Dear all,
When I try out the new firefox, setroubleshoot browser
tells me
\begin{QUOTE}
Summary:
SELinux is preventing firefox from making the program
stack executable.
Detailed Description:
The firefox application attempted to make its stack
executable. This is a
potential security problem. This should never ever be
necessary. Stack memory is
not executable on most OSes these days and this will
not change. Executable
stack memory is one of the biggest security problems.
An execstack error might
in fact be most likely raised by malicious code.
Applications are sometimes
coded incorrectly and request this permission. The
SELinux Memory Protection
Tests
(http://people.redhat.com/drepper/selinux-mem.html)
web page explains how
to remove this requirement. If firefox does not work
and you need it to work,
you can configure SELinux temporarily to allow this
access until the application
is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Allowing Access:
Sometimes a library is accidentally marked with the
execstack flag, if you find
a library with this flag you can clear it with the
execstack -c LIBRARY_PATH.
Then retry your application. If the app continues to
not work, you can turn the
flag back on with execstack -s LIBRARY_PATH.
Otherwise, if you trust firefox to
run correctly, you can change the context of the
executable to
unconfined_execmem_exec_t. "chcon -t
unconfined_execmem_exec_t
'/usr/lib/firefox-3.0b3pre/firefox'" You must also
change the default file
context files on the system in order to preserve them
even on a full relabel.
"semanage fcontext -a -t unconfined_execmem_exec_t
'/usr/lib/firefox-3.0b3pre/firefox'"
The following command will allow this access:
chcon -t unconfined_execmem_exec_t
'/usr/lib/firefox-3.0b3pre/firefox'
Additional Information:
Source Context
unconfined_u:unconfined_r:unconfined_t:SystemLow-
SystemHigh
Target Context
unconfined_u:unconfined_r:unconfined_t:SystemLow-
SystemHigh
Target Objects None [ process ]
Source firefox
Source Path
/usr/lib/firefox-3.0b3pre/firefox
Port <Unknown>
Host localhost
Source RPM Packages
firefox-3.0-0.beta2.15.nightly20080130.fc9
Target RPM Packages
Policy RPM
selinux-policy-3.2.5-24.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name allow_execstack
Host Name localhost
Platform Linux localhost
2.6.24-9.fc9 #1 SMP Tue Jan 29
18:08:15 EST 2008 i686
athlon
Alert Count 2
First Seen Fri 01 Feb 2008 05:08:54
PM CST
Last Seen Fri 01 Feb 2008 05:08:54
PM CST
Local ID
c4806f30-a6dc-43b0-8901-5531075795f7
Line Numbers
Raw Audit Messages
host=localhost type=AVC msg=audit(1201907334.440:23):
avc: denied { execstack } for pid=2743
comm="firefox"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=process
host=localhost type=SYSCALL
msg=audit(1201907334.440:23): arch=40000003
syscall=125 success=no exit=-13 a0=bfd47000 a1=1000
a2=1000007 a3=fffff000 items=0 ppid=2729 pid=2743
auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500
egid=500 sgid=500 fsgid=500 tty=(none) comm="firefox"
exe="/usr/lib/firefox-3.0b3pre/firefox"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
key=(null)
\end{QUOTE}
I have done this two or three time so that I can use
firefox-beta 3, is this by design or will it
eventually be incorporated.
If I decide to file a bug report, should it be against
firefox, selinux-policy?
see here
----------
The firefox application attempted to make its stack
executable. This is a potential security problem. This
should never ever be necessary. Stack memory is not
executable on most OSes these days and this will not
change. Executable stack memory is one of the biggest
security problems. An execstack error might in fact be
most likely raised by malicious code. Applications are
sometimes coded incorrectly and request this
permission. The SELinux Memory Protection Tests web
page explains how to remove this requirement. If
firefox does not work and you need it to work, you can
configure SELinux temporarily to allow this access
until the application is fixed. Please file a bug
report against this package.
Thanks,
Antonio
____________________________________________________________________________________
Be a better friend, newshound, and
know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
