Bug 524173 - setroubleshoot: SELinux is preventing /usr/lib/firefox-3.5.3/firefox from changing a writable memory segment executable.
Summary: setroubleshoot: SELinux is preventing /usr/lib/firefox-3.5.3/firefox fro...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: i386
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:899ae2289c1...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-09-18 08:16 UTC by Hongwen Qiu
Modified: 2009-10-28 02:18 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-09-18 12:02:51 UTC


Attachments (Terms of Use)

Description Hongwen Qiu 2009-09-18 08:16:06 UTC
The following was filed automatically by setroubleshoot:

概述:

SELinux is preventing /usr/lib/firefox-3.5.3/firefox from changing a writable
memory segment executable.

详细描述:

[SELinux is in permissive mode. This access was not denied.]

The firefox application attempted to change the access protection of memory
(e.g., allocated using malloc). This is a potential security problem.
Applications should not be doing this. Applications are sometimes coded
incorrectly and request this permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. If firefox does not work and you need it to work, you
can configure SELinux temporarily to allow this access until the application is
fixed. Please file a bug report against this package.

允许访问:

If you trust firefox to run correctly, you can change the context of the
executable to execmem_exec_t. "chcon -t execmem_exec_t
'/usr/lib/firefox-3.5.3/firefox'". You must also change the default file context
files on the system in order to preserve them even on a full relabel. "semanage
fcontext -a -t execmem_exec_t '/usr/lib/firefox-3.5.3/firefox'"

Fix 命令:

chcon -t execmem_exec_t '/usr/lib/firefox-3.5.3/firefox'

附加信息:

源上下文                  unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
目标上下文               unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
目标对象                  None [ process ]
源                           mutter
源路径                     /usr/bin/mutter
端口                        <未知>
主机                        (removed)
源 RPM 软件包             firefox-3.5.3-1.fc12
目标 RPM 软件包          
策略 RPM                    selinux-policy-3.6.32-1.fc12
启用 Selinux                True
策略类型                  targeted
启用 MLS                    True
Enforcing 模式              Permissive
插件名称                  allow_execmem
主机名                     (removed)
平台                        Linux (removed) 2.6.31-23.fc12.i686.PAE #1 SMP
                              Wed Sep 16 15:53:47 EDT 2009 i686 i686
警报计数                  4
第一个                     2009年09月18日 星期五 13时55分23秒
最后一个                  2009年09月18日 星期五 16时09分45秒
本地 ID                     5a8b2da7-8bea-482e-82d0-782fe1f299c5
行号                        

原始核查信息            

node=(removed) type=AVC msg=audit(1253261385.990:32): avc:  denied  { execmem } for  pid=2027 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=(removed) type=SYSCALL msg=audit(1253261385.990:32): arch=40000003 syscall=125 success=yes exit=0 a0=4fbd000 a1=1000 a2=7 a3=b60e5000 items=0 ppid=2012 pid=2027 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="firefox" exe="/usr/lib/firefox-3.5.3/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)


audit2allow suggests:

#============= unconfined_t ==============
allow unconfined_t self:process execmem;

Comment 1 Daniel Walsh 2009-09-18 12:02:51 UTC
Either install nspluginwrapper 

yum install nspluginwrapper

or set the boolean

allow_unconfined_nsplugin_transition off

setsebool -P allow_unconfined_nsplugin_transition 0

Do you have any plugins installed (flashplugin?)

Comment 2 Hongwen Qiu 2009-09-18 13:20:06 UTC
(In reply to comment #1)
> Either install nspluginwrapper 
> 
> yum install nspluginwrapper
> 
> or set the boolean
> 
> allow_unconfined_nsplugin_transition off
> 
> setsebool -P allow_unconfined_nsplugin_transition 0
> 
> Do you have any plugins installed (flashplugin?)  

Yes, I have installed flashplugin. When I tried to install nspluginwrapper, it seemed to have already been installed. And the selinux still reports the same problem even after I ran the command "setsebool -P allow_unconfined_nsplugin_transition 0".

Comment 3 Daniel Walsh 2009-09-18 13:32:02 UTC
Restart firefox.

It is currently running in unconfined_t, when you restart it, it should be running as unconfined_execmem_t

Comment 4 Hongwen Qiu 2009-09-18 13:45:38 UTC
(In reply to comment #3)
> Restart firefox.
> 
> It is currently running in unconfined_t, when you restart it, it should be
> running as unconfined_execmem_t  

Thanks, maybe that works.


Note You need to log in before you can comment on or make changes to this bug.