Bug 613422 - SELinux is preventing firefox from making its memory writable and executable.
Summary: SELinux is preventing firefox from making its memory writable and executable.
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy   
(Show other bugs)
Version: 13
Hardware: i386 Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:3e93a2d9b8a...
Depends On:
TreeView+ depends on / blocked
Reported: 2010-07-11 13:20 UTC by Hicham HAOUARI
Modified: 2010-07-12 10:44 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2010-07-12 10:44:11 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Hicham HAOUARI 2010-07-11 13:20:44 UTC

SELinux is preventing firefox from making its memory writable and executable.

Detailed Description:

The firefox application attempted to change the access protection of memory
(e.g., allocated using malloc). This is a potential security problem. Firefox is
probably not the problem here ,but one of its plugins. You could remove the
plugin and the app would no longer require the access. If you figure out which
plugin is causing the access request, please open a bug report on the plugin.

Allowing Access:

There are two ways to fix this problem, you can install the nsspluginwrapper
package, which will cause firefox to run its plugins under a separate process.
This process will allow the execmem access. This is the safest choice. You could
also turn off the allow_unconfined_nsplugin_transition boolean.
setsebool -P allow_unconfined_nsplugin_transition=0

Fix Command:

yum install nspluginwrapper

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
Target Objects                None [ process ]
Source                        firefox
Source Path                   /usr/lib/firefox-3.6/firefox
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           firefox-3.6.4-2.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.8.6-1.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   firefox
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.35-0.31.rc4.git4.fc14.i686 #1 SMP Fri Jul 9
                              01:25:41 UTC 2010 i686 i686
Alert Count                   2
First Seen                    Sun 11 Jul 2010 02:14:19 PM WEST
Last Seen                     Sun 11 Jul 2010 02:19:28 PM WEST
Local ID                      52a829b9-ae43-4417-8125-3d7b444414d9
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1278854368.655:18717): avc:  denied  { execmem } for  pid=2048 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=(removed) type=SYSCALL msg=audit(1278854368.655:18717): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=10000 a2=7 a3=22 items=0 ppid=2031 pid=2048 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="firefox" exe="/usr/lib/firefox-3.6/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Hash String generated from  firefox,firefox,unconfined_t,unconfined_t,process,execmem
audit2allow suggests:

#============= unconfined_t ==============
#!!!! This avc can be allowed using one of the these booleans:
#     allow_execstack, allow_execstack

allow unconfined_t self:process execmem;

Comment 1 Miroslav Grepl 2010-07-12 10:44:11 UTC
Could you fully update your system.

Note You need to log in before you can comment on or make changes to this bug.