Bug 572791 - SELinux is preventing /usr/lib64/nspluginwrapper/plugin-config from making the program stack executable.
Status: CLOSED CANTFIX
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 13
Hardware: x86_64 Linux
Priority: low  Severity: medium
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:17bc8fb7a13...
Duplicates: 597617
Reported: 2010-03-11 20:53 EST by Bruno Medeiros
Modified: 2012-10-10 02:38 EDT
Last Closed: 2010-11-09 08:25:56 EST
Attachments:
out of commands (14.90 KB, text/plain), 2010-03-12 18:42 EST, Bruno Medeiros
firefox AVCs with allow_unconfined_nsplugin_transition=1 allow_nsplugin_execmem=1 (4.81 KB, text/plain), 2010-08-26 12:02 EDT, Stefan Becker

Description Bruno Medeiros 2010-03-11 20:53:23 EST
Summary:

SELinux is preventing /usr/lib64/nspluginwrapper/plugin-config from making the
program stack executable.

Detailed Description:

[plugin-config has a permissive type (unconfined_t). This access was not
denied.]

The plugin-config application attempted to make its stack executable. This is a
potential security problem. This should never ever be necessary. Stack memory is
not executable on most OSes these days and this will not change. Executable
stack memory is one of the biggest security problems. An execstack error might
in fact be most likely raised by malicious code. Applications are sometimes
coded incorrectly and request this permission. The SELinux Memory Protection
Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how
to remove this requirement. If plugin-config does not work and you need it to
work, you can configure SELinux temporarily to allow this access until the
application is fixed. Please file a bug report.

Allowing Access:

Sometimes a library is accidentally marked with the execstack flag, if you find
a library with this flag you can clear it with the execstack -c LIBRARY_PATH.
Then retry your application. If the app continues to not work, you can turn the
flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust
plugin-config to run correctly, you can change the context of the executable to
execmem_exec_t. "chcon -t execmem_exec_t
'/usr/lib64/nspluginwrapper/plugin-config'" You must also change the default
file context files on the system in order to preserve them even on a full
relabel. "semanage fcontext -a -t execmem_exec_t
'/usr/lib64/nspluginwrapper/plugin-config'"

Fix Command:

chcon -t execmem_exec_t '/usr/lib64/nspluginwrapper/plugin-config'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                None [ process ]
Source                        plugin-config
Source Path                   /usr/lib64/nspluginwrapper/plugin-config
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           nspluginwrapper-1.3.0-11.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.10-3.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   allow_execstack
Host Name                     (removed)
Platform                      Linux familia-desktop 2.6.33-0.52.rc8.git6.fc13.x86_64 #1 SMP Tue Feb 23 04:52:05 UTC 2010 x86_64 x86_64
Alert Count                   8
First Seen                    Thu 11 Mar 2010 20:24:43 BRT
Last Seen                     Thu 11 Mar 2010 22:46:58 BRT
Local ID                      360d0fc2-dcb2-4531-9fc2-34157def31be
Line Numbers                  

Raw Audit Messages            

node=familia-desktop type=AVC msg=audit(1268358418.31:36724): avc:  denied  { execstack } for  pid=27695 comm="plugin-config" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=familia-desktop type=SYSCALL msg=audit(1268358418.31:36724): arch=c000003e syscall=10 success=yes exit=4294967424 a0=7fff99d61000 a1=1000 a2=1000007 a3=368c61aab9 items=0 ppid=27693 pid=27695 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="plugin-config" exe="/usr/lib64/nspluginwrapper/plugin-config" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  allow_execstack,plugin-config,unconfined_t,unconfined_t,process,execstack
audit2allow suggests:

#============= unconfined_t ==============
#!!!! This avc can be allowed using the boolean 'allow_execstack'

allow unconfined_t self:process execstack;
Comment 1 Daniel Walsh 2010-03-12 08:38:42 EST
You are using a plugin that is potentially a problem.

You can turn on the allow_execstack boolean

setsebool -P allow_execstack 1

Which will turn off the checking for unconfined processes.

Or you can attempt to turn on 

setsebool -P allow_unconfined_nsplugin_transition=1 allow_nsplugin_execmem=1

Which will turn on the permission only for nsplugin.

Or you can remove the plugin that is causing the problem.
Comment 2 Bruno Medeiros 2010-03-12 10:19:29 EST
It's a Fedora 13 fresh install, no extra plugins installed.
Comment 3 Daniel Walsh 2010-03-12 12:02:30 EST
Are you using nvidia?
Comment 4 Bruno Medeiros 2010-03-12 12:43:19 EST
Yes, the onboard nvidia chip on Biostar MCP6PM2+ motherboard.
Nouveau driver.
Comment 5 Daniel Walsh 2010-03-12 13:19:59 EST
That might be the problem.
Comment 6 Daniel Walsh 2010-03-12 14:24:52 EST
Can you see if a library has the execstack flag

find /usr/lib64 -name \*.so\* -exec execstack -q {} \; -print | grep ^X
find /lib64 -name \*.so\* -exec execstack -q {} \; -print | grep ^X
Comment 7 Bruno Medeiros 2010-03-12 18:42:58 EST
Created attachment 399784 [details]
out of commands

Nothing else but a lot of 

execstack: "........so" is not an ELF file
Comment 8 Ulrich Drepper 2010-03-14 07:14:51 EDT
(In reply to comment #7)
> Nothing else but a lot of 

Repeat it for /lib and /usr/lib as well. This might be one of the 32-bit binaries. Especially since the nspluginwrapper used might be the 32-bit version.
Comment 9 Bruno Medeiros 2010-03-22 21:25:27 EDT
Sorry for the late reply.. I was traveling last week.

No output for the 32bit directories...

[root@familia-desktop ~]# find /usr/lib -name \*.so\* -exec execstack -q {} \; -print | grep ^X
[root@familia-desktop ~]# find /lib -name \*.so\* -exec execstack -q {} \; -print | grep ^X
[root@familia-desktop ~]# 


Any more ideas?
Comment 10 Daniel Walsh 2010-07-29 13:04:19 EDT
Are you still seeing this problem? I seem to have dropped the ball on this bug, in the flood of bugzillas.
Comment 11 Stefan Becker 2010-08-25 10:39:16 EDT
I just did a preupgrade from F13 to F14 Alpha and get the error from the Sun Java plugin, i.e. Java is not working in the firefox profile where I have enabled Java. This is my work laptop, so I "borrowed" the Sun Java packages from RHEL5 :-P

$ rpm -qa java-1.6.0-sun*
java-1.6.0-sun-devel-1.6.0.18-1jpp.2.el5.i586
java-1.6.0-sun-plugin-1.6.0.18-1jpp.2.el5.i586
java-1.6.0-sun-1.6.0.18-1jpp.2.el5.i586


I found bug #533486, but all of the checks from there turn up OK:

 - no library marked "execstack"

 - all Java binaries are marked java_exec_t:

$ ls -lZ /usr/lib/jvm/java-1.6.0-sun-1.6.0.18/bin /usr/lib/jvm/java-1.6.0-sun-1.6.0.18/jre/bin | fgrep -v java_exec_t
/usr/lib/jvm/java-1.6.0-sun-1.6.0.18/bin:
lrwxrwxrwx. root root system_u:object_r:bin_t:s0       ControlPanel -> ./jcontrol

/usr/lib/jvm/java-1.6.0-sun-1.6.0.18/jre/bin:

 - Java plugin symlink setup (alternatives):

$ ls -Z /usr/lib/mozilla/plugins-wrapped/libjavaplugin.so /usr/lib/mozilla/plugins/libjavaplugin.so /etc/alternatives/libjavaplugin.so /usr/lib/jvm/jre-1.6.0-sun/lib/i386/libnpjp2.so | sort
lrwxrwxrwx. root root system_u:object_r:nsplugin_rw_t:s0 /usr/lib/mozilla/plugins-wrapped/libjavaplugin.so -> /usr/lib/mozilla/plugins/libjavaplugin.so
lrwxrwxrwx. root root unconfined_u:object_r:etc_t:s0   /etc/alternatives/libjavaplugin.so -> /usr/lib/jvm/jre-1.6.0-sun/lib/i386/libnpjp2.so
lrwxrwxrwx. root root unconfined_u:object_r:lib_t:s0   /usr/lib/mozilla/plugins/libjavaplugin.so -> /etc/alternatives/libjavaplugin.so
-rwxr-xr-x. root root system_u:object_r:textrel_shlib_t:s0 /usr/lib/jvm/jre-1.6.0-sun/lib/i386/libnpjp2.so

 - firefox process context:

$ ps -eZ | fgrep firefox
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 9875 ? 00:01:14 firefox

Is there anything else you need? I'm going to try the nsplugin workarounds now...
Comment 12 Stefan Becker 2010-08-25 10:41:47 EDT
Forgot this bit of info:

# getsebool -a | fgrep nsplugin
allow_nsplugin_execmem --> on
allow_unconfined_nsplugin_transition --> off
nsplugin_can_network --> on
Comment 13 Stefan Becker 2010-08-25 10:55:47 EDT
Only by enabling allow_execstack does the Java plugin work on my system.

firefox-3.6.7-1.fc13.i686
java-1.6.0-sun-1.6.0.18-1jpp.2.el5.i586
java-1.6.0-sun-devel-1.6.0.18-1jpp.2.el5.i586
java-1.6.0-sun-plugin-1.6.0.18-1jpp.2.el5.i586
kernel-2.6.35.2-9.fc14.i686
selinux-policy-3.8.8-14.fc14.noarch
selinux-policy-targeted-3.8.8-14.fc14.noarch

Linux localhost.localdomain 2.6.35.2-9.fc14.i686 #1 SMP Tue Aug 17 22:54:19 UTC 2010 i686 i686 i386 GNU/Linux
Comment 14 Daniel Walsh 2010-08-25 11:38:07 EDT
What AVC are you seeing?
Comment 15 Stefan Becker 2010-08-25 12:45:37 EDT
Back to original configuration:

# getsebool -a | fgrep -e nsplugin -e execstack
allow_execstack --> off
allow_java_execstack --> off
allow_mplayer_execstack --> off
allow_nsplugin_execmem --> on
allow_unconfined_nsplugin_transition --> off
nsplugin_can_network --> on

Starting firefox with the Java-enabled profile and a home page with a java app:

type=AVC msg=audit(1282754556.084:1145): avc:  denied  { execstack } for  pid=5883 comm="plugin-config" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1282754556.084:1145): arch=40000003 syscall=125 success=no exit=-13 a0=bff97000 a1=1000 a2=1000007 a3=bff8e750 items=0 ppid=5881 pid=5883 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=3 comm="plugin-config" exe="/usr/lib/nspluginwrapper/plugin-config" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1282754558.559:1146): avc:  denied  { execstack } for  pid=5890 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1282754558.559:1146): arch=40000003 syscall=125 success=no exit=-13 a0=bf8da000 a1=1000 a2=1000007 a3=bf8d3a40 items=0 ppid=5878 pid=5890 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=3 comm="firefox" exe="/usr/lib/firefox-3.6/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1282754558.573:1147): avc:  denied  { execstack } for  pid=5890 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1282754558.573:1147): arch=40000003 syscall=125 success=no exit=-13 a0=bf8da000 a1=1000 a2=1000007 a3=bf8d3a40 items=0 ppid=5878 pid=5890 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=3 comm="firefox" exe="/usr/lib/firefox-3.6/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1282754561.003:1148): avc:  denied  { execstack } for  pid=5890 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1282754561.003:1148): arch=40000003 syscall=125 success=no exit=-13 a0=bf8da000 a1=1000 a2=1000007 a3=bf8d3f90 items=0 ppid=5878 pid=5890 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=3 comm="firefox" exe="/usr/lib/firefox-3.6/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1282754561.005:1149): avc:  denied  { execstack } for  pid=5890 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1282754561.005:1149): arch=40000003 syscall=125 success=no exit=-13 a0=bf8da000 a1=1000 a2=1000007 a3=bf8d3f90 items=0 ppid=5878 pid=5890 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=3 comm="firefox" exe="/usr/lib/firefox-3.6/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1282754561.018:1150): avc:  denied  { execstack } for  pid=5890 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1282754561.018:1150): arch=40000003 syscall=125 success=no exit=-13 a0=bf8da000 a1=1000 a2=1000007 a3=bf8d3e50 items=0 ppid=5878 pid=5890 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=3 comm="firefox" exe="/usr/lib/firefox-3.6/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1282754561.019:1151): avc:  denied  { execstack } for  pid=5890 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1282754561.019:1151): arch=40000003 syscall=125 success=no exit=-13 a0=bf8da000 a1=1000 a2=1000007 a3=bf8d3e50 items=0 ppid=5878 pid=5890 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=3 comm="firefox" exe="/usr/lib/firefox-3.6/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1282754561.023:1152): avc:  denied  { execstack } for  pid=5890 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1282754561.023:1152): arch=40000003 syscall=125 success=no exit=-13 a0=bf8da000 a1=1000 a2=1000007 a3=bf8d3f90 items=0 ppid=5878 pid=5890 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=3 comm="firefox" exe="/usr/lib/firefox-3.6/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1282754561.023:1153): avc:  denied  { execstack } for  pid=5890 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1282754561.023:1153): arch=40000003 syscall=125 success=no exit=-13 a0=bf8da000 a1=1000 a2=1000007 a3=bf8d3f90 items=0 ppid=5878 pid=5890 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=3 comm="firefox" exe="/usr/lib/firefox-3.6/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
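The AVC records quoted in the description and in comment 15 are only half of the story: the SYSCALL record that shares each serial tells you the architecture, that the call was mprotect(2), which PROT_* bits were requested (PROT_GROWSDOWN is what marks the region as a stack) and whether the call actually failed. The following is an added example, not part of this bug report, of nspluginwrapper or of setroubleshoot, that pairs the two records by audit serial, keeps only execstack events and decodes the mprotect arguments. The arch ids, syscall numbers and PROT_* bits are standard Linux ABI values; the sample records are the ones quoted in this bug plus one constructed name_bind record to show that unrelated AVCs are filtered out.

```python
import re

# Standard Linux ABI values (not taken from this bug): audit arch ids,
# mprotect(2) system call numbers per arch, and the PROT_* bits of argument a2.
ARCH_NAMES = {"c000003e": "x86_64", "40000003": "i386"}
MPROTECT_NR = {"x86_64": 10, "i386": 125}
PROT_BITS = [(0x1, "PROT_READ"), (0x2, "PROT_WRITE"), (0x4, "PROT_EXEC"),
             (0x01000000, "PROT_GROWSDOWN"), (0x02000000, "PROT_GROWSUP")]

TOKEN_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
SERIAL_RE = re.compile(r"audit\(([\d.]+):(\d+)\)")
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")

# Records quoted in this bug (description and comment 15), plus one
# constructed name_bind record so the filter has something to drop.
SAMPLE_AUDIT = """\
node=familia-desktop type=AVC msg=audit(1268358418.31:36724): avc:  denied  { execstack } for  pid=27695 comm="plugin-config" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
node=familia-desktop type=SYSCALL msg=audit(1268358418.31:36724): arch=c000003e syscall=10 success=yes exit=4294967424 a0=7fff99d61000 a1=1000 a2=1000007 a3=368c61aab9 items=0 ppid=27693 pid=27695 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="plugin-config" exe="/usr/lib64/nspluginwrapper/plugin-config" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1282754556.084:1145): avc:  denied  { execstack } for  pid=5883 comm="plugin-config" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1282754556.084:1145): arch=40000003 syscall=125 success=no exit=-13 a0=bff97000 a1=1000 a2=1000007 a3=bff8e750 items=0 ppid=5881 pid=5883 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=3 comm="plugin-config" exe="/usr/lib/nspluginwrapper/plugin-config" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1283192000.000:9999): avc:  denied  { name_bind } for  pid=5058 comm="Xephyr" scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c1,c2 tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket
"""


def parse_record(line):
    """Split one audit record into its key=value fields, adding the audit
    serial and, for AVC records, the decision and the permission list."""
    rec = {k: v.strip('"') for k, v in TOKEN_RE.findall(line)}
    m = SERIAL_RE.search(line)
    if m:
        rec["timestamp"], rec["serial"] = m.group(1), m.group(2)
    m = AVC_RE.search(line)
    if m:
        rec["decision"], rec["perms"] = m.group(1), m.group(2).split()
    return rec


def decode_prot(hex_value):
    """Expand the hex mprotect flags argument into PROT_* names."""
    value = int(hex_value, 16)
    return [name for bit, name in PROT_BITS if value & bit]


def execstack_events(text):
    """Pair every AVC record with the SYSCALL record sharing its serial and
    return one summary dict per execstack event, in log order."""
    by_serial = {}
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            by_serial.setdefault(rec.get("serial"), {})[rec.get("type")] = rec
    events = []
    for serial, recs in by_serial.items():
        avc = recs.get("AVC")
        if not avc or "execstack" not in avc.get("perms", []):
            continue
        sc = recs.get("SYSCALL", {})
        arch = ARCH_NAMES.get(sc.get("arch"), "unknown")
        nr = int(sc["syscall"]) if "syscall" in sc else None
        events.append({
            "serial": serial,
            "comm": avc.get("comm"),
            "exe": sc.get("exe"),
            "arch": arch,
            "syscall": "mprotect" if nr == MPROTECT_NR.get(arch) else nr,
            "length": int(sc["a1"], 16) if "a1" in sc else None,
            "prot": decode_prot(sc["a2"]) if "a2" in sc else [],
            # exit=-13 is EACCES: the call really failed, so the policy was enforcing.
            "enforced": sc.get("success") == "no" and sc.get("exit") == "-13",
        })
    return events


if __name__ == "__main__":
    for event in execstack_events(SAMPLE_AUDIT):
        print(event)
```

Run over the sample, the x86_64 record from the description comes out with `enforced` False (success=yes, because unconfined_t is a permissive type there), while the i386 record from comment 15 comes out with `enforced` True (success=no, exit=-13). Both ask for PROT_READ|PROT_WRITE|PROT_EXEC|PROT_GROWSDOWN on a 4096-byte region, which is the signature of a loader making the stack executable rather than of a JIT mapping its own code region.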
Comment 16 Daniel Walsh 2010-08-25 13:38:18 EDT
Strange that no one else is seeing this.  You could try

setsebool -P allow_unconfined_nsplugin_transition=1 allow_nsplugin_execmem=1
Comment 17 Stefan Becker 2010-08-25 16:32:40 EDT
I did:

# getsebool -a | fgrep -e nsplugin -e execstack
allow_execstack --> off
allow_java_execstack --> off
allow_mplayer_execstack --> off
allow_nsplugin_execmem --> on
allow_unconfined_nsplugin_transition --> off

# setsebool allow_unconfined_nsplugin_transition=1 allow_nsplugin_execmem=1
# getsebool -a | fgrep -e nsplugin -e execstack
allow_execstack --> off
allow_java_execstack --> off
allow_mplayer_execstack --> off
allow_nsplugin_execmem --> on
allow_unconfined_nsplugin_transition --> on
nsplugin_can_network --> on

Java plugin still doesn't work.

To repeat, the following *does* work:

# setsebool allow_unconfined_nsplugin_transition=0 allow_execstack=1
# getsebool -a | fgrep -e nsplugin -e execstack
allow_execstack --> on
allow_java_execstack --> off
allow_mplayer_execstack --> off
allow_nsplugin_execmem --> on
allow_unconfined_nsplugin_transition --> off
nsplugin_can_network --> on
Comment 18 Daniel Walsh 2010-08-26 07:36:00 EDT
What AVC are you getting now?  You did restart firefox?
Comment 19 Stefan Becker 2010-08-26 12:02:43 EDT
Created attachment 441266 [details]
firefox AVCs with allow_unconfined_nsplugin_transition=1 allow_nsplugin_execmem=1

Repeat of first part from comment #17. After setsebool I start a new firefox process with the Java-enabled profile.

I have another firefox process with my default profile. That doesn't have Java enabled. That shouldn't affect the other firefox process?
Comment 20 Daniel Walsh 2010-08-26 15:23:55 EDT
So firefox is running Java from within its process rather than executing a helper app?


You could change the context of firefox to java_exec_t and run it that way.  This would allow you to have allow_execstack turned off for the rest of the session.

chcon -t java_exec_t PATHTO/firefox
Comment 21 Stefan Becker 2010-08-26 16:16:20 EDT
Yes,

  chcon -t java_exec_t /usr/lib/firefox-3.6/firefox

seems to work. But:

 - this wouldn't be a permanent solution, i.e. the next firefox update would reset it. What would be a solution for everybody?

 - the original type is "mozilla_exec_t", so don't I lose all those permissions? Or is "java_exec_t" a superset that is less restrictive than "mozilla_exec_t"?

 - If I understand the following correctly, nspluginwrapper does *specifically* exclude the Java plugin from wrapping, i.e. there is no "helper application":

# mozilla-plugin-config --list
EXCLUDE_WRAP:
...
libjavaplugin*
...
  Wrapper version string: X (1.3.0)
File/Link /usr/lib/mozilla/plugins-wrapped/libjavaplugin.so
File/Link /usr/lib/mozilla/plugins-wrapped/libtotem-gmp-plugin.so
...

 - as the Sun Java RPMs are from RHEL Desktop Supplementary Packages and with the upcoming RHEL6 based on FC12(?): how will this problem be solved for RHEL6? Would an update to the RHEL6 Sun Java RPMs fix it (I'm not sure they are included in the Betas already)?

 - Would sandbox be a solution? E.g. something like

     sandbox -t java_exec_t /usr/bin/firefox -P <profile>
Comment 22 Stefan Becker 2010-08-26 16:24:06 EDT
Sorry, sandbox is of course the wrong approach.

I tried runcon, but SELinux doesn't seem to allow that for non-root users:

  $ MOZ_NO_REMOTE=1 runcon system_u:object_r:java_exec_t:s0 /usr/bin/firefox -P Java
  runcon: /usr/bin/firefox: Permission denied
Comment 23 Daniel Walsh 2010-08-30 10:39:50 EDT
Looks like

https://bugzilla.redhat.com/show_bug.cgi?id=628031

Has the same problem.


I think the best solution for now is to turn the check off.

setsebool -P allow_execstack 0
Comment 24 Daniel Walsh 2010-08-30 10:40:20 EDT
Oops I meant.

setsebool -P allow_execstack 1
Comment 25 Stefan Becker 2010-08-30 12:13:14 EDT
OK, so I'm assuming this will not be put into the standard policy, as you closed bug #628031 as CANTFIX? I wonder how you want to solve this for RHEL6 where the java-sun packages are part of the delivery.

At minimum this should be documented on the Fedora Wiki. Would this be the correct page:

  <https://fedoraproject.org/wiki/SELinux_FAQ>
Comment 26 Daniel Walsh 2010-08-30 12:43:11 EDT
We have three choices on this.

Run firefox as execmem_t which allows this access.  

chcon -t execmem_exec_t /usr/bin/firefox

But since firefox is the main app that we want to prevent from being hacked, this is of limited value.

You can turn off the check altogether

# setsebool -P allow_execstack 1

Or not use the oracle java plugin.
Comment 27 Stefan Becker 2010-08-30 13:07:09 EDT
ad 1) agreed


ad 2) would it be possible to put this into a wrapper? I.e. enable the boolean only for the one firefox process started by this wrapper. Something with "runcon", but available to non-root users?

This firefox process is not used for internet access outside the company, i.e. proxy is disabled. So disabling exec_stack only for this process would be acceptable.

That solution could then be put up on the SELinux FAQ.


ad 3) unfortunately not an option. There seems to be a lot of commercial Java SW that only works correctly with Oracle Java :-/
Comment 28 Daniel Walsh 2010-08-30 13:26:30 EDT
You can run firefox within a sandbox environment granting you full access to execstack but protecting the rest of your desktop.
Comment 29 Stefan Becker 2010-08-30 13:48:42 EDT
Me stupid, please spell it out or point to some instructions.

According to your blog example I tried:

sandbox -X -T ~/java_sand_box/__tmp -H ~/java_sand_box -t sandbox_web_t /usr/bin/firefox -P Java

I only get a busy setroubleshootd processing an endless list of 

    SELinux is preventing /usr/bin/Xephyr from binding to port 6160.
Comment 30 Stefan Becker 2010-08-30 14:01:24 EDT
I guess -T /tmp/xxx (and not in your home directory) might be relevant.

Changed that, but still no Xephyr window :-( Process seems to be running:

 3897 pts/5    00:00:00   bash
 5048 pts/5    00:00:00     sandbox
 5050 pts/5    00:00:00       seunshare
 5051 pts/5    00:00:00         sandboxX.sh
 5058 pts/5    00:00:00           Xephyr
 5059 pts/5    00:00:00           sandboxX.sh

3 types of SELinux errors:

SELinux is preventing /usr/bin/Xephyr "name_bind" access .
SELinux is preventing /usr/bin/Xephyr "module_request" access on <Unknown>.
SELinux is preventing /usr/bin/Xephyr from binding to port 6152.
Comment 31 Daniel Walsh 2010-08-30 14:18:02 EDT
Are you fully yum updated?

You also need to reboot.  But not sure what is going wrong.
Comment 32 Stefan Becker 2010-08-30 15:47:17 EDT
yum update shows "no packages" for this F14 machine.

policycoreutils-2.0.83-21.fc14.i686
policycoreutils-gui-2.0.83-21.fc14.i686
policycoreutils-python-2.0.83-21.fc14.i686
policycoreutils-sandbox-2.0.83-21.fc14.i686
selinux-policy-3.8.8-20.fc14.noarch
selinux-policy-targeted-3.8.8-20.fc14.noarch
xorg-x11-server-Xephyr-1.9.0-4.fc14.i686

I just rebooted it and tried again: same SELinux errors and no sandbox :-(
Comment 33 Daniel Walsh 2010-08-30 17:38:28 EDT
Ping me on line #fedora tomorrow and we can talk about what is going on.
Comment 34 Stefan Becker 2010-08-31 14:25:02 EDT
We debugged the "sandbox -X" problem and I reported it as separate bug #629032. It has nothing to do with the problem reported here.

When the sandbox is running the Java plugin does start to work without execstack AVCs.
Comment 35 mdeggers 2010-11-03 16:12:55 EDT
I'm not seeing the problem with the Java plugin. However, I did get the plugins SELinux execstack warning (I'm running in permissive mode).

I'm running the following on a freshly upgraded F13-F14:

kernel:  2.6.35.6-48.fc14.i686
video:   NVIDIA-Linux-x86-256.53 (hand-installed from NVidia)
         cannot upgrade - over-clocking doesn't work in the latest release
firefox: firefox-3.6.12-1.fc14.i686
java:    jre/jdk 1.6.0_22 (hand-installed from Oracle/Sun)

I found the following by running your find command in /usr/lib

X /usr/lib/vlc/plugins/codec/libdmo_plugin.so
X /usr/lib/vlc/plugins/codec/librealvideo_plugin.so
X /usr/lib/libmono.so.0.0.0
X /usr/lib/libstdc++-libc6.2-2.so.3
X /usr/lib/libmono.so.0
X /usr/lib/libstdc++-3-libc6.2-2-2.10.0.so
X /usr/lib/libmono.so

The VLC plugins are provided by vlc-core-1.1.4-4.fc14.i686, which is installed. However, there doesn't seem to be a plugin relating to vlc in /usr/lib/mozilla.

The Mono library doesn't surprise me. I have notes about Mono and SELinux dating from August 2008. I've pretty much given up trying to run Mono or mod_mono on any system using SELinux.

The libstdc++ surprises me. Could that be the source of the problem?
Comment 36 Alan Mesanovic 2010-11-03 19:37:45 EDT
find /usr/lib -name \*.so\* -exec execstack -q {} \; -print | grep ^X
X /usr/lib/libstdc++-3-libc6.2-2-2.10.0.so
execstack: "/usr/lib/.libfipscheck.so.1.hmac" is not an ELF file
execstack: "/usr/lib/.libfipscheck.so.1.1.0.hmac" is not an ELF file
execstack: cannot open "/usr/lib/mozilla/plugins-wrapped/libnpjp2.so": No such file or directory
X /usr/lib/vlc/plugins/codec/librealvideo_plugin.so
X /usr/lib/vlc/plugins/codec/libdmo_plugin.so
execstack: "/usr/lib/.libssl.so.10.hmac" is not an ELF file
execstack: "/usr/lib/.libssl.so.1.0.0a.hmac" is not an ELF file
X /usr/lib/libstdc++-libc6.2-2.so.3

-Intel Corporation Mobile 945GM/GMS, 943/940GML Express Integrated Graphics Controller (rev 03)

-jre1.6.0_22 (hand-installed from Oracle/Sun)

- My SELinux alerts started when I created a symlink as follows:
  ln -s /opt/jre1.6.0_22/lib/i386/libnpjp2.so /usr/lib/mozilla/plugins/libnpjp2.so
  but the plugin was never really installed/added (tested on www.java.com)

-Creating symlink as user in /home/.mozilla/plugins produces the same alerts

-I've removed the symlink and now right click in Firefox doesn't work and I can't see tooltips on some websites when hovering mouse pointer over hyperlink

-I've tried to download the jre1.6.0_22 again but simple click on the hyperlink for download produces new AVC denial

-I did everything the same with Google Chrome and everything just works
Comment 37 Daniel Walsh 2010-11-04 13:48:50 EDT
If you clear the execstack flag  does it work?

execstack -c /usr/lib/libstdc++-libc6.2-2.so.3
Comment 38 Garrett Mitchener 2010-11-04 15:43:03 EDT
I'm seeing the same problem.  On my system, the java and flash plugins are not marked as to whether they require execstack:

execstack -q /usr/lib/jvm/java-sun/jre/plugin/i386/ns7/libjavaplugin_oji.so 

? /usr/lib/jvm/java-sun/jre/plugin/i386/ns7/libjavaplugin_oji.so
Comment 39 Alan Mesanovic 2010-11-04 22:17:18 EDT
Garrett, libjavaplugin_oji.so should not be used with Firefox 3.6, that worked with older versions of Firefox, now you should use libnpjp2.so, as recommended by Sun/Oracle.

Clearing execstack does not work. To make a few things clear, I'm on a 32 bit system, Fedora 14, with all updates as of this moment. I had more than 60 denials, which were: SELinux is preventing /usr/lib/firefox-3.6/firefox from making the program stack executable. Only one was about /nspluginwrapper/plugin-config


Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                None [ process ]
Source                        plugin-config
Source Path                   /usr/lib/nspluginwrapper/plugin-config
Port                          <Unknown>
Host                          Freedom
Source RPM Packages           firefox-3.6.12-1.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-7.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   allow_execstack
Host Name                     Freedom
Platform                      Linux Freedom 2.6.35.6-48.fc14.i686 #1 SMP Fri Oct 22 15:34:36 UTC 2010 i686 i686
Alert Count                   63
First Seen                    Wed 03 Nov 2010 01:54:05 AM CET
Last Seen                     Fri 05 Nov 2010 03:05:01 AM CET
Local ID                      7a1009d9-26ef-4785-86ff-1f9fb74c0721
Line Numbers                  

Raw Audit Messages            

node=Freedom type=AVC msg=audit(1288922701.388:32): avc:  denied  { execstack } for  pid=2342 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=Freedom type=SYSCALL msg=audit(1288922701.388:32): arch=40000003 syscall=125 success=no exit=-13 a0=bfda5000 a1=1000 a2=1000007 a3=bfd9e3b4 items=0 ppid=2313 pid=2342 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="firefox" exe="/usr/lib/firefox-3.6/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

- It is obvious that something in the policy needs to be fixed
Comment 40 Garrett Mitchener 2010-11-05 11:44:15 EDT
Right, sorry, wrong file, but it has the same problem:

[root@grograman]# execstack -q /usr/lib/mozilla/plugins/*
- /usr/lib/mozilla/plugins/libflashplayer.so
? /usr/lib/mozilla/plugins/libnpjp2.so
- /usr/lib/mozilla/plugins/libtotem-cone-plugin.so
- /usr/lib/mozilla/plugins/libtotem-gmp-plugin.so
- /usr/lib/mozilla/plugins/libtotem-mully-plugin.so
- /usr/lib/mozilla/plugins/libtotem-narrowspace-plugin.so
- /usr/lib/mozilla/plugins/nppdf.so

so libnpjp2.so has the same setting.

At the moment, I'm running with the execstack check turned off:

setsebool -P allow_execstack 1

which isn't as secure but at least everything works.
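Comments 6 to 9 scan the library directories with `execstack -q`, and comments 38 and 40 show it answering `?` for the Java plugin. What the tool reads is the ELF PT_GNU_STACK program header: PF_X set means `X`, PF_X clear means `-`, and no such header means `?`. The following is an added example (not part of this bug, of nspluginwrapper or of the execstack tool) that reads that header directly for 32- and 64-bit ELF and walks a directory the way the find loop in comment 6 does, but silently skips symlinks and non-ELF files such as the `.hmac` checksums that cluttered the output in comments 7 and 36. `make_elf` and `self_check` write constructed, non-loadable ELF images into a temporary directory purely so the scanner can be exercised offline.

```python
import mmap
import os
import struct
import tempfile

PT_GNU_STACK = 0x6474E551  # program header type carrying the GNU stack flags
PF_X = 0x1                 # executable bit in p_flags


def gnu_stack_flag(data):
    """Return 'X' if PT_GNU_STACK requests an executable stack, '-' if it
    requests a non-executable one and '?' if the header is absent (the same
    letters execstack -q prints). Raises ValueError for non-ELF input."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    endian = {1: "<", 2: ">"}.get(ei_data)
    if endian is None:
        raise ValueError("unknown EI_DATA")
    try:
        if ei_class == 1:    # ELF32: p_flags is the 7th program header field
            (e_phoff,) = struct.unpack_from(endian + "I", data, 0x1C)
            e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x2A)
            phdr_fmt, flags_index = endian + "IIIIIIII", 6
        elif ei_class == 2:  # ELF64: p_flags directly follows p_type
            (e_phoff,) = struct.unpack_from(endian + "Q", data, 0x20)
            e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x36)
            phdr_fmt, flags_index = endian + "IIQQQQQQ", 1
        else:
            raise ValueError("unknown EI_CLASS")
        for i in range(e_phnum):
            phdr = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
            if phdr[0] == PT_GNU_STACK:
                return "X" if phdr[flags_index] & PF_X else "-"
    except struct.error as exc:
        raise ValueError("truncated ELF image") from exc
    return "?"


def scan_shared_objects(root):
    """Walk root like the find/execstack loop in this bug and return
    (flag, path) for every regular *.so* file that parses as ELF. Symlinks
    (including dangling ones) and non-ELF files are skipped without noise."""
    results = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if ".so" not in name or os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                with open(path, "rb") as fh, \
                        mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as view:
                    results.append((gnu_stack_flag(view), path))
            except (OSError, ValueError):
                continue  # empty, unreadable or non-ELF file
    return results


def make_elf(elf_class, stack_flags):
    """Constructed minimal ELF image: a header plus one PT_GNU_STACK program
    header carrying stack_flags, or no program header when stack_flags is
    None. Only the fields gnu_stack_flag reads are meaningful."""
    ident = b"\x7fELF" + bytes([elf_class, 1, 1]) + bytes(9)
    phnum = 0 if stack_flags is None else 1
    if elf_class == 2:
        hdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 0, 0, 0)
        phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags or 0, 0, 0, 0, 0, 0, 16)
    else:
        hdr = ident + struct.pack("<HHIIIIIHHHHHH", 3, 3, 1, 0, 52, 0, 0, 52, 32, phnum, 0, 0, 0)
        phdr = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags or 0, 16)
    return hdr + (phdr if phnum else b"")


def self_check():
    """Scan a temporary tree of constructed files; returns the sorted
    (flag, basename) list so the result can be checked offline."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "libexec.so": make_elf(2, 7),         # X: PF_R|PF_W|PF_X
            "libsafe.so.1": make_elf(2, 6),       # -: PF_R|PF_W
            "libold32.so": make_elf(1, None),     # ?: no PT_GNU_STACK at all
            ".libfips.so.1.hmac": b"deadbeef\n",  # not ELF, skipped silently
        }
        for name, content in files.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(content)
        os.symlink("libsafe.so.1", os.path.join(root, "libsafe.so"))  # skipped
        return sorted((flag, os.path.basename(p)) for flag, p in scan_shared_objects(root))


if __name__ == "__main__":
    for flag, path in self_check():
        print(flag, path)
```

The `?` case deserves attention when reading the output from comment 40: on x86 the kernel and the dynamic loader treat a missing PT_GNU_STACK header as a request for an executable stack, so dlopen() of such a plugin makes ld.so call mprotect on the stack with exactly the PROT_GROWSDOWN flags seen in the AVCs above. A `?` library loaded into firefox therefore triggers the same denial as an `X` one, and `execstack -c` (which writes the header with PF_X cleared) is the way to test whether that plugin actually needs it.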
Comment 41 Daniel Walsh 2010-11-05 13:35:43 EDT
Looks like you are either going to need to label firefox as execmem_exec_t or run with the execstack check turned off for unconfined processes.

I think the problem is plugins like java starting to be executed within firefox.
Comment 42 Fedora Admin XMLRPC Client 2010-11-08 16:49:50 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 43 Fedora Admin XMLRPC Client 2010-11-08 16:51:22 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 44 Fedora Admin XMLRPC Client 2010-11-08 16:52:44 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 45 Daniel Belton 2010-11-08 22:10:30 EST
I too am getting the same errors on a fresh install of F14 and the Oracle/Sun java.


Summary:

SELinux is preventing /usr/lib/firefox-3.6/firefox from making the program stack
executable.

Detailed Description:

The firefox application attempted to make its stack executable. This is a
potential security problem. This should never ever be necessary. Stack memory is
not executable on most OSes these days and this will not change. Executable
stack memory is one of the biggest security problems. An execstack error might
in fact be most likely raised by malicious code. Applications are sometimes
coded incorrectly and request this permission. The SELinux Memory Protection
Tests (http://www.akkadia.org/drepper/selinux-mem.html) web page explains how to
remove this requirement. If firefox does not work and you need it to work, you
can configure SELinux temporarily to allow this access until the application is
fixed. Please file a bug report.

Allowing Access:

Sometimes a library is accidentally marked with the execstack flag, if you find
a library with this flag you can clear it with the execstack -c LIBRARY_PATH.
Then retry your application. If the app continues to not work, you can turn the
flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust firefox to
run correctly, you can change the context of the executable to execmem_exec_t.
"chcon -t execmem_exec_t '/usr/lib/firefox-3.6/firefox'" You must also change
the default file context files on the system in order to preserve them even on a
full relabel. "semanage fcontext -a -t execmem_exec_t
'/usr/lib/firefox-3.6/firefox'"

Fix Command:

chcon -t execmem_exec_t '/usr/lib/firefox-3.6/firefox'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                None [ process ]
Source                        plugin-config
Source Path                   /usr/lib/nspluginwrapper/plugin-config
Port                          <Unknown>
Host                          tower10.home
Source RPM Packages           firefox-3.6.12-1.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-7.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   allow_execstack
Host Name                     tower10.home
Platform                      Linux tower10.home 2.6.35.6-48.fc14.i686 #1 SMP Fri Oct 22 15:34:36 UTC 2010 i686 i686
Alert Count                   35
First Seen                    Mon 08 Nov 2010 01:42:12 PM CST
Last Seen                     Mon 08 Nov 2010 08:44:43 PM CST
Local ID                      a9ef1964-274a-4637-9f80-bb8872566f15
Line Numbers                  

Raw Audit Messages            

node=tower10.home type=AVC msg=audit(1289270683.246:39981): avc:  denied  { execstack } for  pid=10801 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=tower10.home type=SYSCALL msg=audit(1289270683.246:39981): arch=40000003 syscall=125 success=no exit=-13 a0=bfbd1000 a1=1000 a2=1000007 a3=bfbca8d4 items=0 ppid=10782 pid=10801 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="firefox" exe="/usr/lib/firefox-3.6/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)


I have done a fresh install from the DVD, then a complete yum update. Installed the Oracle/Sun java, and get the SELinux messages.

I wish I could run without the Oracle/Sun java, but there are quite a few things that I need that don't work properly without it.
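As an added example (not from the bug report or from setroubleshoot), a small Python parser that groups the raw audit records above by serial number and decodes the denied call: it shows that the execstack AVC corresponds to an mprotect() on a stack mapping requesting PROT_EXEC together with PROT_GROWSDOWN. The syscall table covers only i386 and x86_64 and is my addition, not something the alert provides.

```python
import re

# Linux mprotect() protection bits; PROT_GROWSDOWN marks a request on a stack mapping.
PROT_FLAGS = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC", 0x01000000: "PROT_GROWSDOWN"}
# (audit arch, syscall number) -> name, for the two x86 ABIs only (i386 = 40000003, x86_64 = c000003e).
SYSCALL_NAMES = {("40000003", "125"): "mprotect", ("c000003e", "10"): "mprotect"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")
SERIAL_RE = re.compile(r"audit\([\d.]+:(\d+)\)")

# Constructed sample: the two raw audit lines quoted in comment 45 above.
SAMPLE_AUDIT = """\
node=tower10.home type=AVC msg=audit(1289270683.246:39981): avc:  denied  { execstack } for  pid=10801 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
node=tower10.home type=SYSCALL msg=audit(1289270683.246:39981): arch=40000003 syscall=125 success=no exit=-13 a0=bfbd1000 a1=1000 a2=1000007 a3=bfbca8d4 items=0 ppid=10782 pid=10801 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="firefox" exe="/usr/lib/firefox-3.6/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
"""

def parse_line(line):
    """Split one audit record into key=value fields plus the AVC verdict and permission list."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = AVC_RE.search(line)
    if m:
        fields["result"], fields["perms"] = m.group(1), m.group(2).split()
    return SERIAL_RE.search(line).group(1), fields

def group_events(text):
    """Group the AVC and SYSCALL records that share an audit serial number into one event."""
    events = {}
    for line in filter(str.strip, text.splitlines()):
        serial, fields = parse_line(line)
        events.setdefault(serial, {})[fields["type"]] = fields
    return events

def decode_prot(hexval):
    # audit prints mprotect's prot argument in hex without a 0x prefix
    value = int(hexval, 16)
    return [name for bit, name in PROT_FLAGS.items() if value & bit]

def explain_execstack(text):
    """One finding per denied execstack AVC, with the syscall and requested protection decoded."""
    findings = []
    for serial, ev in group_events(text).items():
        avc, sc = ev.get("AVC"), ev.get("SYSCALL")
        if not avc or avc.get("result") != "denied" or "execstack" not in avc.get("perms", []):
            continue
        f = {"serial": serial, "comm": avc.get("comm"), "exe": None, "syscall": None, "prot": []}
        if sc:
            f["exe"] = sc.get("exe")
            f["syscall"] = SYSCALL_NAMES.get((sc.get("arch"), sc.get("syscall")), "syscall " + sc.get("syscall", "?"))
            f["prot"] = decode_prot(sc["a2"])  # a2 is mprotect's third argument, prot
        findings.append(f)
    return findings
```

Feeding the same parser a whole audit.log lets you tell a real executable-stack request (PROT_EXEC on a PROT_GROWSDOWN mapping from a known plugin) from an unexpected one before deciding on the boolean or the chcon.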
Comment 46 Daniel Walsh 2010-11-09 08:25:56 EST
#setsebool -P allow_execstack 1

Will stop the check, or you could execute the chcon command specified in the alert.
Comment 47 Daniel Walsh 2010-11-09 08:26:32 EST
*** Bug 597617 has been marked as a duplicate of this bug. ***
Comment 48 Erik Johansson 2010-11-26 23:13:41 EST
Hello,

I am seeing this bug for the first time today. I managed to hose my system this morning and did a complete fresh install of F14, followed by all the updates (the original system was F14 as well). After installing the nspluginwrapper, every time I start firefox, I get an SELinux AVC error stating that it is preventing /usr/lib64/nspluginwrapper/plugin-config from making the program stack executable. I have had the program stack executable problem previously with the java plugin for firefox and the adobe reader (for which I had , but not with the nspluginwrapper itself.

I notice that both the SELinux policy and the nspluginwrapper packages were updated quite recently:

nspluginwrapper 1.3.0-15.fc14 x86_64:

FEDORA-2010-17812

       Release : Fedora 14
          Type : bugfix
        Status : stable
        Issued : 2010-11-16 22:09:28
   Description : fixes cooperation with spice-xpi package.

Both selinux-policy and selinux-policy-targeted are 3.9.7-12.fc14:

FEDORA-2010-17968

       Release : Fedora 14
          Type : bugfix
        Status : stable
        Issued : 2010-11-19 21:55:12

Any help you can give me is appreciated. All google searches on this subject come up with older versions and other unrelated issues.

Thanks,

Erik
Comment 49 Daniel Walsh 2010-11-29 15:36:07 EST
Simplest thing is to execute

#setsebool -P allow_execstack 1

Are you running the java plugin from oracle?
Comment 50 Erik Johansson 2010-11-29 16:41:41 EST
Hi Daniel,

Yes, I am using the java plugin from oracle. I have had to separately enable stack execution for the plugin as follows:

sudo chcon -t execmem_exec_t /usr/lib64/firefox-3.6/firefox

If I reset to the current SELinux policy for firefox, I get a separate AVC denial for firefox:

SELinux is preventing /usr/lib64/firefox-3.6/firefox from making the program
stack executable.

The problem I am reporting about here is specific to the nspluginwrapper. I was not getting any AVC denials for nspluginwrapper until I rebuilt my system on Saturday. Please note that prior to the rebuild I was most likely running with the previous versions of the wrapper and SELinux policy from what I listed above in my initial report.

Hope this information helps.

Many thanks for your reply and assistance,

Erik
Comment 51 dilworthscott 2010-12-04 15:19:56 EST
Sorry guys, I am a newbie; I just installed a program called easylife. It downloads all the free and non-free apps to make Fedora Linux 14 user friendly and work with many different programs. After the install I keep getting this working. Is it a virus or is this normal? My biggest problem before I installed it was that I could not get the codecs I needed to make flash work correctly. Now, except for this problem, everything works like a charm.
Comment 52 Daniel Walsh 2010-12-06 14:40:23 EST
Did you turn off the check using allow_execstack

setsebool -P allow_execstack 1
Comment 53 Nicolas Karmazyn 2010-12-06 15:23:51 EST
(In reply to comment #52)
> Did you turn off the check using allow_execstack
> 
> setsebool -P allow_execstack 1

Thanks Dan for the advice, it works fine now. I only hope that execstack is not the major "security problem".
Comment 54 Daniel Walsh 2010-12-06 16:18:16 EST
Well it allows an unconfined app to be more unconfined :^).  You have loosened the security a little over the default but not as much as if you had disabled SELinux altogether.  The problem is oracle/sun have decided to run the java engine within the same process as firefox.  Since java requires execmem/execstack to run, we end up having to turn the permission off for either just firefox or for the entire user session.  This boolean does not affect any confined processes on your system.
Comment 55 Nicolas Karmazyn 2010-12-06 16:48:04 EST
(In reply to comment #54)
> ...not as much as if you had disabled SELinux altogether. 

I couldn't have said more.

(In reply to comment #54)
> The problem is oracle/sun have decided to run java engine
> within the same process as firefox.  Since java requires execmem/execstack to
> run, we end up having to turn the permission off for either just firefox or for
> the entire user session.  This boolean does not effect any confined processes
> on your system.
Anyway I hope that Oracle will find a solution to help to improve the system security.


But more, thanks for your reactivity and for your job
Comment 56 Jediah Logiodice 2010-12-12 00:02:00 EST
This bug has followed me from two versions of Fedora r13/r14 - it did not happen with the standard firefox load even after hours of use; but happened quite soon after installing some extensions / addons.

When it happens, it corrupts my video memory, causing the entire screen to become scrambled; I originally thought it was corrupting the heap; but the selinux report seems to suggest that it is trying to execute code on the stack (could still be a heap/stack over/under-run issue).

Here are the extensions/addons I have loaded.

Dom Inspector
FireBug
FireDownload
FlagFox
FoxyProxy
Personas
Tamper Data
World IP

My current suspect is Dom Inspector, as many of the extensions were running for quite a while before Dom Inspector was installed; and now I have disabled it to give FF a while to see if it will crash again corrupting my video driver...
Comment 57 Daniel Walsh 2010-12-13 09:36:06 EST
You could look for the bad libraries using the 

find /usr/lib64 -name \*.so\* -exec execstack -q {} \; -print | grep ^X
find /lib64 -name \*.so\* -exec execstack -q {} \; -print | grep ^X
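An added example, not Dan's code: a Python equivalent of the find/execstack -q sweep above that reads each shared object's PT_GNU_STACK program header directly, so it also works on hosts where the execstack tool is not installed. build_elf64 is a constructed test fixture, not a real library.

```python
import os
import struct

PT_GNU_STACK = 0x6474E551  # program header that records the stack permissions the loader should apply
PF_X = 0x1                 # execute bit in p_flags

def stack_flag(data):
    """'X' = executable stack requested, '-' = not requested, '?' = no PT_GNU_STACK header at all."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64, end = data[4] == 2, ("<" if data[5] == 1 else ">")
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type = struct.unpack_from(end + "I", data, off)[0]
        # p_flags follows p_type directly in ELF64 but sits at byte 24 of an ELF32 phdr
        p_flags = struct.unpack_from(end + "I", data, off + (4 if is64 else 24))[0]
        if p_type == PT_GNU_STACK:
            return "X" if p_flags & PF_X else "-"
    return "?"

def find_execstack(root):
    """Same sweep as the find/execstack -q loop: shared objects under root that request an exec stack."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in (n for n in names if ".so" in n):
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    if stack_flag(fh.read()) == "X":
                        hits.append(path)
            except (OSError, ValueError):
                pass  # unreadable, a dangling symlink, or not ELF (e.g. a linker script)
    return sorted(hits)

def build_elf64(exec_stack):
    """Constructed fixture: a minimal little-endian ELF64 image with one PT_GNU_STACK header."""
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr += struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    flags = 0x6 | (PF_X if exec_stack else 0)  # PF_R | PF_W, plus PF_X when requested
    return ehdr + struct.pack("<IIQQQQQQ", PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 16)
```

Objects reported as '?' have no PT_GNU_STACK header at all, which older toolchains emit and which the loader treats as a request for an executable stack, so they deserve the same scrutiny as 'X'.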
