Description of problem:
On a system with allow_execmem disabled, firefox will not start. No error message appears if started in a terminal window, but several AVCs about execmem denials are reported.

Version-Release number of selected component (if applicable):
firefox-7.0.1-1.fc16.x86_64
selinux-policy-targeted-3.10.0-38.fc16.noarch

How reproducible:
Every time

Steps to Reproduce:
1. Start firefox

Actual results:
Nothing comes up.

Expected results:
A firefox window should appear.

Additional info:
This is an F16 version of bug 714425.

Doing
chcon -t execmem_exec_t /usr/lib64/firefox/firefox
is a possible workaround. (But firefox has a special mozilla_exec_t type initially, so maybe this isn't the right solution to implement in the policy.)

Asking ausearch immediately afterwards, there is a total of 12 AVC denials. They look the same, so I only include the first:

time->Tue Oct 11 12:19:43 2011
type=SYSCALL msg=audit(1318328383.755:12731): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=10000 a2=7 a3=22 items=0 ppid=27207 pid=30887 auid=503 uid=503 gid=503 euid=503 suid=503 fsuid=503 egid=503 sgid=503 fsgid=503 tty=pts4 ses=1963 comm="firefox" exe="/usr/lib64/firefox/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1318328383.755:12731): avc: denied { execmem } for pid=30887 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
This is why these checks are becoming useless, as more and more domains need execmem for script execution.
I'm going to close this bug report as a dupe of 752087.

*** This bug has been marked as a duplicate of bug 752087 ***
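Added example, not part of the original report or of any project's code: the Python below decodes the SYSCALL record quoted in the report to show which mmap request was refused. An anonymous mapping requested with PROT_EXEC is what SELinux checks against the execmem permission. The function names are assumptions of this example, and the sample is the report's record trimmed to the fields used.

```python
import re

# Constants from Linux <sys/mman.h> and the audit headers (x86_64).
PROT = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MAP = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED", 0x20: "MAP_ANONYMOUS"}
AUDIT_ARCH_X86_64 = 0xC000003E
SYS_MMAP = 9  # syscall number of mmap on x86_64

# SYSCALL record from the report above, trimmed to the fields used here.
SAMPLE = ('type=SYSCALL msg=audit(1318328383.755:12731): arch=c000003e syscall=9 '
          'success=no exit=-13 a0=0 a1=10000 a2=7 a3=22 items=0 pid=30887 '
          'comm="firefox" exe="/usr/lib64/firefox/firefox"')


def flags(value, table):
    """Return the names of the bits set in value; unknown bits are kept as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    leftover = value & ~sum(table)
    return names + ([hex(leftover)] if leftover else [])


def decode_mmap(record):
    """Decode an x86_64 mmap SYSCALL audit record; None for any other syscall."""
    f = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', record))
    # arch and a0..a3 are logged in hex, syscall and exit in decimal.
    if int(f["arch"], 16) != AUDIT_ARCH_X86_64 or int(f["syscall"]) != SYS_MMAP:
        return None
    prot, mflags = int(f["a2"], 16), int(f["a3"], 16)
    return {
        "comm": f["comm"].strip('"'),
        "length": int(f["a1"], 16),
        "prot": flags(prot, PROT),
        "flags": flags(mflags, MAP),
        "exit": int(f["exit"]),  # -13 is -EACCES
        # Anonymous memory requested executable: the case execmem covers.
        "anon_exec": bool(prot & 0x4 and mflags & 0x20),
    }


if __name__ == "__main__":
    for key, value in decode_mmap(SAMPLE).items():
        print(f"{key}: {value}")
```

For the record in the report this shows a 64 KiB private anonymous mapping requested readable, writable and executable at once, refused with EACCES.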