You are using a plugin that is potentially a problem.

You can turn on the allow_execstack boolean

setsebool -P allow_execstack 1

Which will turn off the checking for unconfined processes.

Or you can attempt to turn on 

setsebool -P allow_unconfined_nsplugin_transition=1 allow_nsplugin_execmem=1

Which will turn on the permission only for nsplugin.

Or you can remove the plugin that is causing the problem.

It's a Fedora 13 fresh install, no extra plugins installed.

Are you using nvidia?

Yes, the onboard nvidia chip on Biostar MCP6PM2+ motherboard.
Nouveau driver.

That might be the problem.

Can you see if a library has the execstack flag

find /usr/lib64 -name \*.so\* -exec execstack -q {} \; -print | grep ^X
find /lib64 -name \*.so\* -exec execstack -q {} \; -print | grep ^X

Created attachment 399784 [details]
out of commands

Nothing else but a lot of 

execstack: "........so" is not an ELF file

(In reply to comment #7)
> Nothing else but a lot of 

Repeat it for /lib and /usr/lib as well.  This might be one of the 32-bit binaries.  Especially since the nspluinwrapper used might be the 32-bit version.

Sorry for the late reply.. I was traveling last week.

No output for the 32bit directories...

[root@familia-desktop ~]# find /usr/lib -name \*.so\* -exec execstack -q {} \; -print | grep ^X
[root@familia-desktop ~]# find /lib -name \*.so\* -exec execstack -q {} \; -print | grep ^X
[root@familia-desktop ~]# 


Any more ideas?

Are you still seeing this problem.  I seem to have dropped the ball on this bug, in the flood of bugzillas.

I just did a preupgrade from F13 to F14 Alpha and get the error from the Sun Java plugin, i.e. Java is not working in the firefox profile where I have enabled Java. This is my work laptop, so I "borrowed" the Sun Java packages from RHEL5 :-P

$ rpm -qa java-1.6.0-sun*
java-1.6.0-sun-devel-1.6.0.18-1jpp.2.el5.i586
java-1.6.0-sun-plugin-1.6.0.18-1jpp.2.el5.i586
java-1.6.0-sun-1.6.0.18-1jpp.2.el5.i586


I found bug #533486, but all of the checks from there turn up OK:

 - no library marked "execstack"

 - all Java binaries are marked java_exec_t:

$ ls -lZ /usr/lib/jvm/java-1.6.0-sun-1.6.0.18/bin /usr/lib/jvm/java-1.6.0-sun-1.6.0.18/jre/bin | fgrep -v java_exec_t
/usr/lib/jvm/java-1.6.0-sun-1.6.0.18/bin:
lrwxrwxrwx. root root system_u:object_r:bin_t:s0       ControlPanel -> ./jcontrol

/usr/lib/jvm/java-1.6.0-sun-1.6.0.18/jre/bin:

 - Java plugin symlink setup (alternatives):

$ ls -Z /usr/lib/mozilla/plugins-wrapped/libjavaplugin.so /usr/lib/mozilla/plugins/libjavaplugin.so /etc/alternatives/libjavaplugin.so /usr/lib/jvm/jre-1.6.0-sun/lib/i386/libnpjp2.so | sort
lrwxrwxrwx. root root system_u:object_r:nsplugin_rw_t:s0 /usr/lib/mozilla/plugins-wrapped/libjavaplugin.so -> /usr/lib/mozilla/plugins/libjavaplugin.so
lrwxrwxrwx. root root unconfined_u:object_r:etc_t:s0   /etc/alternatives/libjavaplugin.so -> /usr/lib/jvm/jre-1.6.0-sun/lib/i386/libnpjp2.so
lrwxrwxrwx. root root unconfined_u:object_r:lib_t:s0   /usr/lib/mozilla/plugins/libjavaplugin.so -> /etc/alternatives/libjavaplugin.so
-rwxr-xr-x. root root system_u:object_r:textrel_shlib_t:s0 /usr/lib/jvm/jre-1.6.0-sun/lib/i386/libnpjp2.so

 - firefox process context:

$ ps -eZ | fgrep firefox
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 9875 ? 00:01:14 firefox

Is there anything else you need? I'm going to try the nsplugin workarounds now...

