Summary:

SELinux is preventing /usr/lib64/firefox-3.6/firefox from making the program stack executable.

Detailed Description:

The firefox application attempted to make its stack executable. This is a potential security problem. This should never ever be necessary. Stack memory is not executable on most OSes these days and this will not change. Executable stack memory is one of the biggest security problems. An execstack error might in fact be most likely raised by malicious code. Applications are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. If firefox does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a bug report.

Allowing Access:

Sometimes a library is accidentally marked with the execstack flag, if you find a library with this flag you can clear it with the execstack -c LIBRARY_PATH. Then retry your application. If the app continues to not work, you can turn the flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust firefox to run correctly, you can change the context of the executable to execmem_exec_t. "chcon -t execmem_exec_t '/usr/lib64/firefox-3.6/firefox'" You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t execmem_exec_t '/usr/lib64/firefox-3.6/firefox'"

Fix Command:

chcon -t execmem_exec_t '/usr/lib64/firefox-3.6/firefox'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                None [ process ]
Source                        ld-linux.so.2
Source Path                   /lib/ld-2.12.90.so
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           firefox-3.6.4-2.fc14
Target RPM Packages
Policy RPM                    selinux-policy-3.8.5-1.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   allow_execstack
Host Name                     (removed)
Platform                      Linux (removed) 2.6.34-14.fc14.x86_64 #1 SMP Mon May 31 14:27:09 UTC 2010 x86_64 x86_64
Alert Count                   79
First Seen                    Mon 14 Jun 2010 02:28:45 PM PDT
Last Seen                     Mon 28 Jun 2010 01:20:04 PM PDT
Local ID                      03107ffb-a1d3-4c8b-b7c1-faf7803b26fc
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1277756404.66:46361): avc: denied { execstack } for pid=1553 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=(removed) type=SYSCALL msg=audit(1277756404.66:46361): arch=c000003e syscall=10 success=no exit=-13 a0=7fff58e06000 a1=1000 a2=1000007 a3=3971c1b574 items=0 ppid=1535 pid=1553 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="firefox" exe="/usr/lib64/firefox-3.6/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Hash String generated from  allow_execstack,ld-linux.so.2,unconfined_t,unconfined_t,process,execstack
audit2allow suggests:

#============= unconfined_t ==============
#!!!! This avc can be allowed using the boolean 'allow_execstack'
allow unconfined_t self:process execstack;
This bug appears to have been reported against 'rawhide' during the Fedora 14 development cycle. Changing version to '14'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Seems it happens when Firefox initializes Sun Java plugin.
If you are using this plugin, turn off the check.

# setsebool -P allow_execstack 1
I'm sure there's someplace I could RTFM, but perhaps someone could point me in the proper direction, here…

* Is there a clear way to determine which plugin is responsible for this?
* Is there a way to disable this check for a particular plugin only, e.g. keeping Firefox itself and other plugins constrained properly?
(In reply to comment #4)
> * Is there a clear way to determine which plugin is responsible for this?

Remove plugin library or link to plugin library from /usr/lib64/mozilla/plugins, then check out the configuration. However there was no such error in Fedora 13... Also Chrome does not produce the selinux warning with Sun Java plugin.
If you are using the java plugin from oracle, this could happen also.
I use Bibble 5 Pro (http://bibblelabs.com/products/bibble5/) and receive following:

Summary:

SELinux is preventing /lib/ld-2.12.90.so from making the program stack executable.

Detailed Description:

The ld-linux.so.2 application attempted to make its stack executable. This is a potential security problem. This should never ever be necessary. Stack memory is not executable on most OSes these days and this will not change. Executable stack memory is one of the biggest security problems. An execstack error might in fact be most likely raised by malicious code. Applications are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://www.akkadia.org/drepper/selinux-mem.html) web page explains how to remove this requirement. If ld-linux.so.2 does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a bug report.

Allowing Access:

Sometimes a library is accidentally marked with the execstack flag, if you find a library with this flag you can clear it with the execstack -c LIBRARY_PATH. Then retry your application. If the app continues to not work, you can turn the flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust ld-linux.so.2 to run correctly, you can change the context of the executable to execmem_exec_t. "chcon -t execmem_exec_t '/lib/ld-2.12.90.so'" You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t execmem_exec_t '/lib/ld-2.12.90.so'"

Fix Command:

chcon -t execmem_exec_t '/lib/ld-2.12.90.so'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                None [ process ]
Source                        ld-linux.so.2
Source Path                   /lib/ld-2.12.90.so
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           glibc-2.12.90-19
Target RPM Packages
Policy RPM                    selinux-policy-3.9.7-12.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   allow_execstack
Host Name                     (removed)
Platform                      Linux zkab 2.6.35.6-48.fc14.x86_64 #1 SMP Fri Oct 22 15:36:08 UTC 2010 x86_64 x86_64
Alert Count                   3
First Seen                    Mon 22 Nov 2010 09:18:22 PM CET
Last Seen                     Mon 22 Nov 2010 09:33:50 PM CET
Local ID                      3cfb3e61-0751-4546-a12c-13d51d575320
Line Numbers

Raw Audit Messages

node=zkab type=AVC msg=audit(1290458030.534:120): avc: denied { execstack } for pid=16052 comm="ld-linux.so.2" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=zkab type=SYSCALL msg=audit(1290458030.534:120): arch=40000003 syscall=125 success=no exit=-13 a0=ffecc000 a1=1000 a2=1000007 a3=ffecc874 items=0 ppid=16051 pid=16052 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="ld-linux.so.2" exe="/lib/ld-2.12.90.so" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
You could look for libraries that are marked as requiring execstack

# find /lib -exec execstack -q {} \; -print 2> /dev/null | grep ^X
# find /usr/lib -exec execstack -q {} \; -print 2> /dev/null | grep ^X

or

# find /lib64 -exec execstack -q {} \; -print 2> /dev/null | grep ^X
# find /usr/lib64 -exec execstack -q {} \; -print 2> /dev/null | grep ^X
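The find/execstack scan above reads the PT_GNU_STACK program header of each ELF object. As an added example that is not part of this bug report, the following Python script does the same check directly for both the 32-bit (ld-linux.so.2) and 64-bit objects seen in the two alerts, reporting X, - or ? like execstack -q; the function names and the constructed minimal ELF64 image used for self-testing are assumptions, and '?' (no PT_GNU_STACK header at all) is worth reviewing too, because the loader then falls back to an executable stack on x86.

```python
"""Check the PT_GNU_STACK program header of ELF objects, the flag execstack -q reports."""
import struct
import sys
from pathlib import Path

PT_GNU_STACK = 0x6474E551  # p_type that carries the stack permission request
PF_X = 0x1                 # executable bit in p_flags


def stack_flag(data: bytes) -> str:
    """Return 'X' (exec stack requested), '-' (not requested) or '?' (no PT_GNU_STACK header)."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                 # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little endian, 2 = big endian
    phoff_off, phoff_fmt, phnum_off = (32, "Q", 54) if is64 else (28, "I", 42)
    phoff = struct.unpack_from(end + phoff_fmt, data, phoff_off)[0]     # e_phoff
    phentsize, phnum = struct.unpack_from(end + "HH", data, phnum_off)  # e_phentsize, e_phnum
    for i in range(phnum):
        off = phoff + i * phentsize
        if struct.unpack_from(end + "I", data, off)[0] != PT_GNU_STACK:
            continue
        # p_flags follows p_type in ELF64 but sits at offset 24 in ELF32
        flags = struct.unpack_from(end + "I", data, off + (4 if is64 else 24))[0]
        return "X" if flags & PF_X else "-"
    return "?"


def scan(roots) -> dict:
    """Map every ELF file under the given directories to its stack flag (non-ELF files skipped)."""
    result = {}
    for root in roots:
        for p in Path(root).rglob("*"):
            if p.is_symlink() or not p.is_file():
                continue
            try:
                with p.open("rb") as fh:   # program headers sit at the start of the file
                    result[str(p)] = stack_flag(fh.read(1 << 20))
            except (ValueError, OSError, struct.error):
                continue
    return result


def build_sample_elf64(p_flags: int, p_type: int = PT_GNU_STACK) -> bytes:
    """Constructed minimal x86_64 ET_DYN image with one program header (test data only)."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    return ehdr + struct.pack("<IIQQQQQQ", p_type, p_flags, 0, 0, 0, 0, 0, 16)


if __name__ == "__main__":
    for path, flag in sorted(scan(sys.argv[1:] or ["/lib64", "/usr/lib64"]).items()):
        if flag != "-":
            print(flag, path)
```

Run it with the directories to inspect as arguments, e.g. /lib /usr/lib on the 32-bit side, to list objects that request or default to an executable stack.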
The commands gave no output
Well then you either need to change the label of firefox or turn off the check.
OK - I will turn off the check
Have also submitted same bug but wanted to note it happens when I start Bibble 5 pro as reported above by Raivo