Bug 524383 - setroubleshoot: SELinux is preventing firefox from making its memory writable and executable.
Summary: setroubleshoot: SELinux is preventing firefox from making its memory wri...
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: xulrunner
Version: rawhide
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Gecko Maintainer
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:bab1b000bd6...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-09-19 17:10 UTC by Bruno Wolff III
Modified: 2009-10-07 17:31 UTC (History)
16 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-10-07 17:31:52 UTC


Attachments (Terms of Use)

Description Bruno Wolff III 2009-09-19 17:10:42 UTC
The following was filed automatically by setroubleshoot:

Summary:

SELinux is preventing firefox from making its memory writable and executable.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

The firefox application attempted to change the access protection of memory
(e.g., allocated using malloc). This is a potential security problem. Firefox is
probably not the problem here ,but one of its plugins. You could remove the
plugin and the app would no longer require the access. If you figure out which
plugin is causing the access request, please open a bug report on the plugin.

Allowing Access:

There are two ways to fix this problem, you can install the nsspluginwrapper
package, which will cause firefox to run its plugins under a separate process.
This process will allow the execmem access. This is the safest choice. You could
also turn off the allow_unconfined_nsplugin_transition boolean.
setsebool -P allow_unconfined_nsplugin_transition=0

Fix Command:

yum install nspluginwrapper

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Objects                None [ process ]
Source                        firefox
Source Path                   /usr/lib/firefox-3.5.3/firefox
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           firefox-3.5.3-1.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-6.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   firefox
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31-23.fc12.i686.PAE #1
                              SMP Wed Sep 16 15:53:47 EDT 2009 i686 i686
Alert Count                   22
First Seen                    Sat 19 Sep 2009 11:46:48 AM CDT
Last Seen                     Sat 19 Sep 2009 11:58:57 AM CDT
Local ID                      44d5b4ae-7210-4b62-9708-cd76ecf4c5a7
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1253379537.764:54): avc:  denied  { execmem } for  pid=2304 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=(removed) type=SYSCALL msg=audit(1253379537.764:54): arch=40000003 syscall=192 success=yes exit=3002368 a0=0 a1=1000 a2=7 a3=22 items=0 ppid=2292 pid=2304 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="firefox" exe="/usr/lib/firefox-3.5.3/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)


audit2allow suggests:

#============= unconfined_t ==============
allow unconfined_t self:process execmem;

Comment 1 Daniel Walsh 2009-09-20 11:34:05 UTC
I am assuming you are running firefox with flashplugin.  Do you have nspluginwrapper installed?

You can execute 

# setsebool -P allow_unconfined_qemu_transition 0

Then restart firefox, and it will run with this priv.

Comment 2 Bruno Wolff III 2009-09-20 14:01:57 UTC
I don't think that's it.
I don't have either gnash or swfdec installed and I don't have any plugins that aren't in fedora, fusion or livna installed.
I do have some language plugins installed, that I believe all come from Fedora.
I do not have nspluginwrapper either.
It sounds more like firefox is doing something wrong than that it should be allowed to do this. In enforcing mode firefox actually crashes, but I didn't notice any diagnostic information be left behind other than the sealearts.
I don't use firefox on that machine much, but I am fairly sure it worked for a while after the machine had the f12 rawhide install done on it.

Comment 3 Haluk Dogan 2009-09-20 14:08:25 UTC
As Daniel Walsh said after running "setsebool -P allow_execmem 1", firefox is working now

Comment 4 Daniel Walsh 2009-09-20 14:31:51 UTC
Haluk, while that allows firefox to run, it does not fix the root problem.  Firefox/Xulrunner should not require this access.

Usually these problems have been in xulrunner.

Comment 5 Bruno Wolff III 2009-10-07 17:31:52 UTC
I don't seem to be seeing this behavior any more, though I am not sure why not.
I don't see a newer xulrunner/firefox since the problem was reported.
But I am going to close this anyway. If I see the problem reappear I'll reopen it.


Note You need to log in before you can comment on or make changes to this bug.