Forgot this bit of info:

# getsebool -a | fgrep nsplugin
allow_nsplugin_execmem --> on
allow_unconfined_nsplugin_transition --> off
nsplugin_can_network --> on

Only by enabling allow_execstack does the Java plugin work on my system.

firefox-3.6.7-1.fc13.i686
java-1.6.0-sun-1.6.0.18-1jpp.2.el5.i586
java-1.6.0-sun-devel-1.6.0.18-1jpp.2.el5.i586
java-1.6.0-sun-plugin-1.6.0.18-1jpp.2.el5.i586
kernel-2.6.35.2-9.fc14.i686
selinux-policy-3.8.8-14.fc14.noarch
selinux-policy-targeted-3.8.8-14.fc14.noarch

Linux localhost.localdomain 2.6.35.2-9.fc14.i686 #1 SMP Tue Aug 17 22:54:19 UTC 2010 i686 i686 i386 GNU/Linux

What AVC are you seeing?

Back to original configuration:

# getsebool -a | fgrep -e nsplugin -e execstack
allow_execstack --> off
allow_java_execstack --> off
allow_mplayer_execstack --> off
allow_nsplugin_execmem --> on
allow_unconfined_nsplugin_transition --> off
nsplugin_can_network --> on

Starting firefox with the Java-enabled profile and a home page with a java app:

type=AVC msg=audit(1282754556.084:1145): avc:  denied  { execstack } for  pid=5883 comm="plugin-config" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1282754556.084:1145): arch=40000003 syscall=125 success=no exit=-13 a0=bff97000 a1=1000 a2=1000007 a3=bff8e750 items=0 ppid=5881 pid=5883 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=3 comm="plugin-config" exe="/usr/lib/nspluginwrapper/plugin-config" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1282754558.559:1146): avc:  denied  { execstack } for  pid=5890 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1282754558.559:1146): arch=40000003 syscall=125 success=no exit=-13 a0=bf8da000 a1=1000 a2=1000007 a3=bf8d3a40 items=0 ppid=5878 pid=5890 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=3 comm="firefox" exe="/usr/lib/firefox-3.6/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1282754558.573:1147): avc:  denied  { execstack } for  pid=5890 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1282754558.573:1147): arch=40000003 syscall=125 success=no exit=-13 a0=bf8da000 a1=1000 a2=1000007 a3=bf8d3a40 items=0 ppid=5878 pid=5890 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=3 comm="firefox" exe="/usr/lib/firefox-3.6/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1282754561.003:1148): avc:  denied  { execstack } for  pid=5890 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1282754561.003:1148): arch=40000003 syscall=125 success=no exit=-13 a0=bf8da000 a1=1000 a2=1000007 a3=bf8d3f90 items=0 ppid=5878 pid=5890 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=3 comm="firefox" exe="/usr/lib/firefox-3.6/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1282754561.005:1149): avc:  denied  { execstack } for  pid=5890 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1282754561.005:1149): arch=40000003 syscall=125 success=no exit=-13 a0=bf8da000 a1=1000 a2=1000007 a3=bf8d3f90 items=0 ppid=5878 pid=5890 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=3 comm="firefox" exe="/usr/lib/firefox-3.6/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1282754561.018:1150): avc:  denied  { execstack } for  pid=5890 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1282754561.018:1150): arch=40000003 syscall=125 success=no exit=-13 a0=bf8da000 a1=1000 a2=1000007 a3=bf8d3e50 items=0 ppid=5878 pid=5890 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=3 comm="firefox" exe="/usr/lib/firefox-3.6/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1282754561.019:1151): avc:  denied  { execstack } for  pid=5890 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1282754561.019:1151): arch=40000003 syscall=125 success=no exit=-13 a0=bf8da000 a1=1000 a2=1000007 a3=bf8d3e50 items=0 ppid=5878 pid=5890 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=3 comm="firefox" exe="/usr/lib/firefox-3.6/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1282754561.023:1152): avc:  denied  { execstack } for  pid=5890 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1282754561.023:1152): arch=40000003 syscall=125 success=no exit=-13 a0=bf8da000 a1=1000 a2=1000007 a3=bf8d3f90 items=0 ppid=5878 pid=5890 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=3 comm="firefox" exe="/usr/lib/firefox-3.6/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1282754561.023:1153): avc:  denied  { execstack } for  pid=5890 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1282754561.023:1153): arch=40000003 syscall=125 success=no exit=-13 a0=bf8da000 a1=1000 a2=1000007 a3=bf8d3f90 items=0 ppid=5878 pid=5890 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=3 comm="firefox" exe="/usr/lib/firefox-3.6/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Strange that no one else is seeing this.  You could try

setsebool -P allow_unconfined_nsplugin_transition=1 allow_nsplugin_execmem=1

I did:

