On Sat, 2005-01-08 at 13:41, Tom London wrote:
> Running strict/enforcing, latest Rawhide.
>
> After downloading today's updates, including
> kernel-2.6.10-1.1074_FC4, and rebooting,
> (and before the kernel oops with a kernel
> page fault):
>
> firefox refuses to start in enforcing mode. Here
> are the AVCs:
>
> Jan 8 10:28:01 fedora kernel: audit(1105208881.086:0): avc: denied
> { execmod } for pid=4242 comm=java path=/lib/ld-2.3.4.so dev=hda2
> ino=3178514 scontext=user_u:user_r:user_t
> tcontext=system_u:object_r:ld_so_t tclass=file
> Jan 8 10:28:01 fedora kernel: audit(1105208881.831:0): avc: denied
> { execmem } for pid=4266 comm=firefox-bin
> scontext=user_u:user_r:user_mozilla_t
> tcontext=user_u:user_r:user_mozilla_t tclass=process
> Jan 8 10:28:01 fedora kernel: audit(1105208881.928:0): avc: denied
> { execmem } for pid=4266 comm=firefox-bin
> scontext=user_u:user_r:user_mozilla_t
> tcontext=user_u:user_r:user_mozilla_t tclass=process
>
> Policy needs fixing for new kernel mods?

New controls for executable mappings in SELinux, see
http://marc.theaimsgroup.com/?l=linux-kernel&m=110200324503263&w=2.
The upstream strict policy includes allow rules for user domains, but
not for mozilla, although I suppose this will have to change for
compatibility.

-- 
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency
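
An added example, not part of the original message or of any SELinux tool: the three AVC denials quoted above, parsed into fields and grouped by source type, target type, class and permission, so that the executable-mapping denials (execmem, execmod) can be reviewed per domain. The function names are hypothetical, and the sample input is the quoted log with its wrapped lines rejoined.

```python
import re
from collections import defaultdict

# Hypothetical helper names; the input is the three denials quoted in the
# message above, rejoined onto single lines.
SAMPLE_LOG = """\
Jan 8 10:28:01 fedora kernel: audit(1105208881.086:0): avc: denied { execmod } for pid=4242 comm=java path=/lib/ld-2.3.4.so dev=hda2 ino=3178514 scontext=user_u:user_r:user_t tcontext=system_u:object_r:ld_so_t tclass=file
Jan 8 10:28:01 fedora kernel: audit(1105208881.831:0): avc: denied { execmem } for pid=4266 comm=firefox-bin scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_mozilla_t tclass=process
Jan 8 10:28:01 fedora kernel: audit(1105208881.928:0): avc: denied { execmem } for pid=4266 comm=firefox-bin scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_mozilla_t tclass=process
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
# The two executable-mapping permissions that appear in this thread.
EXEC_MAPPING_PERMS = {"execmem", "execmod"}

def parse_avc(line):
    """Return a dict for one 'avc: denied' line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return {
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm"),
        "path": fields.get("path"),
        # A context is user:role:type; the type is what policy rules name.
        "source_type": fields.get("scontext", "::").split(":")[2],
        "target_type": fields.get("tcontext", "::").split(":")[2],
        "tclass": fields.get("tclass"),
    }

def summarize_exec_denials(log_text):
    """Group executable-mapping denials by (source, target, class, perm)."""
    summary = defaultdict(lambda: {"count": 0, "comms": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"] & EXEC_MAPPING_PERMS:
            key = (rec["source_type"], rec["target_type"], rec["tclass"], perm)
            summary[key]["count"] += 1
            summary[key]["comms"].add(rec["comm"])
    return dict(summary)

if __name__ == "__main__":
    for key, info in sorted(summarize_exec_denials(SAMPLE_LOG).items()):
        print(*key, info["count"], sorted(info["comms"]))
```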