Bug 608889 - SELinux is preventing /usr/lib64/firefox-3.6/firefox from making the program stack executable.
Status: CLOSED CANTFIX
Product: Fedora
Classification: Fedora
Component: firefox
Version: 14
Hardware: x86_64 Linux
Priority: low
Severity: medium
Assigned To: Gecko Maintainer
QA Contact: Fedora Extras Quality Assurance
setroubleshoot_trace_hash:bf2e1619856...
Reported: 2010-06-28 16:22 EDT by Kurt Driver
Modified: 2011-04-18 14:04 EDT
Doc Type: Bug Fix
Last Closed: 2010-11-22 12:04:39 EST

Description Kurt Driver 2010-06-28 16:22:05 EDT
Summary:

SELinux is preventing /usr/lib64/firefox-3.6/firefox from making the program
stack executable.

Detailed Description:

The firefox application attempted to make its stack executable. This is a
potential security problem. This should never ever be necessary. Stack memory is
not executable on most OSes these days and this will not change. Executable
stack memory is one of the biggest security problems. An execstack error might
in fact be most likely raised by malicious code. Applications are sometimes
coded incorrectly and request this permission. The SELinux Memory Protection
Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how
to remove this requirement. If firefox does not work and you need it to work,
you can configure SELinux temporarily to allow this access until the application
is fixed. Please file a bug report.

Allowing Access:

Sometimes a library is accidentally marked with the execstack flag, if you find
a library with this flag you can clear it with the execstack -c LIBRARY_PATH.
Then retry your application. If the app continues to not work, you can turn the
flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust firefox to
run correctly, you can change the context of the executable to execmem_exec_t.
"chcon -t execmem_exec_t '/usr/lib64/firefox-3.6/firefox'" You must also change
the default file context files on the system in order to preserve them even on a
full relabel. "semanage fcontext -a -t execmem_exec_t
'/usr/lib64/firefox-3.6/firefox'"

Fix Command:

chcon -t execmem_exec_t '/usr/lib64/firefox-3.6/firefox'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Objects                None [ process ]
Source                        ld-linux.so.2
Source Path                   /lib/ld-2.12.90.so
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           firefox-3.6.4-2.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.8.5-1.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   allow_execstack
Host Name                     (removed)
Platform                      Linux (removed) 2.6.34-14.fc14.x86_64 #1 SMP Mon May
                              31 14:27:09 UTC 2010 x86_64 x86_64
Alert Count                   79
First Seen                    Mon 14 Jun 2010 02:28:45 PM PDT
Last Seen                     Mon 28 Jun 2010 01:20:04 PM PDT
Local ID                      03107ffb-a1d3-4c8b-b7c1-faf7803b26fc
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1277756404.66:46361): avc:  denied  { execstack } for  pid=1553 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=(removed) type=SYSCALL msg=audit(1277756404.66:46361): arch=c000003e syscall=10 success=no exit=-13 a0=7fff58e06000 a1=1000 a2=1000007 a3=3971c1b574 items=0 ppid=1535 pid=1553 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="firefox" exe="/usr/lib64/firefox-3.6/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  allow_execstack,ld-linux.so.2,unconfined_t,unconfined_t,process,execstack
audit2allow suggests:

#============= unconfined_t ==============
#!!!! This avc can be allowed using the boolean 'allow_execstack'

allow unconfined_t self:process execstack;
Comment 1 Bug Zapper 2010-07-30 08:17:02 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 14 development cycle.
Changing version to '14'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 2 Nicholas Kudriavtsev 2010-11-20 06:20:42 EST
Seems it happens when Firefox initializes the Sun Java plugin.
Comment 3 Daniel Walsh 2010-11-22 12:04:39 EST
If you are using this plugin, turn off the check.

# setsebool -P allow_execstack 1
Comment 4 Bruce-Robert Pocock 2010-11-22 12:13:45 EST
I'm sure there's someplace I could RTFM, but perhaps someone could point me in the proper direction, here…

 * Is there a clear way to determine which plugin is responsible for this?

 * Is there a way to disable this check for a particular plugin only, e.g. keeping Firefox itself and other plugins constrained properly?
Comment 5 Nicholas Kudriavtsev 2010-11-22 12:42:51 EST
(In reply to comment #4)
>  * Is there a clear way to determine which plugin is responsible for this?
Remove the plugin library, or the link to the plugin library, from /usr/lib64/mozilla/plugins, then check out the configuration.

However, there was no such error in Fedora 13... Also, Chrome does not produce the SELinux warning with the Sun Java plugin.
Comment 6 Daniel Walsh 2010-11-22 13:15:12 EST
If you are using the Java plugin from Oracle, this could happen also.
Comment 7 Raivo Kask 2010-11-22 15:46:07 EST
I use Bibble 5 Pro (http://bibblelabs.com/products/bibble5/) and receive the following:

Summary:

SELinux is preventing /lib/ld-2.12.90.so from making the program stack
executable.

Detailed Description:

The ld-linux.so.2 application attempted to make its stack executable. This is a
potential security problem. This should never ever be necessary. Stack memory is
not executable on most OSes these days and this will not change. Executable
stack memory is one of the biggest security problems. An execstack error might
in fact be most likely raised by malicious code. Applications are sometimes
coded incorrectly and request this permission. The SELinux Memory Protection
Tests (http://www.akkadia.org/drepper/selinux-mem.html) web page explains how to
remove this requirement. If ld-linux.so.2 does not work and you need it to work,
you can configure SELinux temporarily to allow this access until the application
is fixed. Please file a bug report.

Allowing Access:

Sometimes a library is accidentally marked with the execstack flag, if you find
a library with this flag you can clear it with the execstack -c LIBRARY_PATH.
Then retry your application. If the app continues to not work, you can turn the
flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust
ld-linux.so.2 to run correctly, you can change the context of the executable to
execmem_exec_t. "chcon -t execmem_exec_t '/lib/ld-2.12.90.so'" You must also
change the default file context files on the system in order to preserve them
even on a full relabel. "semanage fcontext -a -t execmem_exec_t
'/lib/ld-2.12.90.so'"

Fix Command:

chcon -t execmem_exec_t '/lib/ld-2.12.90.so'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Objects                None [ process ]
Source                        ld-linux.so.2
Source Path                   /lib/ld-2.12.90.so
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           glibc-2.12.90-19
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-12.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   allow_execstack
Host Name                     (removed)
Platform                      Linux zkab 2.6.35.6-48.fc14.x86_64 #1 SMP Fri Oct
                              22 15:36:08 UTC 2010 x86_64 x86_64
Alert Count                   3
First Seen                    Mon 22 Nov 2010 09:18:22 PM CET
Last Seen                     Mon 22 Nov 2010 09:33:50 PM CET
Local ID                      3cfb3e61-0751-4546-a12c-13d51d575320
Line Numbers                  

Raw Audit Messages            

node=zkab type=AVC msg=audit(1290458030.534:120): avc:  denied  { execstack } for  pid=16052 comm="ld-linux.so.2" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=zkab type=SYSCALL msg=audit(1290458030.534:120): arch=40000003 syscall=125 success=no exit=-13 a0=ffecc000 a1=1000 a2=1000007 a3=ffecc874 items=0 ppid=16051 pid=16052 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="ld-linux.so.2" exe="/lib/ld-2.12.90.so" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
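
Added example (not part of the reports above): decoding the two SYSCALL records shows that both denials are the same operation, an mprotect() call asking for PROT_EXEC together with PROT_GROWSDOWN on one stack page, made through the x86_64 ABI in the Firefox report and the i386 ABI in the Bibble report. The syscall numbers and flag values are the standard Linux ones; the function names are illustrative.

```python
import re

# audit "arch" value -> (ABI name, mprotect syscall number on that ABI)
MPROTECT = {0xC000003E: ("x86_64", 10), 0x40000003: ("i386", 125)}
PROT_BITS = [(0x1, "PROT_READ"), (0x2, "PROT_WRITE"), (0x4, "PROT_EXEC"),
             (0x01000000, "PROT_GROWSDOWN"), (0x02000000, "PROT_GROWSUP")]
EACCES = 13

def parse_fields(record):
    """Split an audit record into key=value fields, stripping quotes."""
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', record)
    return {key: value.strip('"') for key, value in pairs}

def decode_mprotect(record):
    """Describe a SYSCALL record if it is an mprotect call, else return None."""
    f = parse_fields(record)
    if f.get("type") != "SYSCALL":
        return None
    abi, number = MPROTECT.get(int(f["arch"], 16), (None, None))
    if abi is None or int(f["syscall"]) != number:
        return None
    prot = int(f["a2"], 16)                  # a0..a3 are logged in hex
    return {
        "abi": abi,
        "exe": f["exe"],
        "addr": int(f["a0"], 16),
        "length": int(f["a1"], 16),
        "prot": [name for bit, name in PROT_BITS if prot & bit],
        "denied": f["success"] == "no" and int(f["exit"]) == -EACCES,
    }

# The two SYSCALL records from the reports above, abridged to the fields used.
RECORDS = [
    'type=SYSCALL msg=audit(1277756404.66:46361): arch=c000003e syscall=10 '
    'success=no exit=-13 a0=7fff58e06000 a1=1000 a2=1000007 a3=3971c1b574 '
    'comm="firefox" exe="/usr/lib64/firefox-3.6/firefox"',
    'type=SYSCALL msg=audit(1290458030.534:120): arch=40000003 syscall=125 '
    'success=no exit=-13 a0=ffecc000 a1=1000 a2=1000007 a3=ffecc874 '
    'comm="ld-linux.so.2" exe="/lib/ld-2.12.90.so"',
]

if __name__ == "__main__":
    for rec in RECORDS:
        print(decode_mprotect(rec))
```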
Comment 8 Daniel Walsh 2010-11-22 17:31:31 EST
You could look for libraries that are marked as requiring execstack:

# find /lib -exec execstack -q {} \; -print 2> /dev/null | grep ^X 
# find /usr/lib -exec execstack -q {} \; -print 2> /dev/null | grep ^X 

or

# find /lib64 -exec execstack -q {} \; -print 2> /dev/null | grep ^X 
# find /usr/lib64 -exec execstack -q {} \; -print 2> /dev/null | grep ^X
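
Added example (not from the thread or from the execstack tool): a Python reader for the PT_GNU_STACK program header that reports the same X / - / ? markers as `execstack -q` and can be pointed at any directory, for instance a plugin directory, rather than only the library paths searched above. Unlike `grep ^X`, `scan` also keeps objects that carry no marker at all ('?'). Function names are illustrative.

```python
import os
import struct
import sys

PT_GNU_STACK = 0x6474E551   # program header type carrying the stack permissions
PF_X = 0x1                  # "executable" bit in p_flags

def stack_marker(data):
    """Classify ELF bytes like `execstack -q`: 'X' executable stack requested,
    '-' not requested, '?' no PT_GNU_STACK header; None if not an ELF file."""
    if len(data) < 64 or data[:4] != b"\x7fELF" or data[4] not in (1, 2):
        return None
    end = "<" if data[5] == 1 else ">"           # EI_DATA: 1 = little endian
    # (e_phoff format, e_phoff offset, e_phentsize offset, p_flags offset in a phdr)
    layout = ("Q", 32, 54, 4) if data[4] == 2 else ("I", 28, 42, 24)
    fmt, phoff_at, phent_at, flags_off = layout  # ELF64 vs ELF32 field positions
    (phoff,) = struct.unpack_from(end + fmt, data, phoff_at)
    phentsize, phnum = struct.unpack_from(end + "HH", data, phent_at)
    for i in range(phnum):
        base = phoff + i * phentsize
        if base + flags_off + 4 > len(data):     # truncated header table
            break
        (p_type,) = struct.unpack_from(end + "I", data, base)
        if p_type == PT_GNU_STACK:
            (p_flags,) = struct.unpack_from(end + "I", data, base + flags_off)
            return "X" if p_flags & PF_X else "-"
    return "?"

def scan(root):
    """Map path -> marker for every ELF file under root whose marker is not '-'."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):         # skip FIFOs, sockets, devices
                continue
            try:
                with open(path, "rb") as fh:
                    marker = stack_marker(fh.read())
            except OSError:                      # unreadable file: ignore
                continue
            if marker in ("X", "?"):
                hits[path] = marker
    return hits

if __name__ == "__main__":
    for root in sys.argv[1:]:
        for path, marker in sorted(scan(root).items()):
            print(marker, path)
```

On x86, glibc treats an object that has no PT_GNU_STACK header as requiring an executable stack, so '?' results are worth reviewing as well as 'X' ones.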
Comment 9 Raivo Kask 2010-11-23 05:30:43 EST
The commands gave no output.
Comment 10 Daniel Walsh 2010-11-23 09:40:53 EST
Well then you either need to change the label of firefox or turn off the check.
Comment 11 Raivo Kask 2010-11-23 10:49:34 EST
OK - I will turn off the check
Comment 12 James Hobbs 2010-12-07 16:24:59 EST
I have also submitted the same bug, but wanted to note that it happens when I start Bibble 5 Pro, as reported above by Raivo.