# getsebool -a | fgrep -e nsplugin -e execstack
allow_execstack --> off
allow_java_execstack --> off
allow_mplayer_execstack --> off
allow_nsplugin_execmem --> on
allow_unconfined_nsplugin_transition --> off

# setsebool allow_unconfined_nsplugin_transition=1 allow_nsplugin_execmem=1
# getsebool -a | fgrep -e nsplugin -e execstack
allow_execstack --> off
allow_java_execstack --> off
allow_mplayer_execstack --> off
allow_nsplugin_execmem --> on
allow_unconfined_nsplugin_transition --> on
nsplugin_can_network --> on

Java plugin still doesn't work.

To repeat, the following *does* work:

# setsebool allow_unconfined_nsplugin_transition=0 allow_execstack=1
# getsebool -a | fgrep -e nsplugin -e execstack
allow_execstack --> on
allow_java_execstack --> off
allow_mplayer_execstack --> off
allow_nsplugin_execmem --> on
allow_unconfined_nsplugin_transition --> off
nsplugin_can_network --> on

What AVC are you getting now?  You did restart firefox?

Created attachment 441266 [details]
firefox AVCs with allow_unconfined_nsplugin_transition=1 allow_nsplugin_execmem=1

Repeat of first part from comment #17. After setsebool I start a new firefox process with the Java-enabled profile.

I have another firefox process with my default profile. That doesn't have Java enabled. That shouldn't affect the other firefox process?

So firefox is running jave from within its process rather then executing a helper app?


You could change the context of firefox to java_exec_t and run it that way.  This would allow you to have allow_execstack turned off for the rest of the session.

chcon -t java_exec_t PATHTO/firefox

Yes,

  chcon -t java_exec_t /usr/lib/firefox-3.6/firefox

seems to work. But:

 - this wouldn't be a permanent solution, i.e. the next firefox update would reset it. What would be a solution for everybody?

 - the original type is "mozilla_exec_t", so don't I loose all those permissions? Or is "java_exec_t" a superset that is less restrictive than "mozilla_exec_t"?

 - If I understand the following correctly, nspluginwrapper does *specifically* exclude the Java plugin from wrapping, i.e. there is no "helper application":

# mozilla-plugin-config --list
EXCLUDE_WRAP:
...
libjavaplugin*
...
  Wrapper version string: X (1.3.0)
File/Link /usr/lib/mozilla/plugins-wrapped/libjavaplugin.so
File/Link /usr/lib/mozilla/plugins-wrapped/libtotem-gmp-plugin.so
...

 - as the Sun Java RPMs are from RHEL Desktop Supplementary Packages and with the upcoming RHEL6 based on FC12(?): how will this problem solved for RHEL6? Would an update to the RHEL6 Sun Java RPMs fix it (I'm not sure they are included in the Betas already)?

 - Would sandbox be a solution? E.g. something like

     sandbox -t java_exec_t /usr/bin/firefox -P <profile>

Sorry, sandbox is of course the wrong approach.

I tried runcon, but SELinux doesn't seem to allow that for non-root users:

  $ MOZ_NO_REMOTE=1 runcon system_u:object_r:java_exec_t:s0 /usr/bin/firefox -P Java
  runcon: /usr/bin/firefox: Permission denied

Looks like

https://bugzilla.redhat.com/show_bug.cgi?id=628031

Has the same problem.


I think the best solution for now is to turn the check off.

setsebool -P allow_execstack 0

Oops I meant.

setsebool -P allow_execstack 1

OK, so I'm assuming this will not be put into the standard policy, as you closed bug #628031 as CANTFIX? I wonder how you want to solve this for RHEL6 where the java-sun packages are part of the delivery.

