firefox on rawhide and selinux

Daniel J Walsh dwalsh at redhat.com
Mon Jun 8 21:17:22 UTC 2009


On 06/08/2009 04:21 PM, Antonio Olivares wrote:
>
>
> Summary:
>
> SELinux is preventing firefox from changing a writable memory segment
> executable.
>
> Detailed Description:
>
> The firefox application attempted to change the access protection of memory
> (e.g., allocated using malloc). This is a potential security problem.
> Applications should not be doing this. Applications are sometimes coded
> incorrectly and request this permission. The SELinux Memory Protection Tests
> (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
> remove this requirement. If firefox does not work and you need it to work, you
> can configure SELinux temporarily to allow this access until the application is
> fixed. Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
>
> Allowing Access:
>
> If you trust firefox to run correctly, you can change the context of the
> executable to unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t
> '/usr/lib/firefox-3.5b4/firefox'". You must also change the default file context
> files on the system in order to preserve them even on a full relabel. "semanage
> fcontext -a -t unconfined_execmem_exec_t '/usr/lib/firefox-3.5b4/firefox'"
>
> Fix Command:
>
> chcon -t unconfined_execmem_exec_t '/usr/lib/firefox-3.5b4/firefox'
>
> Additional Information:
>
> Source Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-
>                                SystemHigh
> Target Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-
>                                SystemHigh
> Target Objects                None [ process ]
> Source                        firefox
> Source Path                   /usr/lib/firefox-3.5b4/firefox
> Port                          <Unknown>
> Host                          localhost.localdomain
> Source RPM Packages           firefox-3.5-0.21.beta4.fc12
> Target RPM Packages
> Policy RPM                    selinux-policy-3.6.13-2.fc12
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   allow_execmem
> Host Name                     localhost.localdomain
> Platform                      Linux localhost.localdomain
>                                2.6.30-0.97.rc8.fc12.i586 #1 SMP Wed Jun 3
>                                09:55:34 EDT 2009 i686 i686
> Alert Count                   8
> First Seen                    Mon 08 Jun 2009 12:27:54 PM CDT
> Last Seen                     Mon 08 Jun 2009 12:28:08 PM CDT
> Local ID                      0e0d62f4-09db-4ddf-987c-8210c45b9e70
> Line Numbers
>
> Raw Audit Messages
>
> node=localhost.localdomain type=AVC msg=audit(1244482088.874:27316): avc:  denied  { execmem } for  pid=2566 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
>
> node=localhost.localdomain type=SYSCALL msg=audit(1244482088.874:27316): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=2000 a2=7 a3=22 items=0 ppid=2554 pid=2566 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="firefox" exe="/usr/lib/firefox-3.5b4/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
>
>
>
>
> Thanks,
>
> Antonio
>
>
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Are you using flashplugin?  Not sure which app is causing the execmem.
Do you have nspluginwrapper installed?
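
Added example, not part of either message above: a small Python decoder for the SYSCALL audit record quoted in the report, showing which memory mapping the `execmem` denial refers to. The function names and the i386 syscall and flag tables are assumptions of this example, chosen to match `arch=40000003`.

```python
import re

# i386 syscall numbers (arch=40000003 is AUDIT_ARCH_I386); only the two
# calls whose arguments carry the protection bits directly are decoded.
I386_SYSCALLS = {125: "mprotect", 192: "mmap2"}
PROT_BITS = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MAP_BITS = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE",
            0x10: "MAP_FIXED", 0x20: "MAP_ANONYMOUS"}

# SYSCALL record from the report above, with the uid/gid/tty/subj fields trimmed.
SAMPLE = (
    'node=localhost.localdomain type=SYSCALL msg=audit(1244482088.874:27316): '
    'arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=2000 a2=7 a3=22 '
    'items=0 ppid=2554 pid=2566 comm="firefox" '
    'exe="/usr/lib/firefox-3.5b4/firefox" key=(null)'
)


def flag_names(value, table):
    """Return the names of the bits set in value, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def decode_execmem(record):
    """Decode the memory-mapping arguments of an i386 SYSCALL audit record."""
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', record))
    if fields.get("type") != "SYSCALL" or fields.get("arch") != "40000003":
        raise ValueError("expected an i386 SYSCALL audit record")
    name = I386_SYSCALLS.get(int(fields["syscall"]))
    if name is None:
        raise ValueError("not mmap2 or mprotect")
    # auditd logs a0..a3 as hexadecimal without a 0x prefix.
    args = [int(fields["a%d" % i], 16) for i in range(4)]
    prot = flag_names(args[2], PROT_BITS)
    return {
        "syscall": name,
        "exe": fields["exe"].strip('"'),
        "pid": int(fields["pid"]),
        "length": args[1],
        "prot": prot,
        # mprotect has no flags argument; a3 is only meaningful for mmap2.
        "flags": flag_names(args[3], MAP_BITS) if name == "mmap2" else [],
        "writable_and_executable": "PROT_WRITE" in prot and "PROT_EXEC" in prot,
        "denied": fields["success"] == "no" and int(fields["exit"]) == -13,
    }
```

For the quoted record this decodes to a denied `mmap2` of 0x2000 bytes, private and anonymous, requested readable, writable and executable. The record identifies the process and the kind of mapping, not which library loaded into firefox asked for it.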



