 16:09:45
Local ID                      5a8b2da7-8bea-482e-82d0-782fe1f299c5
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1253261385.990:32): avc: denied { execmem } for pid=2027 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=(removed) type=SYSCALL msg=audit(1253261385.990:32): arch=40000003 syscall=125 success=yes exit=0 a0=4fbd000 a1=1000 a2=7 a3=b60e5000 items=0 ppid=2012 pid=2027 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="firefox" exe="/usr/lib/firefox-3.5.3/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

audit2allow suggests:

#============= unconfined_t ==============
allow unconfined_t self:process execmem;
Either install nspluginwrapper

yum install nspluginwrapper

or set the boolean allow_unconfined_nsplugin_transition off

setsebool -P allow_unconfined_nsplugin_transition 0

Do you have any plugins installed (flashplugin?)
(In reply to comment #1)
> Either install nspluginwrapper
>
> yum install nspluginwrapper
>
> or set the boolean
>
> allow_unconfined_nsplugin_transition off
>
> setsebool -P allow_unconfined_nsplugin_transition 0
>
> Do you have any plugins installed (flashplugin?)

Yes, I have installed flashplugin. When I tried to install nspluginwrapper, it seemed to have already been installed. And the selinux still reports the same problem even after I ran the command "setsebool -P allow_unconfined_nsplugin_transition 0".
Restart firefox.

It is currently running in unconfined_t, when you restart it, it should be running as unconfined_execmem_t
(In reply to comment #3)
> Restart firefox.
>
> It is currently running in unconfined_t, when you restart it, it should be
> running as unconfined_execmem_t

Thanks, maybe that works.
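Added example, not part of the original bug thread or of setroubleshoot: a small Python decoder that pairs the AVC and SYSCALL records from the raw audit messages in the report and shows which memory-protection request triggered the execmem denial. The function names and the one-entry syscall table are assumptions made for this illustration; the sample records are copied from the report and trimmed to the fields used.

```python
import re

# The AVC and SYSCALL records from the report above, trimmed to the fields used here.
SAMPLE = (
    'node=(removed) type=AVC msg=audit(1253261385.990:32): avc: denied { execmem } '
    'for pid=2027 comm="firefox" tclass=process\n'
    'node=(removed) type=SYSCALL msg=audit(1253261385.990:32): arch=40000003 '
    'syscall=125 success=yes exit=0 a0=4fbd000 a1=1000 a2=7 a3=b60e5000 pid=2027 '
    'comm="firefox" exe="/usr/lib/firefox-3.5.3/firefox"\n'
)

PROT = {1: "PROT_READ", 2: "PROT_WRITE", 4: "PROT_EXEC"}
# Only the (arch, syscall) pair seen in this report: i386 (arch 40000003), 125.
SYSCALLS = {("40000003", 125): "mprotect"}

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
DENIED = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")

def parse_events(text):
    """Group audit records by event id, keyed by record type."""
    events = {}
    for line in text.splitlines():
        eid = EVENT_ID.search(line)
        rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if not eid or "type" not in rec:
            continue
        denied = DENIED.search(line)
        rec["perms"] = denied.group(1).split() if denied else []
        events.setdefault(eid.group(1), {})[rec["type"]] = rec
    return events

def explain_execmem(text):
    """Describe the system call behind each execmem denial."""
    findings = []
    for eid, recs in parse_events(text).items():
        avc, sc = recs.get("AVC", {}), recs.get("SYSCALL")
        if "execmem" not in avc.get("perms", []) or sc is None:
            continue
        name = SYSCALLS.get((sc["arch"], int(sc["syscall"])))
        prot = int(sc["a2"], 16) if name == "mprotect" else 0  # a0..a3 are hex
        flags = "|".join(n for bit, n in PROT.items() if prot & bit)
        call = ("%s(0x%x, 0x%x, %s)" % (name, int(sc["a0"], 16), int(sc["a1"], 16), flags)
                if name else "syscall %s (not decoded)" % sc["syscall"])
        findings.append({"event": eid, "exe": sc.get("exe"), "call": call,
                         "wx": (prot & 6) == 6,  # writable and executable at once
                         # a logged denial with success=yes means permissive mode
                         "blocked": sc.get("success") != "yes"})
    return findings
```

For the event in this report the decoder yields a one-page mprotect request for read, write and execute together, with `blocked` false because the policy was permissive.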