Summary: SELinux is preventing /usr/lib64/nspluginwrapper/plugin-config from making the program stack executable.

Detailed Description:
[plugin-config has a permissive type (unconfined_t). This access was not denied.]

The plugin-config application attempted to make its stack executable. This is a potential security problem. This should never ever be necessary. Stack memory is not executable on most OSes these days and this will not change. Executable stack memory is one of the biggest security problems. An execstack error might in fact be most likely raised by malicious code. Applications are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. If plugin-config does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a bug report.

Allowing Access:
Sometimes a library is accidentally marked with the execstack flag, if you find a library with this flag you can clear it with the execstack -c LIBRARY_PATH. Then retry your application. If the app continues to not work, you can turn the flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust plugin-config to run correctly, you can change the context of the executable to execmem_exec_t. "chcon -t execmem_exec_t '/usr/lib64/nspluginwrapper/plugin-config'" You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t execmem_exec_t '/usr/lib64/nspluginwrapper/plugin-config'"

Fix Command:
chcon -t execmem_exec_t '/usr/lib64/nspluginwrapper/plugin-config'

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                None [ process ]
Source                        plugin-config
Source Path                   /usr/lib64/nspluginwrapper/plugin-config
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           nspluginwrapper-1.3.0-11.fc13
Target RPM Packages
Policy RPM                    selinux-policy-3.7.10-3.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   allow_execstack
Host Name                     (removed)
Platform                      Linux familia-desktop 2.6.33-0.52.rc8.git6.fc13.x86_64 #1 SMP Tue Feb 23 04:52:05 UTC 2010 x86_64 x86_64
Alert Count                   8
First Seen                    Thu 11 Mar 2010 20:24:43 BRT
Last Seen                     Thu 11 Mar 2010 22:46:58 BRT
Local ID                      360d0fc2-dcb2-4531-9fc2-34157def31be
Line Numbers

Raw Audit Messages

node=familia-desktop type=AVC msg=audit(1268358418.31:36724): avc: denied { execstack } for pid=27695 comm="plugin-config" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=familia-desktop type=SYSCALL msg=audit(1268358418.31:36724): arch=c000003e syscall=10 success=yes exit=4294967424 a0=7fff99d61000 a1=1000 a2=1000007 a3=368c61aab9 items=0 ppid=27693 pid=27695 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="plugin-config" exe="/usr/lib64/nspluginwrapper/plugin-config" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Hash String generated from  allow_execstack,plugin-config,unconfined_t,unconfined_t,process,execstack

audit2allow suggests:

#============= unconfined_t ==============
#!!!! This avc can be allowed using the boolean 'allow_execstack'
allow unconfined_t self:process execstack;
You are using a plugin that is potentially a problem. You can turn on the allow_execstack boolean

setsebool -P allow_execstack 1

Which will turn off the checking for unconfined processes. Or you can attempt to turn on

setsebool -P allow_unconfined_nsplugin_transition=1 allow_nsplugin_execmem=1

Which will turn on the permission only for nsplugin. Or you can remove the plugin that is causing the problem.
It's a Fedora 13 fresh install, no extra plugins installed.
Are you using nvidia?
Yes, the onboard nvidia chip on Biostar MCP6PM2+ motherboard. Nouveau driver.
That might be the problem.
Can you see if a library has the execstack flag

find /usr/lib64 -name \*.so\* -exec execstack -q {} \; -print | grep ^X
find /lib64 -name \*.so\* -exec execstack -q {} \; -print | grep ^X
Created attachment 399784: out of commands

Nothing else but a lot of

execstack: "........so" is not an ELF file
(In reply to comment #7)
> Nothing else but a lot of

Repeat it for /lib and /usr/lib as well. This might be one of the 32-bit binaries. Especially since the nspluginwrapper used might be the 32-bit version.
Sorry for the late reply.. I was traveling last week.

No output for the 32bit directories...

[root@familia-desktop ~]# find /usr/lib -name \*.so\* -exec execstack -q {} \; -print | grep ^X
[root@familia-desktop ~]# find /lib -name \*.so\* -exec execstack -q {} \; -print | grep ^X
[root@familia-desktop ~]#

Any more ideas?
Are you still seeing this problem? I seem to have dropped the ball on this bug, in the flood of bugzillas.
I just did a preupgrade from F13 to F14 Alpha and get the error from the Sun Java plugin, i.e. Java is not working in the firefox profile where I have enabled Java. This is my work laptop, so I "borrowed" the Sun Java packages from RHEL5 :-P

$ rpm -qa java-1.6.0-sun*
java-1.6.0-sun-devel-1.6.0.18-1jpp.2.el5.i586
java-1.6.0-sun-plugin-1.6.0.18-1jpp.2.el5.i586
java-1.6.0-sun-1.6.0.18-1jpp.2.el5.i586

I found bug #533486, but all of the checks from there turn up OK:

- no library marked "execstack"

- all Java binaries are marked java_exec_t:

$ ls -lZ /usr/lib/jvm/java-1.6.0-sun-1.6.0.18/bin /usr/lib/jvm/java-1.6.0-sun-1.6.0.18/jre/bin | fgrep -v java_exec_t
/usr/lib/jvm/java-1.6.0-sun-1.6.0.18/bin:
lrwxrwxrwx. root root system_u:object_r:bin_t:s0 ControlPanel -> ./jcontrol
/usr/lib/jvm/java-1.6.0-sun-1.6.0.18/jre/bin:

- Java plugin symlink setup (alternatives):

$ ls -Z /usr/lib/mozilla/plugins-wrapped/libjavaplugin.so /usr/lib/mozilla/plugins/libjavaplugin.so /etc/alternatives/libjavaplugin.so /usr/lib/jvm/jre-1.6.0-sun/lib/i386/libnpjp2.so | sort
lrwxrwxrwx. root root system_u:object_r:nsplugin_rw_t:s0 /usr/lib/mozilla/plugins-wrapped/libjavaplugin.so -> /usr/lib/mozilla/plugins/libjavaplugin.so
lrwxrwxrwx. root root unconfined_u:object_r:etc_t:s0 /etc/alternatives/libjavaplugin.so -> /usr/lib/jvm/jre-1.6.0-sun/lib/i386/libnpjp2.so
lrwxrwxrwx. root root unconfined_u:object_r:lib_t:s0 /usr/lib/mozilla/plugins/libjavaplugin.so -> /etc/alternatives/libjavaplugin.so
-rwxr-xr-x. root root system_u:object_r:textrel_shlib_t:s0 /usr/lib/jvm/jre-1.6.0-sun/lib/i386/libnpjp2.so

- firefox process context:

$ ps -eZ | fgrep firefox
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 9875 ? 00:01:14 firefox

Is there anything else you need? I'm going to try the nsplugin workarounds now...
Forgot this bit of info:

# getsebool -a | fgrep nsplugin
allow_nsplugin_execmem --> on
allow_unconfined_nsplugin_transition --> off
nsplugin_can_network --> on
Only by enabling allow_execstack does the Java plugin work on my system.

firefox-3.6.7-1.fc13.i686
java-1.6.0-sun-1.6.0.18-1jpp.2.el5.i586
java-1.6.0-sun-devel-1.6.0.18-1jpp.2.el5.i586
java-1.6.0-sun-plugin-1.6.0.18-1jpp.2.el5.i586
kernel-2.6.35.2-9.fc14.i686
selinux-policy-3.8.8-14.fc14.noarch
selinux-policy-targeted-3.8.8-14.fc14.noarch

Linux localhost.localdomain 2.6.35.2-9.fc14.i686 #1 SMP Tue Aug 17 22:54:19 UTC 2010 i686 i686 i386 GNU/Linux
What AVC are you seeing?
Back to original configuration:

# getsebool -a | fgrep -e nsplugin -e execstack
allow_execstack --> off
allow_java_execstack --> off
allow_mplayer_execstack --> off
allow_nsplugin_execmem --> on
allow_unconfined_nsplugin_transition --> off
nsplugin_can_network --> on

Starting firefox with the Java-enabled profile and a home page with a java app:

type=AVC msg=audit(1282754556.084:1145): avc: denied { execstack } for pid=5883 comm="plugin-config" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1282754556.084:1145): arch=40000003 syscall=125 success=no exit=-13 a0=bff97000 a1=1000 a2=1000007 a3=bff8e750 items=0 ppid=5881 pid=5883 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=3 comm="plugin-config" exe="/usr/lib/nspluginwrapper/plugin-config" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1282754558.559:1146): avc: denied { execstack } for pid=5890 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1282754558.559:1146): arch=40000003 syscall=125 success=no exit=-13 a0=bf8da000 a1=1000 a2=1000007 a3=bf8d3a40 items=0 ppid=5878 pid=5890 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=3 comm="firefox" exe="/usr/lib/firefox-3.6/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1282754558.573:1147): avc: denied { execstack } for pid=5890 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1282754558.573:1147): arch=40000003 syscall=125 success=no exit=-13 a0=bf8da000 a1=1000 a2=1000007 a3=bf8d3a40 items=0 ppid=5878 pid=5890 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=3 comm="firefox" exe="/usr/lib/firefox-3.6/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1282754561.003:1148): avc: denied { execstack } for pid=5890 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1282754561.003:1148): arch=40000003 syscall=125 success=no exit=-13 a0=bf8da000 a1=1000 a2=1000007 a3=bf8d3f90 items=0 ppid=5878 pid=5890 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=3 comm="firefox" exe="/usr/lib/firefox-3.6/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1282754561.005:1149): avc: denied { execstack } for pid=5890 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1282754561.005:1149): arch=40000003 syscall=125 success=no exit=-13 a0=bf8da000 a1=1000 a2=1000007 a3=bf8d3f90 items=0 ppid=5878 pid=5890 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=3 comm="firefox" exe="/usr/lib/firefox-3.6/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1282754561.018:1150): avc: denied { execstack } for pid=5890 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1282754561.018:1150): arch=40000003 syscall=125 success=no exit=-13 a0=bf8da000 a1=1000 a2=1000007 a3=bf8d3e50 items=0 ppid=5878 pid=5890 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=3 comm="firefox" exe="/usr/lib/firefox-3.6/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1282754561.019:1151): avc: denied { execstack } for pid=5890 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1282754561.019:1151): arch=40000003 syscall=125 success=no exit=-13 a0=bf8da000 a1=1000 a2=1000007 a3=bf8d3e50 items=0 ppid=5878 pid=5890 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=3 comm="firefox" exe="/usr/lib/firefox-3.6/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1282754561.023:1152): avc: denied { execstack } for pid=5890 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1282754561.023:1152): arch=40000003 syscall=125 success=no exit=-13 a0=bf8da000 a1=1000 a2=1000007 a3=bf8d3f90 items=0 ppid=5878 pid=5890 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=3 comm="firefox" exe="/usr/lib/firefox-3.6/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1282754561.023:1153): avc: denied { execstack } for pid=5890 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1282754561.023:1153): arch=40000003 syscall=125 success=no exit=-13 a0=bf8da000 a1=1000 a2=1000007 a3=bf8d3f90 items=0 ppid=5878 pid=5890 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=3 comm="firefox" exe="/usr/lib/firefox-3.6/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
Strange that no one else is seeing this. You could try

setsebool -P allow_unconfined_nsplugin_transition=1 allow_nsplugin_execmem=1
I did:

# getsebool -a | fgrep -e nsplugin -e execstack
allow_execstack --> off
allow_java_execstack --> off
allow_mplayer_execstack --> off
allow_nsplugin_execmem --> on
allow_unconfined_nsplugin_transition --> off
# setsebool allow_unconfined_nsplugin_transition=1 allow_nsplugin_execmem=1
# getsebool -a | fgrep -e nsplugin -e execstack
allow_execstack --> off
allow_java_execstack --> off
allow_mplayer_execstack --> off
allow_nsplugin_execmem --> on
allow_unconfined_nsplugin_transition --> on
nsplugin_can_network --> on

Java plugin still doesn't work.

To repeat, the following *does* work:

# setsebool allow_unconfined_nsplugin_transition=0 allow_execstack=1
# getsebool -a | fgrep -e nsplugin -e execstack
allow_execstack --> on
allow_java_execstack --> off
allow_mplayer_execstack --> off
allow_nsplugin_execmem --> on
allow_unconfined_nsplugin_transition --> off
nsplugin_can_network --> on
What AVC are you getting now? You did restart firefox?
Created attachment 441266: firefox AVCs with allow_unconfined_nsplugin_transition=1 allow_nsplugin_execmem=1

Repeat of first part from comment #17. After setsebool I start a new firefox process with the Java-enabled profile.

I have another firefox process with my default profile. That doesn't have Java enabled. That shouldn't affect the other firefox process?
So firefox is running java from within its process rather than executing a helper app? You could change the context of firefox to java_exec_t and run it that way. This would allow you to have allow_execstack turned off for the rest of the session.

chcon -t java_exec_t PATHTO/firefox
Yes,

chcon -t java_exec_t /usr/lib/firefox-3.6/firefox

seems to work. But:

- this wouldn't be a permanent solution, i.e. the next firefox update would reset it. What would be a solution for everybody?

- the original type is "mozilla_exec_t", so don't I lose all those permissions? Or is "java_exec_t" a superset that is less restrictive than "mozilla_exec_t"?

- If I understand the following correctly, nspluginwrapper does *specifically* exclude the Java plugin from wrapping, i.e. there is no "helper application":

# mozilla-plugin-config --list
EXCLUDE_WRAP: ... libjavaplugin* ...
Wrapper version string: X (1.3.0)
File/Link /usr/lib/mozilla/plugins-wrapped/libjavaplugin.so
File/Link /usr/lib/mozilla/plugins-wrapped/libtotem-gmp-plugin.so
...

- as the Sun Java RPMs are from RHEL Desktop Supplementary Packages and with the upcoming RHEL6 based on FC12(?): how will this problem be solved for RHEL6? Would an update to the RHEL6 Sun Java RPMs fix it (I'm not sure they are included in the Betas already)?

- Would sandbox be a solution? E.g. something like

sandbox -t java_exec_t /usr/bin/firefox -P <profile>
Sorry, sandbox is of course the wrong approach. I tried runcon, but SELinux doesn't seem to allow that for non-root users:

$ MOZ_NO_REMOTE=1 runcon system_u:object_r:java_exec_t:s0 /usr/bin/firefox -P Java
runcon: /usr/bin/firefox: Permission denied
Looks like https://bugzilla.redhat.com/show_bug.cgi?id=628031 has the same problem. I think the best solution for now is to turn the check off.

setsebool -P allow_execstack 0
Oops, I meant:

setsebool -P allow_execstack 1
OK, so I'm assuming this will not be put into the standard policy, as you closed bug #628031 as CANTFIX? I wonder how you want to solve this for RHEL6 where the java-sun packages are part of the delivery. At minimum this should be documented on the Fedora Wiki. Would this be the correct page: <https://fedoraproject.org/wiki/SELinux_FAQ>
We have three choices on this.

1) Run firefox as execmem_t which allows this access.

chcon -t execmem_exec_t /usr/bin/firefox

But since firefox is the main app that we want to prevent from being hacked, this is of limited value.

2) You can turn off the check altogether

# setsebool -P allow_execstack 1

3) Or not use the oracle java plugin.
ad 1) agreed

ad 2) would it be possible to put this into a wrapper? I.e. enable the boolean only for the one firefox process started by this wrapper. Something with "runcon", but available to non-root users? This firefox process is not used for internet access outside the company, i.e. proxy is disabled. So disabling exec_stack only for this process would be acceptable. That solution could then be put up on the SELinux FAQ.

ad 3) unfortunately not an option. There seems to be a lot of commercial Java SW that only works correctly with Oracle Java :-/
You can run firefox within a sandbox environment granting you full access to execstack but protecting the rest of your desktop
Me stupid, please spell it out or point to some instructions. According to your blog example I tried:

sandbox -X -T ~/java_sand_box/__tmp -H ~/java_sand_box -t sandbox_web_t /usr/bin/firefox -P Java

I only get a busy setroubleshootd processing an endless list of

SELinux is preventing /usr/bin/Xephyr from binding to port 6160.
I guess -T /tmp/xxx (and not in your home directory) might be relevant. Changed that, but still no Xephyr window :-(

Process seems to be running:

3897 pts/5 00:00:00 bash
5048 pts/5 00:00:00 sandbox
5050 pts/5 00:00:00 seunshare
5051 pts/5 00:00:00 sandboxX.sh
5058 pts/5 00:00:00 Xephyr
5059 pts/5 00:00:00 sandboxX.sh

3 types of SELinux errors:

SELinux is preventing /usr/bin/Xephyr "name_bind" access .
SELinux is preventing /usr/bin/Xephyr "module_request" access on <Unknown>.
SELinux is preventing /usr/bin/Xephyr from binding to port 6152.
Are you fully yum updated? You also need to reboot. But not sure what is going wrong.
yum update shows "no packages" for this F14 machine.

policycoreutils-2.0.83-21.fc14.i686
policycoreutils-gui-2.0.83-21.fc14.i686
policycoreutils-python-2.0.83-21.fc14.i686
policycoreutils-sandbox-2.0.83-21.fc14.i686
selinux-policy-3.8.8-20.fc14.noarch
selinux-policy-targeted-3.8.8-20.fc14.noarch
xorg-x11-server-Xephyr-1.9.0-4.fc14.i686

I just rebooted it and tried again: same SELinux errors and no sandbox :-(
Ping me on line #fedora tomorrow and we can talk about what is going on.
We debugged the "sandbox -X" problem and I reported it as separate bug #629032. It has nothing to do with the problem reported here. When the sandbox is running the Java plugin does start to work without execstack AVCs.
I'm not seeing the problem with the Java plugin. However, I did get the plugins SELinux execstack warning (I'm running in permissive mode).

I'm running the following on a freshly upgraded F13-F14:

kernel: 2.6.35.6-48.fc14.i686
video: NVIDIA-Linux-x86-256.53 (hand-installed from NVidia) cannot upgrade - over-clocking doesn't work in the latest release
firefox: firefox-3.6.12-1.fc14.i686
java: jre/jdk 1.6.0_22 (hand-installed from Oracle/Sun)

I found the following by running your find command in /usr/lib

X /usr/lib/vlc/plugins/codec/libdmo_plugin.so
X /usr/lib/vlc/plugins/codec/librealvideo_plugin.so
X /usr/lib/libmono.so.0.0.0
X /usr/lib/libstdc++-libc6.2-2.so.3
X /usr/lib/libmono.so.0
X /usr/lib/libstdc++-3-libc6.2-2-2.10.0.so
X /usr/lib/libmono.so

The VLC plugins are provided by vlc-core-1.1.4-4.fc14.i686, which is installed. However, there doesn't seem to be a plugin relating to vlc in /usr/lib/mozilla.

The Mono library doesn't surprise me. I have notes about Mono and SELinux dating from August 2008. I've pretty much given up trying to run Mono or mod_mono on any system using SELinux.

The libstdc++ surprises me. Could that be the source of the problem?
find /usr/lib -name \*.so\* -exec execstack -q {} \; -print | grep ^X
X /usr/lib/libstdc++-3-libc6.2-2-2.10.0.so
execstack: "/usr/lib/.libfipscheck.so.1.hmac" is not an ELF file
execstack: "/usr/lib/.libfipscheck.so.1.1.0.hmac" is not an ELF file
execstack: cannot open "/usr/lib/mozilla/plugins-wrapped/libnpjp2.so": No such file or directory
X /usr/lib/vlc/plugins/codec/librealvideo_plugin.so
X /usr/lib/vlc/plugins/codec/libdmo_plugin.so
execstack: "/usr/lib/.libssl.so.10.hmac" is not an ELF file
execstack: "/usr/lib/.libssl.so.1.0.0a.hmac" is not an ELF file
X /usr/lib/libstdc++-libc6.2-2.so.3

- Intel Corporation Mobile 945GM/GMS, 943/940GML Express Integrated Graphics Controller (rev 03)
- jre1.6.0_22 (hand-installed from Oracle/Sun)

My SELinux alerts started when I've created symlink as follows;

ln -s /opt/jre1.6.0_22/lib/i386/libnpjp2.so /usr/lib/mozilla/plugins/libnpjp2.so

- but the plugin was never really installed/added (tested on www.java.com)
- Creating symlink as user in /home/.mozilla/plugins produces the same alerts
- I've removed the symlink and now right click in Firefox doesn't work and I can't see tooltips on some websites when hovering mouse pointer over hyperlink
- I've tried to download the jre1.6.0_22 again but simple click on the hyperlink for download produces new AVC denial
- I did everything the same with Google Chrome and everything just works
If you clear the execstack flag does it work?

execstack -c /usr/lib/libstdc++-libc6.2-2.so.3
I'm seeing the same problem. On my system, the java and flash plugins are not marked as to whether they require execstack:

execstack -q /usr/lib/jvm/java-sun/jre/plugin/i386/ns7/libjavaplugin_oji.so
? /usr/lib/jvm/java-sun/jre/plugin/i386/ns7/libjavaplugin_oji.so
Garrett, libjavaplugin_oji.so should not be used with Firefox 3.6, that worked with older versions of Firefox, now you should use libnpjp2.so, as recommended by Sun/Oracle.

Clearing execstack does not work.

To make a few things clear, I'm on 32 bit system, Fedora 14, with all updates as of this moment. I had more than 60 denials, which was:

SELinux is preventing /usr/lib/firefox-3.6/firefox from making the program stack executable.

Only one was about /nspluginwrapper/plugin-config

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                None [ process ]
Source                        plugin-config
Source Path                   /usr/lib/nspluginwrapper/plugin-config
Port                          <Unknown>
Host                          Freedom
Source RPM Packages           firefox-3.6.12-1.fc14
Target RPM Packages
Policy RPM                    selinux-policy-3.9.7-7.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   allow_execstack
Host Name                     Freedom
Platform                      Linux Freedom 2.6.35.6-48.fc14.i686 #1 SMP Fri Oct 22 15:34:36 UTC 2010 i686 i686
Alert Count                   63
First Seen                    Wed 03 Nov 2010 01:54:05 AM CET
Last Seen                     Fri 05 Nov 2010 03:05:01 AM CET
Local ID                      7a1009d9-26ef-4785-86ff-1f9fb74c0721
Line Numbers

Raw Audit Messages

node=Freedom type=AVC msg=audit(1288922701.388:32): avc: denied { execstack } for pid=2342 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=Freedom type=SYSCALL msg=audit(1288922701.388:32): arch=40000003 syscall=125 success=no exit=-13 a0=bfda5000 a1=1000 a2=1000007 a3=bfd9e3b4 items=0 ppid=2313 pid=2342 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="firefox" exe="/usr/lib/firefox-3.6/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

- It is obvious that something in the policy needs to be fixed
Right, sorry, wrong file, but it has the same problem:

[root@grograman]# execstack -q /usr/lib/mozilla/plugins/*
- /usr/lib/mozilla/plugins/libflashplayer.so
? /usr/lib/mozilla/plugins/libnpjp2.so
- /usr/lib/mozilla/plugins/libtotem-cone-plugin.so
- /usr/lib/mozilla/plugins/libtotem-gmp-plugin.so
- /usr/lib/mozilla/plugins/libtotem-mully-plugin.so
- /usr/lib/mozilla/plugins/libtotem-narrowspace-plugin.so
- /usr/lib/mozilla/plugins/nppdf.so

so libnpjp2.so has the same setting. At the moment, I'm running with the execstack check turned off:

setsebool -P allow_execstack 1

which isn't as secure but at least everything works.
Looks like you are either going to need to label firefox as execmem_exec_t or run with the execstack check turned off for unconfined processes. I think the problem is plugins like java starting to be executed within firefox.
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
I too am getting the same errors on a fresh install of F14 and the Oracle/Sun java.

Summary: SELinux is preventing /usr/lib/firefox-3.6/firefox from making the program stack executable.

Detailed Description:
The firefox application attempted to make its stack executable. This is a potential security problem. This should never ever be necessary. Stack memory is not executable on most OSes these days and this will not change. Executable stack memory is one of the biggest security problems. An execstack error might in fact be most likely raised by malicious code. Applications are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://www.akkadia.org/drepper/selinux-mem.html) web page explains how to remove this requirement. If firefox does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a bug report.

Allowing Access:
Sometimes a library is accidentally marked with the execstack flag, if you find a library with this flag you can clear it with the execstack -c LIBRARY_PATH. Then retry your application. If the app continues to not work, you can turn the flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust firefox to run correctly, you can change the context of the executable to execmem_exec_t. "chcon -t execmem_exec_t '/usr/lib/firefox-3.6/firefox'" You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t execmem_exec_t '/usr/lib/firefox-3.6/firefox'"

Fix Command:
chcon -t execmem_exec_t '/usr/lib/firefox-3.6/firefox'

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                None [ process ]
Source                        plugin-config
Source Path                   /usr/lib/nspluginwrapper/plugin-config
Port                          <Unknown>
Host                          tower10.home
Source RPM Packages           firefox-3.6.12-1.fc14
Target RPM Packages
Policy RPM                    selinux-policy-3.9.7-7.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   allow_execstack
Host Name                     tower10.home
Platform                      Linux tower10.home 2.6.35.6-48.fc14.i686 #1 SMP Fri Oct 22 15:34:36 UTC 2010 i686 i686
Alert Count                   35
First Seen                    Mon 08 Nov 2010 01:42:12 PM CST
Last Seen                     Mon 08 Nov 2010 08:44:43 PM CST
Local ID                      a9ef1964-274a-4637-9f80-bb8872566f15
Line Numbers

Raw Audit Messages

node=tower10.home type=AVC msg=audit(1289270683.246:39981): avc: denied { execstack } for pid=10801 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=tower10.home type=SYSCALL msg=audit(1289270683.246:39981): arch=40000003 syscall=125 success=no exit=-13 a0=bfbd1000 a1=1000 a2=1000007 a3=bfbca8d4 items=0 ppid=10782 pid=10801 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="firefox" exe="/usr/lib/firefox-3.6/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

I have done a fresh install from the DVD, then a complete yum update. Installed the Oracle/Sun java, and get the SELinux messages. I wish I could run without the Oracle/Sun java, but there are quite a few things that I need that don't work properly without it.
# setsebool -P allow_execstack 1

Will stop the check, or you could execute the chcon command specified in the alert.
*** Bug 597617 has been marked as a duplicate of this bug. ***
Hello,

I am seeing this bug for the first time today. I managed to hose my system this morning and did a complete fresh install of F14, followed by all the updates (the original system was F14 as well). After installing the nspluginwrapper, every time I start firefox, I get an SELinux AVC error stating that it is preventing /usr/lib64/nspluginwrapper/plugin-config from making the program stack executable.

I have had the program stack executable problem previously with the java plugin for firefox and the adobe reader (for which I had , but not with the nspluginwrapper itself.

I notice that both the SELinux policy and the nspluginwrapper packages were updated quite recently:

nspluginwrapper 1.3.0-15.fc14 x86_64:
FEDORA-2010-17812
Release : Fedora 14
Type : bugfix
Status : stable
Issued : 2010-11-16 22:09:28
Description : fixes cooperation with spice-xpi package.

Both selinux-policy and selinux-policy-targeted are 3.9.7-12.fc14:
FEDORA-2010-17968
Release : Fedora 14
Type : bugfix
Status : stable
Issued : 2010-11-19 21:55:12

Any help you can give me is appreciated. All google searches on this subject come up with older versions and other unrelated issues.

Thanks,
Erik
Simplest thing is to execute

# setsebool -P allow_execstack 1

Are you running the java plugin from oracle?
Hi Daniel,

Yes, I am using the java plugin from oracle. I have had to separately enable stack execution for the plugin as follows:

sudo chcon -t execmem_exec_t /usr/lib64/firefox-3.6/firefox

If I reset to the current SELinux policy for firefox, I get a separate AVC denial for firefox:

SELinux is preventing /usr/lib64/firefox-3.6/firefox from making the program stack executable.

The problem I am reporting about here is specific to the nspluginwrapper. I was not getting any AVC denials for nspluginwrapper until I rebuilt my system on Saturday. Please note that prior to the rebuild I was most likely running with the previous versions of the wrapper and SELinux policy from what I listed above in my initial report.

Hope this information helps.

Many thanks for your reply and assistance,
Erik
Sorry guys I am a newbie, just installed a program called easylife. It downloads all the free and non free apps to make fedora linux 14 user friendly and work with many different programs. After the install I keep getting this working. Is it a virus or is this normal? My biggest problem before I installed it was that I could not get the codes I needed to make flash work correctly. Now except for this problem everything works like a charm
Did you turn off the check using allow_execstack

setsebool -P allow_execstack 1
(In reply to comment #52)
> Did you turn off the check using allow_execstack
>
> setsebool -P allow_execstack 1

Thanks Dan for the advice, it works fine now. I only hope that execstack are not the major "security problem"
Well it allows an unconfined app to be more unconfined :^). You have loosened the security a little over the default but not as much as if you had disabled SELinux altogether. The problem is oracle/sun have decided to run java engine within the same process as firefox. Since java requires execmem/execstack to run, we end up having to turn the permission off for either just firefox or for the entire user session. This boolean does not affect any confined processes on your system.
(In reply to comment #54)
> ...not as much as if you had disabled SELinux altogether.

I couldn't have said more

(In reply to comment #54)
> The problem is oracle/sun have decided to run java engine
> within the same process as firefox. Since java requires execmem/execstack to
> run, we end up having to turn the permission off for either just firefox or for
> the entire user session. This boolean does not effect any confined processes
> on your system.

Anyway I hope that Oracle will find a solution to help to improve the system security. But more, thanks for your reactivity and for your job
This bug has followed me from two versions of Fedora r13/r14 - it did not happen with the standard firefox load even after hours of use; but happened quite soon after installing some extensions / addons. When it happens, it corrupts my video memory, causing the entire screen to become scrambled; I originally thought it was corrupting the heap; but the selinux report seems to suggest that it is trying to execute code on the stack (could still be a heap/stack over/under-run issue).

Here are the extensions/addons I have loaded.

Dom Inspector
FireBug
FireDownload
FlagFox
FoxyProxy
Personas
Tamper Data
World IP

My current suspect is Dom Inspector, as many of the extensions were running for quite a while before Dom Inspector was installed; and now I have disabled it to give FF a while to see if it will crash again corrupting my video driver...
You could look for the bad libraries using the

find /usr/lib64 -name \*.so\* -exec execstack -q {} \; -print | grep ^X
find /lib64 -name \*.so\* -exec execstack -q {} \; -print | grep ^X
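The find / execstack -q loops used throughout this thread read one thing from each library: the PT_GNU_STACK program header. The following is an added example, not part of the bug report or of the execstack tool, that parses that header directly and reports the same X / - / ? verdicts (and the "is not an ELF file" case for the .hmac files seen above); the function names, the sample library names and the ELF images are constructed for the demonstration.

```python
"""Report the PT_GNU_STACK setting of *.so* files the way execstack -q does."""
import os
import struct
import tempfile

PT_GNU_STACK = 0x6474E551   # program header that records the requested stack policy
PF_X = 0x1                  # execute bit in p_flags


def _program_headers(data):
    """Yield (p_type, p_flags) for every program header of an ELF32/ELF64 image."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("is not an ELF file")
    ei_class, ei_data = data[4], data[5]
    end = {1: "<", 2: ">"}.get(ei_data)          # EI_DATA: 1 = little, 2 = big endian
    if end is None:
        raise ValueError("unknown ELF data encoding")
    if ei_class == 1:     # ELF32: e_phoff at 28, e_phentsize/e_phnum at 42, p_flags at +24
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        flags_off = 24
    elif ei_class == 2:   # ELF64: e_phoff at 32, e_phentsize/e_phnum at 54, p_flags at +4
        if len(data) < 64:
            raise ValueError("truncated ELF64 header")
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        flags_off = 4
    else:
        raise ValueError("unknown ELF class")
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + e_phentsize > len(data):
            raise ValueError("truncated program header table")
        (p_type,) = struct.unpack_from(end + "I", data, off)
        (p_flags,) = struct.unpack_from(end + "I", data, off + flags_off)
        yield p_type, p_flags


def gnu_stack_flag(data):
    """'X' = executable stack requested, '-' = non-executable stack,
    '?' = no PT_GNU_STACK header at all (the loader's default then applies)."""
    for p_type, p_flags in _program_headers(data):
        if p_type == PT_GNU_STACK:
            return "X" if p_flags & PF_X else "-"
    return "?"


def scan_tree(root):
    """Walk root like the thread's find loops; map each *.so* path to its flag,
    or to the error text for files that are not ELF (e.g. .hmac checksum files)."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if ".so" not in name:
                continue
            path = os.path.join(dirpath, name)
            if os.path.islink(path):   # report each library once, under its real name
                continue
            try:
                with open(path, "rb") as fh:
                    report[path] = gnu_stack_flag(fh.read())
            except ValueError as err:
                report[path] = str(err)
    return report


def _make_elf(bits, stack_flags):
    """Constructed minimal ELF (hypothetical, not a real library): one PT_LOAD and,
    unless stack_flags is None, a PT_GNU_STACK carrying those p_flags."""
    phdrs = [(1, 5)]                       # PT_LOAD, R+X
    if stack_flags is not None:
        phdrs.append((PT_GNU_STACK, stack_flags))
    if bits == 64:
        ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\x00" * 9
        hdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
        body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    else:
        ident = b"\x7fELF" + bytes([1, 1, 1]) + b"\x00" * 9
        hdr = ident + struct.pack("<HHIIIIIHHHHHH", 3, 3, 1, 0, 52, 0, 0, 52, 32, len(phdrs), 0, 0, 0)
        body = b"".join(struct.pack("<IIIIIIII", t, 0, 0, 0, 0, 0, f, 0) for t, f in phdrs)
    return hdr + body


def sample_report():
    """Write constructed sample files into a temp dir, scan it, return {basename: result}."""
    samples = {
        "libclean.so.1": _make_elf(64, 0x6),        # RW stack            -> '-'
        "libexecstack.so": _make_elf(64, 0x7),      # RWE stack           -> 'X'
        "libunmarked.so.3": _make_elf(32, None),    # no PT_GNU_STACK     -> '?'
        ".libssl.so.10.hmac": b"0123abcd\n",        # checksum file, not an ELF
    }
    with tempfile.TemporaryDirectory() as root:
        for name, blob in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(blob)
        return {os.path.basename(p): v for p, v in scan_tree(root).items()}


if __name__ == "__main__":
    for name, flag in sorted(sample_report().items()):
        print(flag, name)
```

Only libraries reported as X would need the execstack -c treatment discussed above; a ? result is the state the thread observed for libnpjp2.so.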