Description of problem: SELinux is preventing firefox from making its memory writable and executable. I'm running selinux is permissive mode, but for those who use 'strict mode' firefox can't be launched. Version-Release number of selected component (if applicable): libselinux-2.0.96-2.fc14.i686 libselinux-python-2.0.96-2.fc14.i686 libselinux-utils-2.0.96-2.fc14.i686 selinux-policy-3.8.5-1.fc14.noarch selinux-policy-targeted-3.8.5-1.fc14.noarch How reproducible: Always Steps to Reproduce: 1. Click on firefox icon or launch firefox from terminal 2. 3. Actual results: SELinux show an alert. Expected results: SELinux doesn't show an alert. Additional info: Summary: SELinux is preventing firefox from making its memory writable and executable. Detailed Description: [SELinux is in permissive mode. This access was not denied.] The firefox application attempted to change the access protection of memory (e.g., allocated using malloc). This is a potential security problem. Firefox is probably not the problem here ,but one of its plugins. You could remove the plugin and the app would no longer require the access. If you figure out which plugin is causing the access request, please open a bug report on the plugin. Allowing Access: There are two ways to fix this problem, you can install the nsspluginwrapper package, which will cause firefox to run its plugins under a separate process. This process will allow the execmem access. This is the safest choice. You could also turn off the allow_unconfined_nsplugin_transition boolean. setsebool -P allow_unconfined_nsplugin_transition=0 Fix Command: yum install nspluginwrapper Additional Information: Source Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Objects None [ process ] Source firefox Source Path /usr/lib/firefox-3.6/firefox Port <Unknown> Host (removed) Source RPM Packages firefox-3.6.4-2.fc14 Target RPM Packages Policy RPM selinux-policy-3.8.5-1.fc14 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Plugin Name firefox Host Name (removed) Platform Linux (removed) 2.6.35-0.2.rc3.git0.fc14.i686 #1 SMP Wed Jun 23 00:02:17 UTC 2010 i686 i686 Alert Count 2 First Seen Sun 27 Jun 2010 10:06:33 AM CET Last Seen Sun 27 Jun 2010 10:06:33 AM CET Local ID 73019537-da1c-4609-b4ac-40396d23b7a9 Line Numbers Raw Audit Messages node=(removed) type=AVC msg=audit(1277629593.395:17270): avc: denied { execmem } for pid=1967 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process node=(removed) type=SYSCALL msg=audit(1277629593.395:17270): arch=40000003 syscall=192 success=yes exit=115331072 a0=0 a1=10000 a2=7 a3=22 items=0 ppid=1950 pid=1967 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="firefox" exe="/usr/lib/firefox-3.6/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
i meant with 'strict mode' -> 'enforcing mode'
ls -lZ /usr/lib/firefox-3.6/firefox
ls -lZ /usr/lib/firefox-3.6/firefox -rwxr-xr-x. root root system_u:object_r:mozilla_exec_t:s0 /usr/lib/firefox-3.6/firefox
This bug appears to have been reported against 'rawhide' during the Fedora 14 development cycle. Changing version to '14'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
*** This bug has been marked as a duplicate of bug 597858 ***