At minimum this should be documented on the Fedora Wiki. Would this be the correct page:

  <https://fedoraproject.org/wiki/SELinux_FAQ>

We have three choices on this.

Run firefox as execmem_t which allows this access.  

chcon -t execmem_exec_t /usr/bin/firefox

But since firefox is the main app that we want to prevent from being hacked, this is of limited value.

You can turn off the check altogether

# setsebool -P allow_execstack 1

Or not use the oracle java plugin.

ad 1) agreed


ad 2) would it be possible to put this into a wrapper? I.e. enable the boolean only for the one firefox process started by this wrapper. Something with "runcon", but available to non-root users?

This firefox process is not used for internet access outside the company, i.e. proxy is disabled. So disabling exec_stack only for this process would be acceptable.

That solution could then be put up on the SELinux FAQ.


ad 3) unfortunately not an option. There seems to be a lot of commercial Java SW that only works correctly with Oracle Java :-/

You can run firefox within a sandbox environment granting you full access to execstack but protecting the rest of you desktop

Me stupid, please spell it out or point to some instructions.

According to your blog example I tried:

sandbox -X -T ~/java_sand_box/__tmp -H ~/java_sand_box -t sandbox_web_t /usr/bin/firefox -P Java

I only get a busy setroubleshootd processing an endless list of 

    SELinux is preventing /usr/bin/Xephyr from binding to port 6160.

I guess -T /tmp/xxx (and not in your home directory) might be relevant.

Changed that, but still no Xephyr window :-( Process seems to be running:

 3897 pts/5    00:00:00   bash
 5048 pts/5    00:00:00     sandbox
 5050 pts/5    00:00:00       seunshare
 5051 pts/5    00:00:00         sandboxX.sh
 5058 pts/5    00:00:00           Xephyr
 5059 pts/5    00:00:00           sandboxX.sh

3 types of SELinux errors:

SELinux is preventing /usr/bin/Xephyr "name_bind" access .
SELinux is preventing /usr/bin/Xephyr "module_request" access on <Unknown>.
SELinux is preventing /usr/bin/Xephyr from binding to port 6152.

Are you fully yum update?

You also need to reboot.  But not sure what is going wrong.

yum update shows "no packages" for this F14 machine.

policycoreutils-2.0.83-21.fc14.i686
policycoreutils-gui-2.0.83-21.fc14.i686
policycoreutils-python-2.0.83-21.fc14.i686
policycoreutils-sandbox-2.0.83-21.fc14.i686
selinux-policy-3.8.8-20.fc14.noarch
selinux-policy-targeted-3.8.8-20.fc14.noarch
xorg-x11-server-Xephyr-1.9.0-4.fc14.i686

I just rebooted it and tried again: same SELinux errors and no sandbox :-(

Ping me on line #fedora tomorrow and we can talk about what is going on.

We debugged  the "sandbox -X" problem and I reported it as separate bug #629032. It has nothing to do with the problem reported here.

When the sandbox is running the Java plugin does start to work without execstack AVCs.

I'm not seeing the problem with the Java plugin. However, I did get the plugins SELinux execstack warning (I'm running in permissive mode).

I'm running the following on a freshly upgraded F13-F14:

kernel:  2.6.35.6-48.fc14.i686
video:   NVIDIA-Linux-x86-256.53 (hand-installed from NVidia)
         cannot upgrade - over-clocking doesn't work in the latest release
firefox: firefox-3.6.12-1.fc14.i686
java:    jre/jdk 1.6.0_22 (hand-installed from Oracle/Sun)

I found the following by running your find command in /usr/lib

X /usr/lib/vlc/plugins/codec/libdmo_plugin.so
X /usr/lib/vlc/plugins/codec/librealvideo_plugin.so
X /usr/lib/libmono.so.0.0.0
X /usr/lib/libstdc++-libc6.2-2.so.3
X /usr/lib/libmono.so.0
X /usr/lib/libstdc++-3-libc6.2-2-2.10.0.so
X /usr/lib/libmono.so

The VLC plugins are provided by vlc-core-1.1.4-4.fc14.i686, which is installed. However, there doesn't seem to be a plugin relating to vlc in /usr/lib/mozilla.

