Bug 533987 - SELinux is preventing /usr/lib/thunderbird-3.0b4/thunderbird-bin from making the program stack executable.
Status: CLOSED CANTFIX
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware/OS: i386 Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:45853538f25...
Reported: 2009-11-09 18:43 EST by jamesmccullough
Modified: 2010-11-15 17:31 EST
CC: 91 users
Doc Type: Bug Fix
Last Closed: 2009-11-10 08:07:58 EST
Attachments: None
Description jamesmccullough 2009-11-09 18:43:25 EST
Summary:

SELinux is preventing /usr/lib/thunderbird-3.0b4/thunderbird-bin from making the
program stack executable.

Detailed Description:

The thunderbird-bin application attempted to make its stack executable. This is
a potential security problem. This should never ever be necessary. Stack memory
is not executable on most OSes these days and this will not change. Executable
stack memory is one of the biggest security problems. An execstack error might
in fact be most likely raised by malicious code. Applications are sometimes
coded incorrectly and request this permission. The SELinux Memory Protection
Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how
to remove this requirement. If thunderbird-bin does not work and you need it to
work, you can configure SELinux temporarily to allow this access until the
application is fixed. Please file a bug report.

Allowing Access:

Sometimes a library is accidentally marked with the execstack flag. If you find
a library with this flag you can clear it with execstack -c LIBRARY_PATH.
Then retry your application. If the app continues to not work, you can turn the
flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust
thunderbird-bin to run correctly, you can change the context of the executable
to execmem_exec_t:
chcon -t execmem_exec_t '/usr/lib/thunderbird-3.0b4/thunderbird-bin'
You must also change the default file context files on the system in order to
preserve them even on a full relabel:
semanage fcontext -a -t execmem_exec_t '/usr/lib/thunderbird-3.0b4/thunderbird-bin'

Fix Command:

chcon -t execmem_exec_t '/usr/lib/thunderbird-3.0b4/thunderbird-bin'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                None [ process ]
Source                        thunderbird-bin
Source Path                   /usr/lib/thunderbird-3.0b4/thunderbird-bin
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           thunderbird-3.0-3.9.b4.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-41.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execstack
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.5-127.fc12.i686 #1 SMP Sat Nov 7 21:41:45 EST 2009 i686 i686
Alert Count                   20
First Seen                    Mon 09 Nov 2009 05:56:36 PM EST
Last Seen                     Mon 09 Nov 2009 06:37:50 PM EST
Local ID                      beb39629-4b26-44bf-9acb-aadde9042ffb
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1257809870.922:74): avc:  denied  { execstack } for  pid=10204 comm="thunderbird-bin" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=(removed) type=SYSCALL msg=audit(1257809870.922:74): arch=40000003 syscall=125 success=no exit=-13 a0=bfe79000 a1=1000 a2=1000007 a3=bfe78120 items=0 ppid=10200 pid=10204 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="thunderbird-bin" exe="/usr/lib/thunderbird-3.0b4/thunderbird-bin" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)



Hash String generated from selinux-policy-3.6.32-41.fc12,allow_execstack,thunderbird-bin,unconfined_t,unconfined_t,process,execstack
audit2allow suggests:

#============= unconfined_t ==============
allow unconfined_t self:process execstack;
Comment 1 Daniel Walsh 2009-11-10 08:07:58 EST
Do you have some closed source drivers or shared libraries installed?  nvidia drivers?  rpmfusion codecs?  These are built incorrectly and require a dangerous priv execstack.  

This link 

http://people.redhat.com/~drepper/selinux-mem.html

explains the access.

You can use the command execstack -q to try to find the libraries with the execstack flag on. I use a command like

find /usr/lib64 -name \*.so\* -exec execstack -q {} \; -print | grep ^X

Then try to turn off the flag of any libraries that require execstack

execstack -c

And see if the apps work.  

If you cannot find the problem library or the library does not work without the execstack flag turned on, your only option is to tell SELinux to stop checking for execstack by setting the boolean allow_execstack.

setsebool -P allow_execstack 1
Comment 2 Daniel Walsh 2009-11-10 08:49:38 EST
*** Bug 533454 has been marked as a duplicate of this bug. ***
Comment 3 Daniel Walsh 2009-11-10 08:50:23 EST
*** Bug 533715 has been marked as a duplicate of this bug. ***
Comment 4 Daniel Walsh 2009-11-11 09:45:57 EST
*** Bug 536688 has been marked as a duplicate of this bug. ***
Comment 5 Daniel Walsh 2009-11-12 17:26:44 EST
*** Bug 533486 has been marked as a duplicate of this bug. ***
Comment 6 Erik P. Olsen 2009-11-14 01:22:58 EST
OK. I've isolated the problem on my setup to be Sun's java: jre-1.6.0_17-fsc
Comment 7 Miroslav Grepl 2009-11-16 03:29:50 EST
*** Bug 537636 has been marked as a duplicate of this bug. ***
Comment 8 Miroslav Grepl 2009-11-16 07:31:23 EST
*** Bug 537790 has been marked as a duplicate of this bug. ***
Comment 9 Daniel Walsh 2009-11-16 09:45:20 EST
Eric, can you describe what you figured out?  Is thunderbird running java directly?
Comment 10 Erik P. Olsen 2009-11-16 10:07:56 EST
Actually, it's not thunderbird, it's firefox. I refer to bug 533486 which has been declared duplicate of this bug. When I remove Sun's java from the plugins directory I don't get hit by the bug. And when I disable SELinux I can run normally with firefox and the java plugin from Sun.
Comment 11 Daniel Walsh 2009-11-16 10:54:38 EST
*** Bug 537699 has been marked as a duplicate of this bug. ***
Comment 12 cje 2009-11-16 16:20:38 EST
rpmfusion has a bug (90) for this problem as it affects the proprietary nvidia drivers. I've asked about a) talking to nvidia about it and b) creating a policy for it.

Does anyone know if a similar request has been raised with Sun regarding their Java package?

Also, when I ran that execstack command line I got lots of errors I had trouble filtering out, which made it tricky to see what was going on. This probably isn't the best solution but I ended up with this:
find /usr/lib* -name \*.so\* | while read line; do execstack -q "$line" 2>/dev/null | grep ^X; done

which showed up /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64/server/libjvm.so - from java-1.6.0-openjdk-1.6.0.0-33.b16.fc12.x86_64 as also needing execstack. Not sure if we should be worried about that.
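The scan Dan describes in comment 1 and the error-filtered variant cje arrived at above, reimplemented as an added example (not code from the bug report, from setroubleshoot or from the execstack tool): it reads each object's PT_GNU_STACK program header directly, which is what execstack -q checks, reports the same X/-/? markers, and swallows the noise from non-ELF or unreadable files. The ELF image it is tested on is constructed inline, and the script name execstack_scan.py is a placeholder.

```python
"""Check ELF objects for the PT_GNU_STACK executable-stack flag, the same
test that `execstack -q` performs (added example, not part of the report)."""
import os
import struct
import sys

PT_GNU_STACK = 0x6474E551  # program header that records the stack policy
PF_X = 0x1                 # executable bit in p_flags


def gnu_stack_flag(data: bytes) -> str:
    """Return execstack's marker for one ELF image: 'X' if PT_GNU_STACK asks
    for an executable stack, '-' if it is present and non-executable, '?' if
    the header is missing and the loader's platform default applies."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"   # EI_DATA: 1 = little, 2 = big endian
    if ei_class == 1:   # ELF32: e_phoff at 28, e_phentsize/e_phnum at 42
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        ph_fmt, flags_idx = end + "IIIIIIII", 6   # p_flags is the 7th field
    elif ei_class == 2:  # ELF64: e_phoff at 32, e_phentsize/e_phnum at 54
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        ph_fmt, flags_idx = end + "IIQQQQQQ", 1   # p_flags follows p_type
    else:
        raise ValueError("unknown ELF class")
    for i in range(e_phnum):
        ph = struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize)
        if ph[0] == PT_GNU_STACK:
            return "X" if ph[flags_idx] & PF_X else "-"
    return "?"


def scan_libraries(root: str) -> list:
    """Walk root for *.so* files and return [(flag, path)] for each ELF object,
    skipping unreadable or non-ELF files instead of printing errors."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if ".so" not in name:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    found.append((gnu_stack_flag(fh.read()), path))
            except (OSError, ValueError):
                continue  # dangling symlinks, permission errors, linker scripts
    return found


def make_elf64(stack_flags: int, with_gnu_stack: bool = True) -> bytes:
    """Constructed minimal little-endian ELF64 image with one program header,
    used as sample input; it is not a loadable binary."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0,
                               64, 56, 1 if with_gnu_stack else 0, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr


if __name__ == "__main__":   # usage: python3 execstack_scan.py /usr/lib /usr/lib64 /lib64
    for root in sys.argv[1:] or ["/usr/lib"]:
        print("\n".join(f"{f} {p}" for f, p in scan_libraries(root) if f == "X"))
```

Run it over /usr/lib, /usr/lib64 and /lib64 together, since (as comment 69 notes) the flagged object may live outside /usr/lib64.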
Comment 13 Daniel Walsh 2009-11-16 16:23:12 EST
If you clear the flag using execstack -c, does it work?
Comment 14 Daniel Walsh 2009-11-17 16:13:00 EST
*** Bug 538141 has been marked as a duplicate of this bug. ***
Comment 15 Daniel Walsh 2009-11-18 09:39:52 EST
*** Bug 538413 has been marked as a duplicate of this bug. ***
Comment 16 Daniel Walsh 2009-11-19 10:03:33 EST
*** Bug 538764 has been marked as a duplicate of this bug. ***
Comment 17 Miroslav Grepl 2009-11-20 04:22:11 EST
*** Bug 539333 has been marked as a duplicate of this bug. ***
Comment 18 Miroslav Grepl 2009-11-20 04:28:46 EST
*** Bug 539398 has been marked as a duplicate of this bug. ***
Comment 19 Daniel Walsh 2009-11-20 07:49:58 EST
*** Bug 539359 has been marked as a duplicate of this bug. ***
Comment 20 Daniel Walsh 2009-11-20 07:52:37 EST
*** Bug 539409 has been marked as a duplicate of this bug. ***
Comment 21 Daniel Walsh 2009-11-20 08:04:26 EST
*** Bug 539425 has been marked as a duplicate of this bug. ***
Comment 22 Daniel Walsh 2009-11-20 10:17:53 EST
*** Bug 539531 has been marked as a duplicate of this bug. ***
Comment 23 Daniel Walsh 2009-11-20 16:36:30 EST
*** Bug 539713 has been marked as a duplicate of this bug. ***
Comment 24 Miroslav Grepl 2009-11-23 02:52:40 EST
*** Bug 539867 has been marked as a duplicate of this bug. ***
Comment 25 James Heather 2009-11-23 03:17:26 EST
> which showed up
> /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64/server/libjvm.so -
> from java-1.6.0-openjdk-1.6.0.0-33.b16.fc12.x86_64 as also needing execstack. 
> not sure if we should be worried about that.  

Sounds like it. I can confirm that I get the same. On my system, with no nvidia, this is the only execstack file. (On a similar system, but with nvidia drivers, only this file and the nvidia libs need execstack.)

Not sure this is CANTFIX--should this be either reopened, or reclassified as an openjdk bug?

What on earth is that file (and the rest of them) doing in /usr/lib rather than /usr/lib64, by the way?

James
Comment 26 Miroslav Grepl 2009-11-23 03:26:06 EST
*** Bug 539799 has been marked as a duplicate of this bug. ***
Comment 27 Miroslav Grepl 2009-11-23 06:07:26 EST
*** Bug 539974 has been marked as a duplicate of this bug. ***
Comment 28 Miroslav Grepl 2009-11-23 06:09:43 EST
*** Bug 540332 has been marked as a duplicate of this bug. ***
Comment 29 Miroslav Grepl 2009-11-23 06:31:16 EST
*** Bug 540195 has been marked as a duplicate of this bug. ***
Comment 30 Miroslav Grepl 2009-11-23 06:34:34 EST
*** Bug 539969 has been marked as a duplicate of this bug. ***
Comment 31 Daniel Walsh 2009-11-23 08:48:03 EST
*** Bug 539813 has been marked as a duplicate of this bug. ***
Comment 32 Daniel Walsh 2009-11-23 10:19:17 EST
*** Bug 540021 has been marked as a duplicate of this bug. ***
Comment 33 Daniel Walsh 2009-11-23 10:47:07 EST
*** Bug 540073 has been marked as a duplicate of this bug. ***
Comment 34 Daniel Walsh 2009-11-24 11:45:27 EST
*** Bug 540993 has been marked as a duplicate of this bug. ***
Comment 35 Daniel Walsh 2009-11-24 15:05:58 EST
*** Bug 541036 has been marked as a duplicate of this bug. ***
Comment 36 Daniel Walsh 2009-11-25 06:46:06 EST
*** Bug 541178 has been marked as a duplicate of this bug. ***
Comment 37 Daniel Walsh 2009-11-25 10:19:18 EST
*** Bug 541329 has been marked as a duplicate of this bug. ***
Comment 38 Daniel Walsh 2009-11-25 14:05:40 EST
*** Bug 541384 has been marked as a duplicate of this bug. ***
Comment 39 Miroslav Grepl 2009-11-26 04:14:35 EST
*** Bug 541489 has been marked as a duplicate of this bug. ***
Comment 40 Miroslav Grepl 2009-11-26 04:23:42 EST
*** Bug 541493 has been marked as a duplicate of this bug. ***
Comment 41 Miroslav Grepl 2009-11-26 04:28:30 EST
*** Bug 541484 has been marked as a duplicate of this bug. ***
Comment 42 Miroslav Grepl 2009-11-27 03:43:57 EST
*** Bug 541647 has been marked as a duplicate of this bug. ***
Comment 43 Miroslav Grepl 2009-11-27 03:46:14 EST
*** Bug 541665 has been marked as a duplicate of this bug. ***
Comment 44 Miroslav Grepl 2009-11-27 03:49:03 EST
*** Bug 541746 has been marked as a duplicate of this bug. ***
Comment 45 Miroslav Grepl 2009-11-27 03:55:55 EST
*** Bug 541681 has been marked as a duplicate of this bug. ***
Comment 46 Daniel Walsh 2009-11-29 14:49:31 EST
*** Bug 542421 has been marked as a duplicate of this bug. ***
Comment 47 Miroslav Grepl 2009-11-30 07:07:38 EST
*** Bug 542515 has been marked as a duplicate of this bug. ***
Comment 48 Miroslav Grepl 2009-11-30 07:09:17 EST
*** Bug 542336 has been marked as a duplicate of this bug. ***
Comment 49 Miroslav Grepl 2009-11-30 07:10:06 EST
*** Bug 542483 has been marked as a duplicate of this bug. ***
Comment 50 Daniel Walsh 2009-11-30 10:44:17 EST
*** Bug 541629 has been marked as a duplicate of this bug. ***
Comment 51 James Heather 2009-11-30 10:53:43 EST
We've now had this bug reported 44 times!

Does that make a case for a tweak to abrt to give it better duplicate detection logic? I've noticed it often finds for itself that a bug report is a duplicate, but there's clearly room for improvement.

Might be worth it even on an ad hoc basis, e.g., add a rule that anything with the title '(allow_execstack) SELinux is preventing /usr/lib/thunderbird-3.0b4/thunderbird-bin from making the program stack executable' is a duplicate of this.

DW and MG must be losing the will to live just flagging duplicates.
Comment 52 Daniel Walsh 2009-11-30 11:24:54 EST
*** Bug 541674 has been marked as a duplicate of this bug. ***
Comment 53 Daniel Walsh 2009-11-30 13:24:53 EST
*** Bug 541837 has been marked as a duplicate of this bug. ***
Comment 54 Daniel Walsh 2009-11-30 14:04:11 EST
*** Bug 542772 has been marked as a duplicate of this bug. ***
Comment 55 Daniel Walsh 2009-11-30 14:17:33 EST
*** Bug 542719 has been marked as a duplicate of this bug. ***
Comment 56 Daniel Walsh 2009-11-30 16:09:16 EST
*** Bug 542252 has been marked as a duplicate of this bug. ***
Comment 57 Daniel Walsh 2009-11-30 16:51:16 EST
*** Bug 542360 has been marked as a duplicate of this bug. ***
Comment 58 Daniel Walsh 2009-11-30 17:10:35 EST
*** Bug 542499 has been marked as a duplicate of this bug. ***
Comment 59 Daniel Walsh 2009-11-30 17:35:28 EST
*** Bug 541922 has been marked as a duplicate of this bug. ***
Comment 60 Daniel Walsh 2009-12-01 07:43:43 EST
*** Bug 542960 has been marked as a duplicate of this bug. ***
Comment 61 Daniel Walsh 2009-12-01 10:21:26 EST
*** Bug 538659 has been marked as a duplicate of this bug. ***
Comment 62 Daniel Walsh 2009-12-01 12:08:21 EST
*** Bug 543086 has been marked as a duplicate of this bug. ***
Comment 63 Daniel Walsh 2009-12-01 14:53:48 EST
*** Bug 543145 has been marked as a duplicate of this bug. ***
Comment 64 Daniel Walsh 2009-12-02 14:23:59 EST
*** Bug 543493 has been marked as a duplicate of this bug. ***
Comment 65 Miroslav Grepl 2009-12-03 05:19:14 EST
*** Bug 543804 has been marked as a duplicate of this bug. ***
Comment 66 Daniel Walsh 2009-12-03 10:11:08 EST
*** Bug 543891 has been marked as a duplicate of this bug. ***
Comment 67 Daniel Walsh 2009-12-03 10:28:02 EST
*** Bug 543939 has been marked as a duplicate of this bug. ***
Comment 68 Suraj Prasad 2009-12-03 15:40:18 EST
I am confused. Running the command for execstack -q in the following form

find /usr/lib64 -name \*.so\* -exec execstack -q {} \; -print | grep ^X

as stated above tells me that no such file exists.

Then I navigate to the folder and there is no folder by that name, i.e. 'lib64'.
Now what is this? I have allowed execstack by setting the boolean value, but I am afraid the same bug will come up again.
Comment 69 Daniel Walsh 2009-12-03 16:58:26 EST
You also should look in /lib64

Suraj are you using xguest?
Comment 70 Daniel Walsh 2009-12-05 07:14:28 EST
*** Bug 544453 has been marked as a duplicate of this bug. ***
Comment 71 Miroslav Grepl 2009-12-07 05:33:22 EST
*** Bug 544694 has been marked as a duplicate of this bug. ***
Comment 72 Daniel Walsh 2009-12-09 09:19:17 EST
*** Bug 545617 has been marked as a duplicate of this bug. ***
Comment 73 Daniel Walsh 2009-12-09 10:24:20 EST
*** Bug 545844 has been marked as a duplicate of this bug. ***
Comment 74 Daniel Walsh 2009-12-09 11:39:02 EST
*** Bug 545894 has been marked as a duplicate of this bug. ***
Comment 75 Daniel Walsh 2009-12-10 10:44:01 EST
*** Bug 546162 has been marked as a duplicate of this bug. ***
Comment 76 Daniel Walsh 2009-12-10 13:00:33 EST
*** Bug 546349 has been marked as a duplicate of this bug. ***
Comment 77 Daniel Walsh 2009-12-10 14:12:17 EST
*** Bug 546383 has been marked as a duplicate of this bug. ***
Comment 78 Daniel Walsh 2009-12-11 16:21:08 EST
*** Bug 546689 has been marked as a duplicate of this bug. ***
Comment 79 Daniel Walsh 2009-12-12 07:14:21 EST
*** Bug 546776 has been marked as a duplicate of this bug. ***
Comment 80 Daniel Walsh 2009-12-14 07:51:29 EST
*** Bug 547325 has been marked as a duplicate of this bug. ***
Comment 81 Daniel Walsh 2009-12-16 14:49:45 EST
*** Bug 548159 has been marked as a duplicate of this bug. ***
Comment 82 Daniel Walsh 2009-12-17 11:53:43 EST
*** Bug 548506 has been marked as a duplicate of this bug. ***
Comment 83 Daniel Walsh 2009-12-21 13:21:02 EST
*** Bug 549440 has been marked as a duplicate of this bug. ***
Comment 84 Daniel Walsh 2009-12-23 09:21:38 EST
*** Bug 533535 has been marked as a duplicate of this bug. ***
Comment 85 Daniel Walsh 2009-12-23 11:23:42 EST
*** Bug 532239 has been marked as a duplicate of this bug. ***
Comment 86 Daniel Walsh 2009-12-23 11:33:49 EST
*** Bug 530816 has been marked as a duplicate of this bug. ***
Comment 87 Daniel Walsh 2009-12-23 11:54:36 EST
*** Bug 536964 has been marked as a duplicate of this bug. ***
Comment 88 Daniel Walsh 2009-12-23 11:57:56 EST
*** Bug 537675 has been marked as a duplicate of this bug. ***
Comment 89 Daniel Walsh 2009-12-23 11:59:20 EST
*** Bug 538545 has been marked as a duplicate of this bug. ***
Comment 90 Daniel Walsh 2009-12-23 12:14:40 EST
*** Bug 539226 has been marked as a duplicate of this bug. ***
Comment 91 Daniel Walsh 2009-12-23 12:27:02 EST
*** Bug 543051 has been marked as a duplicate of this bug. ***
Comment 92 Miroslav Grepl 2009-12-25 05:48:27 EST
*** Bug 550380 has been marked as a duplicate of this bug. ***
Comment 93 Daniel Walsh 2009-12-29 09:03:47 EST
*** Bug 550509 has been marked as a duplicate of this bug. ***
Comment 94 Daniel Walsh 2009-12-29 19:44:30 EST
*** Bug 550718 has been marked as a duplicate of this bug. ***
Comment 95 Miroslav Grepl 2009-12-30 06:07:49 EST
*** Bug 551361 has been marked as a duplicate of this bug. ***
Comment 96 Miroslav Grepl 2010-01-08 05:16:13 EST
*** Bug 553504 has been marked as a duplicate of this bug. ***
Comment 97 Daniel Walsh 2010-01-08 09:37:46 EST
*** Bug 553468 has been marked as a duplicate of this bug. ***
Comment 98 Daniel Walsh 2010-01-25 12:26:45 EST
*** Bug 558118 has been marked as a duplicate of this bug. ***
Comment 99 Daniel Walsh 2010-01-25 12:36:37 EST
*** Bug 558153 has been marked as a duplicate of this bug. ***
Comment 100 Miroslav Grepl 2010-02-01 11:50:55 EST
*** Bug 560677 has been marked as a duplicate of this bug. ***
Comment 101 Daniel Walsh 2010-04-18 22:01:25 EDT
*** Bug 583294 has been marked as a duplicate of this bug. ***
Comment 102 Daniel Walsh 2010-04-18 22:14:15 EDT
*** Bug 583369 has been marked as a duplicate of this bug. ***
Comment 103 Daniel Walsh 2010-04-21 10:29:08 EDT
*** Bug 584404 has been marked as a duplicate of this bug. ***
Comment 104 Jeff Raber 2010-09-20 00:25:23 EDT
(In reply to comment #1)
> This link 
> 
> http://people.redhat.com/~drepper/selinux-mem.html
> 
> explains the access.
> 
Dan, the link seems to be dead. Do you have any other reading suggestions for people interested in learning about execstack issues?
Comment 105 Daniel Walsh 2010-09-22 12:11:48 EDT
http://www.akkadia.org/drepper/selinux-mem.html
Comment 106 Daniel Walsh 2010-11-11 16:35:59 EST
*** Bug 652297 has been marked as a duplicate of this bug. ***
Comment 107 Pete Gale 2010-11-15 17:31:08 EST
AdbeRdr9.4-1_i486linux_enu.rpm installed files that triggered this denial also:

/opt/Adobe/Reader9/Reader/intellinux/bin/acroread: error while loading shared libraries: libcrypto.so.0.9.8: cannot enable executable stack as shared object requires: Permission denied

The work-around above fixed the issue for me.

# pwd
/opt/Adobe/Reader9/Reader/intellinux/lib
# find . -name \*.so\* -exec execstack -q {} \; -print | grep ^X
X ./libcrypto.so.0
X ./libcrypto.so
X ./libcrypto.so.0.9.8
X ./libsccore.so
# execstack -c libcrypto.so* libsccore.so 
# find . -name \*.so\* -exec execstack -q {} \; -print | grep ^X
#

acroread would start up after making this change.
