Summary: SELinux is preventing /usr/lib/firefox-3.6/firefox from loading /home/.../.mozilla/firefox/v....default/extensions/{340c2bbc-ce74-4362-90b5-7c26312808ef}/platform/Linux_x86-gcc3/components/WeaveCrypto.so which requires text relocation. Detailed Description: The firefox application attempted to load /home/...i/.mozilla/firefox/v....default/extensions/{340c2bbc-ce74-4362-90b5-7c26312808ef}/platform/Linux_x86-gcc3/components/WeaveCrypto.so which requires text relocation. This is a potential security problem. Most libraries do not need this permission. Libraries are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. You can configure SELinux temporarily to allow /home/../.mozilla/firefox/v....default/extensions/{340c2bbc-ce74-4362-90b5-7c26312808ef}/platform/Linux_x86-gcc3/components/WeaveCrypto.so to use relocation as a workaround, until the library is fixed. Please file a bug report. Allowing Access: If you trust /home/...i/.mozilla/firefox/v....default/extensions/{340c2bbc-ce74-4362-90b5-7c26312808ef}/platform/Linux_x86-gcc3/components/WeaveCrypto.so to run correctly, you can change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t '/home/.../.mozilla/firefox/v......default/extensions/{340c2bbc-ce74-4362-90b5-7c26312808ef}/platform/Linux_x86-gcc3/components/WeaveCrypto.so'" You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t textrel_shlib_t '/home/.../.mozilla/firefox/v....default/extensions/{340c2bbc-ce74-4362-90b5-7c26312808ef}/platform/Linux_x86-gcc3/components/WeaveCrypto.so'" Fix Command: chcon -t textrel_shlib_t '/home/.../.mozilla/firefox/v.....default/extensions/{340c2bbc-ce74-4362-90b5-7c26312808ef}/platform/Linux_x86-gcc3/components/WeaveCrypto.so' Additional Information: Source Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Context unconfined_u:object_r:mozilla_home_t:s0 Target Objects /home/.../.mozilla/firefox/v....default/ext ensions/{340c2bbc-ce74-4362-90b5-7c26312808ef}/pla tform/Linux_x86-gcc3/components/WeaveCrypto.so [ file ] Source firefox Source Path /usr/lib/firefox-3.6/firefox Port <Unknown> Host (removed) Source RPM Packages firefox-3.6.3-4.fc13 Target RPM Packages Policy RPM selinux-policy-3.7.19-10.fc13 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name allow_execmod Host Name (removed) Platform Linux (removed) 2.6.33.2-41.fc13.i686 #1 SMP Mon Apr 12 14:45:33 UTC 2010 i686 i686 Alert Count 1 First Seen Tue 04 May 2010 05:50:22 AM CEST Last Seen Tue 04 May 2010 05:50:22 AM CEST Local ID 3c33691b-580f-41f5-bcad-ad7e132ff0e8 Line Numbers Raw Audit Messages node=(removed) type=AVC msg=audit(1272945022.379:19124): avc: denied { execmod } for pid=2151 comm="firefox" path="/home/.../.mozilla/firefox/v.....default/extensions/{340c2bbc-ce74-4362-90b5-7c26312808ef}/platform/Linux_x86-gcc3/components/WeaveCrypto.so" dev=dm-1 ino=523752 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mozilla_home_t:s0 tclass=file node=(removed) type=SYSCALL msg=audit(1272945022.379:19124): arch=40000003 syscall=125 success=no exit=-13 a0=3e28000 a1=8000 a2=5 a3=bfe7b130 items=0 ppid=2137 pid=2151 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="firefox" exe="/usr/lib/firefox-3.6/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) Hash String generated from allow_execmod,firefox,unconfined_t,mozilla_home_t,file,execmod audit2allow suggests: #============= unconfined_t ============== #!!!! This avc can be allowed using the boolean 'allow_execmod' allow unconfined_t mozilla_home_t:file execmod;
Alert tells you what you can do. Or you can turn off the protection by executing setsebool -P allow_execmod 1
What is the solution to resolve this problem?
Turn off the check, # setsebool -P allow_execmod 1
I'm removing offending FireDownload extension (add-on)
(In reply to comment #3) > Turn off the check, > > # setsebool -P allow_execmod 1 Sorry,I've turned off the check,but firefox sync still encountered error as it used to be.
Please attach the latest avc message.
After reinstall sync ,it works well.AVC never alert me.
Just a note, the fix command in the AVC message was useless for me. However the 'setsebool -P allow_execmod 1' command does work for me. Maybe the message reported by AVC is a bug?
Darren, can you attach the latest AVC messages? getsebool allow_execmod ausearch -m avc -ts recent
I just installed Firefox Sync this morning on a fairly fresh install of F13, and was somewhat surprised to see Firefox Sync perform a full sync without any issues. Here's the details of my installation: [jwc@siskel files]$ uname -a Linux siskel.at-the-movies 2.6.33.5-124.fc13.i686 #1 SMP Fri Jun 11 09:48:40 UTC 2010 i686 i686 i386 GNU/Linux Firefox Sync version 1.3.1 on Firefox 3.6.4. [jwc@siskel files]$ sestatus SELinux status: enabled SELinuxfs mount: /selinux Current mode: enforcing Mode from config file: enforcing Policy version: 24 Policy from config file: targeted $ yum info selinux-policy: [snip] Name : selinux-policy Arch : noarch Version : 3.7.19 Release : 28.fc13 Let me know if you need any further info, but this issue appears to be fully resolved w/o any further action required.
Strangely, after getting an initial loading of bookmarks and passwords, I started getting the SE Linux error that others are getting.
See this Mozilla bug: https://bugzilla.mozilla.org/show_bug.cgi?id=508118
It seems to be fixed upstream, but in 3.7 alpha branch : could it be possible to backport the fix in the fedora current version (3.6) ? Or will fedora update to the 3.7 branch once it's stable ?
I've reported this to upstream Firefox, just to be sure. https://bugzilla.mozilla.org/show_bug.cgi?id=578347
Mozilla will not be fixing this bug for the 3.5/3.6 series, but someone from their team claims it will be fixed in the 4.0 betas / final. See https://bugzilla.mozilla.org/show_bug.cgi?id=578347#c4 for more info.
*** Bug 665559 has been marked as a duplicate of this bug. ***