The Mono library doesn't surprise me. I have notes about Mono and SELinux dating from August 2008. I've pretty much given up trying to run Mono or mod_mono on any system using SELinux.

The libstdc++ surprises me. Could that be the source of the problem?

find /usr/lib -name \*.so\* -exec execstack -q {} \; -print | grep ^X
X /usr/lib/libstdc++-3-libc6.2-2-2.10.0.so
execstack: "/usr/lib/.libfipscheck.so.1.hmac" is not an ELF file
execstack: "/usr/lib/.libfipscheck.so.1.1.0.hmac" is not an ELF file
execstack: cannot open "/usr/lib/mozilla/plugins-wrapped/libnpjp2.so": No such file or directory
X /usr/lib/vlc/plugins/codec/librealvideo_plugin.so
X /usr/lib/vlc/plugins/codec/libdmo_plugin.so
execstack: "/usr/lib/.libssl.so.10.hmac" is not an ELF file
execstack: "/usr/lib/.libssl.so.1.0.0a.hmac" is not an ELF file
X /usr/lib/libstdc++-libc6.2-2.so.3

-Intel Corporation Mobile 945GM/GMS, 943/940GML Express Integrated Graphics Controller (rev 03)

-jre1.6.0_22 (hand-installed from Oracle/Sun)

 My SELinux alerts started when I've created symlink as follows;
ln -s  /opt/jre1.6.0_22/lib/i386/libnpjp2.so /usr/lib/mozilla/plugins/libnpjp2.so  -but the plugin was never really installed/added (tested on www.java.com)

-Creating symlink as user in /home/.mozilla/plugins produces the same alerts

-I've removed the symlink and now right click in Firefox doesn't work and I can't see tooltips on some websites when hovering mouse pointer over hyperlink

-I've tried to download the jre1.6.0_22 again but simple click on the hyperlink for download produces new AVC denial

-I did everything the same with Google Chrome and everything just works

If you clear the execstack flag  does it work?

execstack -c /usr/lib/libstdc++-libc6.2-2.so.3

I'm seeing the same problem.  On my system, the java and flash plugins are not marked as to whether they require execstack:

execstack -q /usr/lib/jvm/java-sun/jre/plugin/i386/ns7/libjavaplugin_oji.so 

? /usr/lib/jvm/java-sun/jre/plugin/i386/ns7/libjavaplugin_oji.so

Garrett, libjavaplugin_oji.so should not be used with Firefox 3.6, that worked with older versions of Firefox, now you should use libnpjp2.so, as recommended by Sun/Oracle.

Clearing execstack does not work. To make few things clear, I'm on 32 bit system, Fedora 14, with all updates as of this moment. I had more than 60 denials, which was: SELinux is preventing /usr/lib/firefox-3.6/firefox from making the program stack executable. Only one was about /nspluginwrapper/plugin-config


Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Objects                None [ process ]
Source                        plugin-config
Source Path                   /usr/lib/nspluginwrapper/plugin-config
Port                          <Unknown>
Host                          Freedom
Source RPM Packages           firefox-3.6.12-1.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-7.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   allow_execstack
Host Name                     Freedom
Platform                      Linux Freedom 2.6.35.6-48.fc14.i686 #1 SMP Fri Oct
                              22 15:34:36 UTC 2010 i686 i686
Alert Count                   63
First Seen                    Wed 03 Nov 2010 01:54:05 AM CET
Last Seen                     Fri 05 Nov 2010 03:05:01 AM CET
Local ID                      7a1009d9-26ef-4785-86ff-1f9fb74c0721
Line Numbers                  

Raw Audit Messages            

node=Freedom type=AVC msg=audit(1288922701.388:32): avc:  denied  { execstack } for  pid=2342 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=Freedom type=SYSCALL msg=audit(1288922701.388:32): arch=40000003 syscall=125 success=no exit=-13 a0=bfda5000 a1=1000 a2=1000007 a3=bfd9e3b4 items=0 ppid=2313 pid=2342 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="firefox" exe="/usr/lib/firefox-3.6/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

- It is obvious that something in the policy needs to be fixed

Right, sorry, wrong file, but it has the same problem:

