Bug 632523 - firefox segfaults when executed in sandbox without proper selinux context
firefox segfaults when executed in sandbox without proper selinux context
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: firefox (Show other bugs)
6.0
All Linux
low Severity low
: rc
: ---
Assigned To: Martin Stransky
Karel Srot
: SELinux, Triaged
Depends On: 629274
Blocks:
  Show dependency treegraph
 
Reported: 2010-09-10 04:47 EDT by Karel Srot
Modified: 2014-01-16 08:47 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-01-16 08:47:08 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
abrt crash info (20.56 KB, text/plain)
2010-09-10 04:47 EDT, Karel Srot
no flags Details
backtrace from F14 (32.97 KB, text/plain)
2010-09-13 15:24 EDT, Matěj Cepl
no flags Details

  None (edit)
Description Karel Srot 2010-09-10 04:47:15 EDT
Created attachment 446461 [details]
abrt crash info

Description of problem:
I know this is a bit obscure situation,...

firefox segfaults when executed in sandbox without proper selinux context.


Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1. yum install policycoreutils-sandbox
2. sandbox -X /usr/lib64/firefox-3.6/firefox

  
Actual results:
$ sandbox -X /usr/lib64/firefox-3.6/firefox
/home/ksrot/.sandboxrc: line 6:  7505 Segmentation fault      (core dumped) dbus-launch --exit-with-session /usr/lib64/firefox-3.6/firefox
Hangup


Expected results:
graceful exit?

Additional info:
see attached file
Comment 1 Matěj Cepl 2010-09-13 12:57:09 EDT
Thank you for taking the time to report this bug report. Unfortunately, that stack trace is not very useful in determining the cause of the crash, because there are no debugging symbols loaded (probably abrt failed to load them).

Unfortunately, we cannot use this backtrace.

Unless SELinux guys will see something they should do, closing as INSUFFICIENT_DATA.
Comment 2 Eric Paris 2010-09-13 13:34:59 EDT
I can reproduce it as well.  It's not an selinux policy bug if firefox segfaults.  I'm not sure how to collect the core though....
Comment 3 Daniel Walsh 2010-09-13 14:39:46 EDT
It most likely is happening when firefox attempts to connect to the network.  Since this is the biggest difference between sandbox_web_t and sandbox_t.

If you run sandbox -X firefox it is launched as sandbox_t and has NO network access, all connect calls will get permission denied.
Comment 4 Matěj Cepl 2010-09-13 15:15:38 EDT
(In reply to comment #3)
> It most likely is happening when firefox attempts to connect to the network. 
> Since this is the biggest difference between sandbox_web_t and sandbox_t.
> 
> If you run sandbox -X firefox it is launched as sandbox_t and has NO network
> access, all connect calls will get permission denied.

This is what we are talking about, right?


Souhrn:

SELinux is preventing /usr/bin/setarch "module_request" access on <Unknown>.

Podrobný popis:

[linux32 je v toleratním režimu (sandbox_x_client_t). Přístup byl povolen.]

SELinux denied access requested by linux32. The current boolean settings do not
allow this access. If you have not setup linux32 to require this access this may
signal an intrusion attempt. If you do intend this access you need to change the
booleans on this system to allow the access.

Povolení přístupu:

Confined processes can be configured to run requiring different access, SELinux
provides booleans to allow you to turn on/off access as needed. The boolean
domain_kernel_load_modules is set incorrectly.
Boolean Description:
Allow all domains to have the kernel load modules


Příkaz pro opravu:

# setsebool -P domain_kernel_load_modules 1

Další informace:

Kontext zdroje                unconfined_u:unconfined_r:sandbox_x_client_t:s0:c8
                              66,c883
Kontext cíle                  system_u:system_r:kernel_t:s0
Objekty cíle                  None [ system ]
Zdroj                         linux32
Cesta zdroje                  /usr/bin/setarch
Port                          <Neznámé>
Počítač                       jakoubek.ceplovi.cz
RPM balíčky zdroje            util-linux-ng-2.18-4.fc14
RPM balíčky cíle              
RPM politiky                  selinux-policy-3.9.3-1.fc14
Selinux povolen               True
Typ politiky                  targeted
Vynucovací režim              Enforcing
Název zásuvného modulu        catchall_boolean
Název počítače                jakoubek.ceplovi.cz
Platforma                     Linux jakoubek.ceplovi.cz 2.6.35.4-12.fc14.x86_64
                              #1 SMP Fri Aug 27 07:45:05 UTC 2010 x86_64 x86_64
Počet upozornění              10
Poprvé viděno                 Po 13. září 2010, 21:14:07 CEST
Naposledy viděno              Po 13. září 2010, 21:14:09 CEST
Místní ID                     ffd34321-0cb7-45e8-ab08-2e0b23ad8853
Čísla řádků                   

Původní zprávy auditu         

node=jakoubek.ceplovi.cz type=AVC msg=audit(1284405249.703:345): avc:  denied  { module_request } for  pid=32403 comm="linux32" kmod="personality-8" scontext=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c866,c883 tcontext=system_u:system_r:kernel_t:s0 tclass=system

node=jakoubek.ceplovi.cz type=SYSCALL msg=audit(1284405249.703:345): arch=c000003e syscall=135 per=8 success=yes exit=0 a0=8 a1=2 a2=0 a3=0 items=0 ppid=32402 pid=32403 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="linux32" exe="/usr/bin/setarch" subj=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c866,c883 key=(null)
Comment 5 Matěj Cepl 2010-09-13 15:24:09 EDT
Created attachment 447021 [details]
backtrace from F14

Managed to generate a backtrace on F14.
Comment 6 RHEL Product and Program Management 2011-01-07 10:40:07 EST
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
representative.
Comment 7 RHEL Product and Program Management 2011-02-01 00:46:19 EST
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
representative.
Comment 8 RHEL Product and Program Management 2011-02-01 13:40:12 EST
This request was erroneously denied for the current release of
Red Hat Enterprise Linux.  The error has been fixed and this
request has been re-proposed for the current release.
Comment 12 Suzanne Yeghiayan 2011-10-06 14:39:57 EDT
Since RHEL 6.2 External Beta has begun, and this bug remains
unresolved, it has been rejected as it is not proposed as
exception or blocker.
               
Red Hat invites you to ask your support representative to
propose this request, if appropriate and relevant, in the
next release of Red Hat Enterprise Linux.
Comment 13 Martin Stransky 2014-01-16 08:47:08 EST
We're not going to fix this issue, the fix would be rather intrusive and Firefox has to shutdown anyway. This is a null-pointer crash which is relatively safe.

Note You need to log in before you can comment on or make changes to this bug.