Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 588606 - SELinux is preventing /usr/lib/firefox-3.6/firefox from loading /home/.../.mozilla/firefox/v....default/extensions/{340c2bbc-ce74-4362-90b5-7c26312808ef}/platform/Linux_x86-gcc3/components/WeaveCrypto.so which requires text relocation.
Summary: SELinux is preventing /usr/lib/firefox-3.6/firefox from loading /home/.../.mo...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 13
Hardware: i386
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:e6154190bb8...
: 665559 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-05-04 04:02 UTC by Luca Botti
Modified: 2011-05-30 15:45 UTC (History)
105 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-05-04 17:29:47 UTC
Type: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Luca Botti 2010-05-04 04:02:07 UTC 
Summary:

SELinux is preventing /usr/lib/firefox-3.6/firefox from loading
/home/.../.mozilla/firefox/v....default/extensions/{340c2bbc-ce74-4362-90b5-7c26312808ef}/platform/Linux_x86-gcc3/components/WeaveCrypto.so
which requires text relocation.

Detailed Description:

The firefox application attempted to load
/home/...i/.mozilla/firefox/v....default/extensions/{340c2bbc-ce74-4362-90b5-7c26312808ef}/platform/Linux_x86-gcc3/components/WeaveCrypto.so
which requires text relocation. This is a potential security problem. Most
libraries do not need this permission. Libraries are sometimes coded incorrectly
and request this permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. You can configure SELinux temporarily to allow
/home/../.mozilla/firefox/v....default/extensions/{340c2bbc-ce74-4362-90b5-7c26312808ef}/platform/Linux_x86-gcc3/components/WeaveCrypto.so
to use relocation as a workaround, until the library is fixed. Please file a bug
report.

Allowing Access:

If you trust
/home/...i/.mozilla/firefox/v....default/extensions/{340c2bbc-ce74-4362-90b5-7c26312808ef}/platform/Linux_x86-gcc3/components/WeaveCrypto.so
to run correctly, you can change the file context to textrel_shlib_t. "chcon -t
textrel_shlib_t
'/home/.../.mozilla/firefox/v......default/extensions/{340c2bbc-ce74-4362-90b5-7c26312808ef}/platform/Linux_x86-gcc3/components/WeaveCrypto.so'"
You must also change the default file context files on the system in order to
preserve them even on a full relabel. "semanage fcontext -a -t textrel_shlib_t
'/home/.../.mozilla/firefox/v....default/extensions/{340c2bbc-ce74-4362-90b5-7c26312808ef}/platform/Linux_x86-gcc3/components/WeaveCrypto.so'"

Fix Command:

chcon -t textrel_shlib_t
'/home/.../.mozilla/firefox/v.....default/extensions/{340c2bbc-ce74-4362-90b5-7c26312808ef}/platform/Linux_x86-gcc3/components/WeaveCrypto.so'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Context                unconfined_u:object_r:mozilla_home_t:s0
Target Objects                /home/.../.mozilla/firefox/v....default/ext
                              ensions/{340c2bbc-ce74-4362-90b5-7c26312808ef}/pla
                              tform/Linux_x86-gcc3/components/WeaveCrypto.so [
                              file ]
Source                        firefox
Source Path                   /usr/lib/firefox-3.6/firefox
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           firefox-3.6.3-4.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-10.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   allow_execmod
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33.2-41.fc13.i686 #1
                              SMP Mon Apr 12 14:45:33 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Tue 04 May 2010 05:50:22 AM CEST
Last Seen                     Tue 04 May 2010 05:50:22 AM CEST
Local ID                      3c33691b-580f-41f5-bcad-ad7e132ff0e8
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1272945022.379:19124): avc:  denied  { execmod } for  pid=2151 comm="firefox" path="/home/.../.mozilla/firefox/v.....default/extensions/{340c2bbc-ce74-4362-90b5-7c26312808ef}/platform/Linux_x86-gcc3/components/WeaveCrypto.so" dev=dm-1 ino=523752 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mozilla_home_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1272945022.379:19124): arch=40000003 syscall=125 success=no exit=-13 a0=3e28000 a1=8000 a2=5 a3=bfe7b130 items=0 ppid=2137 pid=2151 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="firefox" exe="/usr/lib/firefox-3.6/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  allow_execmod,firefox,unconfined_t,mozilla_home_t,file,execmod
audit2allow suggests:

#============= unconfined_t ==============
#!!!! This avc can be allowed using the boolean 'allow_execmod'

allow unconfined_t mozilla_home_t:file execmod;
Comment 1 Daniel Walsh 2010-05-04 17:29:47 UTC 
Alert tells you what you can do.  Or you can turn off the protection by executing

setsebool -P allow_execmod 1
Comment 2 Sylvain Van Hoof 2010-06-01 16:11:23 UTC 
What is the solution to resolve this problem?
Comment 3 Daniel Walsh 2010-06-01 19:27:54 UTC 
Turn off the check,

# setsebool -P allow_execmod 1
Comment 4 don_dietz 2010-06-10 02:20:05 UTC 
I'm removing offending FireDownload extension (add-on)
Comment 5 ire_solas 2010-06-10 15:26:27 UTC 
(In reply to comment #3)
> Turn off the check,
> 
> # setsebool -P allow_execmod 1    

Sorry,I've turned off the check,but firefox sync still encountered error as it used to be.
Comment 6 Daniel Walsh 2010-06-16 15:18:13 UTC 
Please attach the latest avc message.
Comment 7 ire_solas 2010-06-17 14:03:14 UTC 
After reinstall sync ,it works well.AVC never alert me.
Comment 8 Darren LaChausse 2010-06-20 19:29:31 UTC 
Just a note, the fix command in the AVC message was useless for me.  However the 'setsebool -P allow_execmod 1' command does work for me.  Maybe the message reported by AVC is a bug?
Comment 9 Daniel Walsh 2010-06-21 15:34:51 UTC 
Darren, can you attach the latest AVC messages?

getsebool allow_execmod

ausearch -m avc -ts recent
Comment 10 Jim Campbell 2010-06-26 13:28:34 UTC 
I just installed Firefox Sync this morning on a fairly fresh install of F13, and was somewhat surprised to see Firefox Sync perform a full sync without any issues.  Here's the details of my installation:

[jwc@siskel files]$ uname -a
Linux siskel.at-the-movies 2.6.33.5-124.fc13.i686 #1 SMP Fri Jun 11 09:48:40 UTC 2010 i686 i686 i386 GNU/Linux

Firefox Sync version 1.3.1 on Firefox 3.6.4.  

[jwc@siskel files]$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

$ yum info selinux-policy:
[snip]
Name       : selinux-policy
Arch       : noarch
Version    : 3.7.19
Release    : 28.fc13

Let me know if you need any further info, but this issue appears to be fully resolved w/o any further action required.
Comment 11 Jim Campbell 2010-06-30 15:06:11 UTC 
Strangely, after getting an initial loading of bookmarks and passwords, I started getting the SE Linux error that others are getting.
Comment 12 Joel James Adamson 2010-07-07 18:22:40 UTC 
See this Mozilla bug:

https://bugzilla.mozilla.org/show_bug.cgi?id=508118
Comment 13 Vincent Panel 2010-07-16 17:52:29 UTC 
It seems to be fixed upstream, but in 3.7 alpha branch : could it be possible to backport the fix in the fedora current version (3.6) ? Or will fedora update to the 3.7 branch once it's stable ?
Comment 14 Jim Campbell 2010-07-26 14:53:44 UTC 
I've reported this to upstream Firefox, just to be sure.

https://bugzilla.mozilla.org/show_bug.cgi?id=578347
Comment 15 Jim Campbell 2010-08-10 18:49:42 UTC 
Mozilla will not be fixing this bug for the 3.5/3.6 series, but someone from their team claims it will be fixed in the 4.0 betas / final.   

See https://bugzilla.mozilla.org/show_bug.cgi?id=578347#c4 for more info.
Comment 16 Jerry Amundson 2011-05-30 15:45:59 UTC 
*** Bug 665559 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.