[root@grograman]# execstack -q /usr/lib/mozilla/plugins/*
- /usr/lib/mozilla/plugins/libflashplayer.so
? /usr/lib/mozilla/plugins/libnpjp2.so
- /usr/lib/mozilla/plugins/libtotem-cone-plugin.so
- /usr/lib/mozilla/plugins/libtotem-gmp-plugin.so
- /usr/lib/mozilla/plugins/libtotem-mully-plugin.so
- /usr/lib/mozilla/plugins/libtotem-narrowspace-plugin.so
- /usr/lib/mozilla/plugins/nppdf.so

so libnpj2.so has the same setting.

At the moment, I'm running with the execscack check turned off:

setsebool -P allow_execstack 1

which isn't as secure but at least everything works.

Looks like you are either going to need to label firefox as execmem_exec_t or run with the execstack check turned off for unconfined processes.

I think the problem is plugins like java starting to be executed within firefox.

This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

I too am getting the same errors on a fresh install of F14 and the Oracle/Sun java.


Summary:

SELinux is preventing /usr/lib/firefox-3.6/firefox from making the program stack
executable.

Detailed Description:

The firefox application attempted to make its stack executable. This is a
potential security problem. This should never ever be necessary. Stack memory is
not executable on most OSes these days and this will not change. Executable
stack memory is one of the biggest security problems. An execstack error might
in fact be most likely raised by malicious code. Applications are sometimes
coded incorrectly and request this permission. The SELinux Memory Protection
Tests (http://www.akkadia.org/drepper/selinux-mem.html) web page explains how to
remove this requirement. If firefox does not work and you need it to work, you
can configure SELinux temporarily to allow this access until the application is
fixed. Please file a bug report.

Allowing Access:

Sometimes a library is accidentally marked with the execstack flag, if you find
a library with this flag you can clear it with the execstack -c LIBRARY_PATH.
Then retry your application. If the app continues to not work, you can turn the
flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust firefox to
run correctly, you can change the context of the executable to execmem_exec_t.
"chcon -t execmem_exec_t '/usr/lib/firefox-3.6/firefox'" You must also change
the default file context files on the system in order to preserve them even on a
full relabel. "semanage fcontext -a -t execmem_exec_t
'/usr/lib/firefox-3.6/firefox'"

Fix Command:

chcon -t execmem_exec_t '/usr/lib/firefox-3.6/firefox'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Objects                None [ process ]
Source                        plugin-config
Source Path                   /usr/lib/nspluginwrapper/plugin-config
Port                          <Unknown>
Host                          tower10.home
Source RPM Packages           firefox-3.6.12-1.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-7.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   allow_execstack
Host Name                     tower10.home
Platform                      Linux tower10.home 2.6.35.6-48.fc14.i686 #1 SMP
                              Fri Oct 22 15:34:36 UTC 2010 i686 i686
Alert Count                   35
First Seen                    Mon 08 Nov 2010 01:42:12 PM CST
Last Seen                     Mon 08 Nov 2010 08:44:43 PM CST
Local ID                      a9ef1964-274a-4637-9f80-bb8872566f15
Line Numbers                  

Raw Audit Messages            

node=tower10.home type=AVC msg=audit(1289270683.246:39981): avc:  denied  { execstack } for  pid=10801 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=tower10.home type=SYSCALL msg=audit(1289270683.246:39981): arch=40000003 syscall=125 success=no exit=-13 a0=bfbd1000 a1=1000 a2=1000007 a3=bfbca8d4 items=0 ppid=10782 pid=10801 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="firefox" exe="/usr/lib/firefox-3.6/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)


I have done a fresh install from the DVD, then a complete yum update. Installed the Oracle/Sun java, and get the SELinux messages.

I wish I could run without the Oracle/Sun java, but there are quite a few things that I need that don't work properly without it.

#setsebool -P allow_execstack 1


Will stop the check, or you could execute 

The chcon command specified in the alert.

