SELinux and NSS [was: Problem with NSS update - Firefox, Evolution]

Daniel J Walsh dwalsh at redhat.com
Wed Feb 1 02:44:56 UTC 2006


Jonathan Berry wrote:
> On 1/28/06, Jonathan Berry <berryja at gmail.com> wrote:
>   
>> On 1/28/06, Jonathan Berry <berryja at gmail.com> wrote:
>>     
setsebool -P allow_execmem=1
>>> Hi all,
>>>
>>> I just installed FC5T2 x86_64 to test it out.  Install went smoothly
>>> and I just finished up all the updates.   I seem to be having an issue
>>> with the NSS update:
>>> # grep -i nss /var/log/yum.log
>>> Jan 28 00:06:03 Updated: nss.x86_64 3.11-3
>>> Jan 28 00:07:25 Updated: nss.i386 3.11-3
>>> Jan 28 00:20:14 Updated: nss_ldap.i386 248-1
>>> Jan 28 00:20:18 Updated: nss_ldap.x86_64 248-1
>>>
>>> I have seen two symptoms of some problem thus far in Firefox and
>>> Evolution.  Firefox starts with a warning that it could not initialize
>>> the security component (something to that effect) and gives some
>>> statement that it could be a file permissions problem in the profile
>>> directory.  Perms look to be okay in ~/.mozilla/firefox/ and I get no
>>> SELinux or other messages.  Evolution flat refuses to run.  The
>>> problem is more apparent from the command line:
>>> $ evolution
>>> (evolution:3437): evolution-smime-WARNING **: Failed all methods for
>>> initializing NSS
>>> (evolution:3437): camel-WARNING **: Failed to initialize NSS
>>>
>>> Any ideas?  Time for a bugzilla entry? (probably after I sleep some...)
>>>       
>> More information...
>>
>> I just tried reinstalling the original nss packages and I am still
>> having issues.  Firefox gives the security warning and will not do any
>> ssl stuff (not good!) and evolution will not start.
>> $ rpm -qa nss{,_ldap}
>> nss_ldap-244-2.1.x86_64
>> nss-3.11-2.x86_64
>> nss_ldap-244-2.1.i386
>> nss-3.11-2.i386
>>
>> I've tried rebooting and even booting the original kernel and get the
>> same results.  Is anyone else seeing this?
>>     
>
> Okay, well, I keep responding to myself...
>
> This now seems to be related to SELinux somehow.  If I issue a
> "setenforce 0" command, then Firefox and SSL work just fine, Evolution
> starts, and all is well.  With enforcing disabled, when I start
> Firefox or Evolution, I get some "avc:  granted  { execmem }" messages
> in audit.log relating to the programs.  Unfortunately, I do not get
> any failure or otherwise messages in audit.log when SELinux is on. 
> FC5T2 x86_64 fully updated as of today.
> $  rpm -qa | grep selinux
> libselinux-devel-1.29.6-1.x86_64
> libselinux-python-1.29.6-1.x86_64
> selinux-policy-2.2.8-1.noarch
> selinux-policy-targeted-2.2.8-1.noarch
> libselinux-1.29.6-1.x86_64
> libselinux-1.29.6-1.i386
>
> Below I will post the AVC messages that I get when starting Evolution
> and Firefox with SELinux off.  I do not get any messages with SELinux
> enabled (ie, enforcing).  I'll also give the ls -Z output for the NSS
> stuff.  Is no one else seeing this?  Should I go ahead and bugzilla
> this (now that I can actually access https, heh)?
>
> Jonathan
>
> Lots of info follows.
>
> $ ls -Z `rpm -ql nss`
> -rw-r--r--  root     root     system_u:object_r:lib_t          /usr/lib64/libfreebl3.chk
> -rw-r--r--  root     root     system_u:object_r:lib_t          /usr/lib64/libfreebl3.so
> -rw-r--r--  root     root     system_u:object_r:lib_t          /usr/lib64/libnss3.so
> -rw-r--r--  root     root     system_u:object_r:lib_t          /usr/lib64/libnssckbi.so
> -rw-r--r--  root     root     system_u:object_r:lib_t          /usr/lib64/libsmime3.so
> -rw-r--r--  root     root     system_u:object_r:lib_t          /usr/lib64/libsoftokn3.chk
> -rw-r--r--  root     root     system_u:object_r:lib_t          /usr/lib64/libsoftokn3.so
> -rw-r--r--  root     root     system_u:object_r:lib_t          /usr/lib64/libssl3.so
> -rw-r--r--  root     root     system_u:object_r:lib_t          /usr/lib/libfreebl3.chk
> -rw-r--r--  root     root     system_u:object_r:lib_t          /usr/lib/libfreebl3.so
> -rw-r--r--  root     root     system_u:object_r:lib_t          /usr/lib/libnss3.so
> -rw-r--r--  root     root     system_u:object_r:lib_t          /usr/lib/libnssckbi.so
> -rw-r--r--  root     root     system_u:object_r:lib_t          /usr/lib/libsmime3.so
> -rw-r--r--  root     root     system_u:object_r:lib_t          /usr/lib/libsoftokn3.chk
> -rw-r--r--  root     root     system_u:object_r:lib_t          /usr/lib/libsoftokn3.so
> -rw-r--r--  root     root     system_u:object_r:lib_t          /usr/lib/libssl3.so
>
> $ ls -Z `rpm -ql nss_ldap`
> -rw-r--r--  root     root     system_u:object_r:etc_t          /etc/ldap.conf
> -rw-r--r--  root     root     system_u:object_r:etc_t          /etc/ldap.conf
> -rwxr-xr-x  root     root     system_u:object_r:lib_t          /lib64/libnss_ldap-2.3.90.so
> lrwxrwxrwx  root     root     system_u:object_r:lib_t          /lib64/libnss_ldap.so.2 -> libnss_ldap-2.3.90.so
> -rwxr-xr-x  root     root     system_u:object_r:lib_t          /lib64/security/pam_ldap.so
> -rwxr-xr-x  root     root     system_u:object_r:lib_t          /lib/libnss_ldap-2.3.90.so
> lrwxrwxrwx  root     root     system_u:object_r:lib_t          /lib/libnss_ldap.so.2 -> libnss_ldap-2.3.90.so
> -rwxr-xr-x  root     root     system_u:object_r:lib_t          /lib/security/pam_ldap.so
> lrwxrwxrwx  root     root     system_u:object_r:lib_t          /usr/lib64/libnss_ldap.so -> ../../lib64/libnss_ldap.so.2
> lrwxrwxrwx  root     root     system_u:object_r:lib_t          /usr/lib/libnss_ldap.so -> ../../lib/libnss_ldap.so.2
> [... snip tons more files with perms: -rw-r--r--  root     root     system_u:object_r:usr_t]
>
> I get the following AVC messages when starting Evolution with SELinux off:
> type=AVC msg=audit(1138480597.454:108): avc:  granted  { execmem } for
>  pid=3745 comm="evolution" scontext=user_u:system_r:unconfined_t:s0
> tcontext=user_u:system_r:unconfined_t:s0 tclass=process
> type=SYSCALL msg=audit(1138480597.454:108): arch=c000003e syscall=10
> success=yes exit=0 a0=7fffffce9000 a1=1000 a2=1000007 a3=4 items=0
> pid=3745 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500
> egid=500 sgid=500 fsgid=500 comm="evolution" exe="/usr/bin/evolution-2.6"
> type=AVC msg=audit(1138480597.558:109): avc:  granted  { execmem } for
>  pid=3745 comm="evolution" scontext=user_u:system_r:unconfined_t:s0
> tcontext=user_u:system_r:unconfined_t:s0 tclass=process
> type=SYSCALL msg=audit(1138480597.558:109): arch=c000003e syscall=9
> success=yes exit=1073741824 a0=0 a1=a01000 a2=7 a3=62 items=0 pid=3745
> auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
> sgid=500 fsgid=500 comm="evolution" exe="/usr/bin/evolution-2.6"
> type=AVC msg=audit(1138480597.590:110): avc:  granted  { execmem } for
>  pid=3761 comm="evolution" scontext=user_u:system_r:unconfined_t:s0
> tcontext=user_u:system_r:unconfined_t:s0 tclass=process
> type=SYSCALL msg=audit(1138480597.590:110): arch=c000003e syscall=9
> success=yes exit=1084231680 a0=0 a1=a01000 a2=7 a3=62 items=0 pid=3761
> auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
> sgid=500 fsgid=500 comm="evolution" exe="/usr/bin/evolution-2.6"
> type=AVC msg=audit(1138480597.630:111): avc:  granted  { execmem } for
>  pid=3745 comm="evolution" scontext=user_u:system_r:unconfined_t:s0
> tcontext=user_u:system_r:unconfined_t:s0 tclass=process
> type=SYSCALL msg=audit(1138480597.630:111): arch=c000003e syscall=9
> success=yes exit=1094721536 a0=0 a1=a01000 a2=7 a3=62 items=0 pid=3745
> auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
> sgid=500 fsgid=500 comm="evolution" exe="/usr/bin/evolution-2.6"
> type=AVC msg=audit(1138480598.770:112): avc:  granted  { execmem } for
>  pid=3745 comm="evolution" scontext=user_u:system_r:unconfined_t:s0
> tcontext=user_u:system_r:unconfined_t:s0 tclass=process
> type=SYSCALL msg=audit(1138480598.770:112): arch=c000003e syscall=9
> success=yes exit=1105211392 a0=0 a1=a01000 a2=7 a3=62 items=0 pid=3745
> auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
> sgid=500 fsgid=500 comm="evolution" exe="/usr/bin/evolution-2.6"
> type=AVC msg=audit(1138480598.878:113): avc:  granted  { execmem } for
>  pid=3745 comm="evolution" scontext=user_u:system_r:unconfined_t:s0
> tcontext=user_u:system_r:unconfined_t:s0 tclass=process
> type=SYSCALL msg=audit(1138480598.878:113): arch=c000003e syscall=9
> success=yes exit=1115701248 a0=0 a1=a01000 a2=7 a3=62 items=0 pid=3745
> auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
> sgid=500 fsgid=500 comm="evolution" exe="/usr/bin/evolution-2.6"
>
> I get the following AVC messages when starting Firefox with SELinux off:
> type=AVC msg=audit(1138480668.242:114): avc:  granted  { execmem } for
>  pid=3802 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0
> tcontext=user_u:system_r:unconfined_t:s0 tclass=process
> type=SYSCALL msg=audit(1138480668.242:114): arch=c000003e syscall=10
> success=yes exit=0 a0=7fffffa74000 a1=1000 a2=1000007 a3=4 items=0
> pid=3802 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500
> egid=500 sgid=500 fsgid=500 comm="firefox-bin"
> exe="/usr/lib64/firefox-1.5/firefox-bin"
> type=AVC msg=audit(1138480668.242:115): avc:  granted  { execmem } for
>  pid=3802 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0
> tcontext=user_u:system_r:unconfined_t:s0 tclass=process
> type=SYSCALL msg=audit(1138480668.242:115): arch=c000003e syscall=10
> success=yes exit=0 a0=41403000 a1=a00000 a2=7 a3=4 items=0 pid=3802
> auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
> sgid=500 fsgid=500 comm="firefox-bin"
> exe="/usr/lib64/firefox-1.5/firefox-bin"
> type=AVC msg=audit(1138480668.242:116): avc:  granted  { execmem } for
>  pid=3802 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0
> tcontext=user_u:system_r:unconfined_t:s0 tclass=process
> type=SYSCALL msg=audit(1138480668.242:116): arch=c000003e syscall=10
> success=yes exit=0 a0=40a02000 a1=a00000 a2=7 a3=4 items=0 pid=3802
> auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
> sgid=500 fsgid=500 comm="firefox-bin"
> exe="/usr/lib64/firefox-1.5/firefox-bin"
> type=AVC msg=audit(1138480668.242:117): avc:  granted  { execmem } for
>  pid=3802 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0
> tcontext=user_u:system_r:unconfined_t:s0 tclass=process
> type=SYSCALL msg=audit(1138480668.242:117): arch=c000003e syscall=10
> success=yes exit=0 a0=40001000 a1=a00000 a2=7 a3=4 items=0 pid=3802
> auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
> sgid=500 fsgid=500 comm="firefox-bin"
> exe="/usr/lib64/firefox-1.5/firefox-bin"
> type=AVC msg=audit(1138480668.502:118): avc:  granted  { execmem } for
>  pid=3803 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0
> tcontext=user_u:system_r:unconfined_t:s0 tclass=process
> type=SYSCALL msg=audit(1138480668.502:118): arch=c000003e syscall=9
> success=yes exit=1105211392 a0=0 a1=a01000 a2=7 a3=62 items=0 pid=3803
> auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
> sgid=500 fsgid=500 comm="firefox-bin"
> exe="/usr/lib64/firefox-1.5/firefox-bin"
>
>   
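The AVC records above are only half the story: the SYSCALL record that shares the same audit serial number says which call asked for execmem and with what prot bits. The script below is an added example for this thread (not code from the thread, from Jonathan, from Dan, or from the SELinux project): it pairs AVC and SYSCALL records by serial, decodes the mmap/mprotect prot argument, and tallies granted versus denied execmem per program, so a triager can see whether a "fix" like `setsebool -P allow_execmem=1` (persistent and system-wide) is covering one library or being applied blindly. The first two record pairs in the sample are the thread's own lines re-joined; the third pair, `example-app` under `/usr/local/bin`, is constructed to show what an enforcing-mode denial of the same request would look like.

```python
"""Correlate SELinux AVC records with their SYSCALL records and explain
execmem decisions.  Added example for this thread, not code from the
thread or from the SELinux project."""
import re
from collections import defaultdict

# Sample audit records.  The first two pairs are copied from the thread
# (re-joined onto single lines); the third pair is CONSTRUCTED to show what
# the same request looks like when enforcing mode denies it.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1138480597.454:108): avc:  granted  { execmem } for pid=3745 comm="evolution" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480597.454:108): arch=c000003e syscall=10 success=yes exit=0 a0=7fffffce9000 a1=1000 a2=1000007 a3=4 items=0 pid=3745 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="evolution" exe="/usr/bin/evolution-2.6"
type=AVC msg=audit(1138480668.502:118): avc:  granted  { execmem } for pid=3803 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480668.502:118): arch=c000003e syscall=9 success=yes exit=1105211392 a0=0 a1=a01000 a2=7 a3=62 items=0 pid=3803 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="firefox-bin" exe="/usr/lib64/firefox-1.5/firefox-bin"
type=AVC msg=audit(1138480700.000:119): avc:  denied  { execmem } for pid=4000 comm="example-app" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480700.000:119): arch=c000003e syscall=10 success=no exit=-13 a0=7fffffce9000 a1=1000 a2=7 a3=4 items=0 pid=4000 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="example-app" exe="/usr/local/bin/example-app"
"""

# mmap/mprotect prot bits (Linux x86_64 values), in ascending bit order.
PROT_FLAGS = {
    0x1: "PROT_READ",
    0x2: "PROT_WRITE",
    0x4: "PROT_EXEC",
    0x01000000: "PROT_GROWSDOWN",
    0x02000000: "PROT_GROWSUP",
}
# arch=c000003e is AUDIT_ARCH_X86_64; on that ABI syscall 9 is mmap and 10 is
# mprotect.  Both carry the prot value in their third argument (a2).
X86_64_ARCH = "c000003e"
SYSCALLS_X86_64 = {9: "mmap", 10: "mprotect"}

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
AVC_RE = re.compile(r"avc:\s+(granted|denied)\s+\{ ([^}]+) \}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(body):
    """Turn 'pid=3745 comm="evolution" ...' into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(body)}


def group_records(log_text):
    """Group records by audit serial: the N in audit(secs.ms:N).
    An AVC record and the SYSCALL that triggered it share that serial."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            rtype, _ts, serial, body = m.groups()
            events[int(serial)][rtype] = body
    return events


def decode_prot(hex_value):
    """Expand a hex prot argument into flag names."""
    bits = int(hex_value, 16)
    return [name for bit, name in PROT_FLAGS.items() if bits & bit]


def explain_execmem(log_text):
    """One finding per execmem AVC, joined with the syscall that caused it."""
    findings = []
    for serial, recs in sorted(group_records(log_text).items()):
        avc_body = recs.get("AVC")
        m = AVC_RE.search(avc_body) if avc_body else None
        if not m or "execmem" not in m.group(2).split():
            continue
        avc = parse_kv(avc_body)
        sc = parse_kv(recs.get("SYSCALL", ""))
        name = "unknown"
        if sc.get("arch") == X86_64_ARCH and sc.get("syscall", "").isdigit():
            name = SYSCALLS_X86_64.get(int(sc["syscall"]), "unknown")
        prot = decode_prot(sc.get("a2", "0")) if name in ("mmap", "mprotect") else []
        findings.append({
            "serial": serial,
            "decision": m.group(1),
            "comm": avc.get("comm"),
            "exe": sc.get("exe"),
            "scontext": avc.get("scontext"),
            "syscall": name,
            "prot": prot,
            # execmem is the check for a mapping that is writable AND executable
            "writable_exec": "PROT_WRITE" in prot and "PROT_EXEC" in prot,
        })
    return findings


def summarize(log_text):
    """Count execmem decisions per program: the quick view for triage."""
    counts = defaultdict(int)
    for f in explain_execmem(log_text):
        counts[(f["comm"], f["decision"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in explain_execmem(SAMPLE_AUDIT_LOG):
        print(f"{f['serial']}: {f['decision']:7} {f['comm']:12} "
              f"{f['syscall']:9} {'|'.join(f['prot'])}  exe={f['exe']}")
    print(summarize(SAMPLE_AUDIT_LOG))
```

Run against a real `/var/log/audit/audit.log` it lists every execmem grant or denial with the program, the syscall and the prot bits that triggered it. In the thread the evolution record 108 is an `mprotect` of a stack page to read/write/exec (`a2=1000007` decodes to PROT_READ|PROT_WRITE|PROT_EXEC|PROT_GROWSDOWN) and the later records are anonymous `mmap` calls with prot 7, which is exactly what the execmem check exists to catch; seeing which executable asks for it is what lets you decide between fixing that one component and flipping the boolean for every process.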




More information about the fedora-test-list mailing list