*** Bug 597617 has been marked as a duplicate of this bug. ***

Hello,

I am seeing this bug for the first time today. I managed to hose my system this morning and did a complete fresh install of F14, followed by all the updates (the original system was F14 as well). After installing the nspluginwrapper, every time I start firefox, I get an SELinux AVC error stating that it is preventing /usr/lib64/nspluginwrapper/plugin-config from making the program stack executable. I have had the program stack executable problem previously with the java plugin for firefox and the adobe reader (for which I had , but not with the nspluginwrapper itself.

I notice that both the SELinux policy and the nspluginwrapper packages were updated quite recently:

nspluginwrapper 1.3.0-15.fc14 x86_64:

FEDORA-2010-17812

       Release : Fedora 14
          Type : bugfix
        Status : stable
        Issued : 2010-11-16 22:09:28
   Description : fixes cooperation with spice-xpi package.

Both selinux-policy and selinux-policy-targeted are 3.9.7-12.fc14:

FEDORA-2010-17968

       Release : Fedora 14
          Type : bugfix
        Status : stable
        Issued : 2010-11-19 21:55:12

Any help you can give me is appreciated. All google searches on this subject come up with older versions and other unrelated issues.

Thanks,

Erik

Simplest thing is to execute

#setsebool -P allow_execstack 1

Are you running the java plugin from oracle?

Hi Daniel,

Yes, I am using the java plugin from oracle. I have had to separately enable stack execution for the plugin as follows:

sudo chcon -t execmem_exec_t /usr/lib64/firefox-3.6/firefox

If I reset to the current SELinux policy for firefox, I get a separate AVC denail for firefox:

SELinux is preventing /usr/lib64/firefox-3.6/firefox from making the program
stack executable.

The problem I am reporting about here is specific to the nspluginwrapper. I was not getting any AVC denials for nspluginwrapper until I rebuilt my system on Saturday. Please note that prior to the rebuild I was most likely running with the previous versions of the wrapper and SELinux policy from what I listed above in my initial report.

Hope this information helps.

Many thanks for your reply and assistance,

Erik

Sorry guys I am a nubi, just installed a program called easylife. It download all the free and non free apps tho make fedura linux 14 user friendly and work with many different programs. After the install I keep getting this working. Is it a virus or is this normal. My biggest problem before I installed it was that I could not get the codes I needed to make flash work correctly. Now except for this problem everything works like a charm

Did you turn off the check using allow_execstack

setsebool -P allow_execstack 1

(In reply to comment #52)
> Did you turn off the check using allow_execstack
> 
> setsebool -P allow_execstack 1

Thanks Dan for the advise, it works fine now. I only hope that execstack are not tha major "security problem"

Well it allows an unconfined app to be more unconfined :^).  You have loosened the security a little over the default but not as much as if you had disabled SELinux altogether.  The problem is oracle/sun have decided to run java engine within the same process as firefox.  Since java requires execmem/execstack to run, we end up having to turn the permission off for either just firefox or for the entire user session.  This boolean does not effect any confined processes on your system.

(In reply to comment #54)
> ...not as much as if you had disabled SELinux altogether. 

I couldn't have say more

(In reply to comment #54)
The problem is oracle/sun have decided to run java engine
> within the same process as firefox.  Since java requires execmem/execstack to
> run, we end up having to turn the permission off for either just firefox or for
> the entire user session.  This boolean does not effect any confined processes
> on your system.
Anyway I hope that Oracle will find a solution to help to improve the system security.


But more, thanks for your reactivity and for your job

This bug has followed me from two versions of Fedora r13/r14 - it did not happen with the standard firefox load even after hours of use; but happened quite soon after installing some extensions / addons.

When it happens, it corrupts my video memory, causing the entire screen to become scrambled; I originally thought it was corrupting the heap; but the selinux report seems to suggest that it is trying to execute code on the stack (could still be a heap/stack over/under-run issue).

Here are the extensions/addons I have loaded.

Dom Inspector
FireBug
FireDownload
FlagFox
FoxyProxy
Personas
Tamper Data
World IP

My current suspect is Dom Inspector, as many of the extensions were running for quite a while before Dom Inspector was installed; and now I have disabled it to give FF a while to see if it will crash again corrupting my video driver...

You could look for the bad libraries using the 

find /usr/lib64 -name \*.so\* -exec execstack -q {} \; -print | grep ^X
find /lib64 -name \*.so\* -exec execstack -q {} \; -print | grep ^X