After upgrading to the Firefox 4 of Fedora 15, Firefox crashes
immediately on startup. I get an AVC about execmem being denied. I
run with allow_execmem disabled. (Audit details below.) I used
strace and gdb and found out that this happens in a file called
xulrunner-2.0.1/mozilla-2.0/js/src/assembler/jit/ExecutableAllocateorPosix.cpp
where it does
void* allocation = mmap(NULL, n, INITIAL_PROTECTION_FLAGS, MAP_PRIVATE | MAP_ANON, VM_TAG_FOR_EXECUTABLEALLOCATOR_MEMORY, 0);
The definition of INITIAL_PROTECTION_FLAGS is
PROT_READ|PROT_WRITE|PROT_EXEC which indeed looks like something
that would be disallowed without allow_execmem.
To make more mysterious, on a different system where we have an fresh
installation of Fedora 15, not updated from earlier versions, firefox
DO work. It does so even if I turn off allow_execmem. And when I
check /proc/*/maps for the firefox process, there are several
anonymous regions with "rwxp" permission.
How can it do that? What is it that allows the firefox on the freshly
installed F15 system allocate executable and writeable pages? If I
knew, maybe I would know what am I missing on the upgraded system?
================================================================
node=mimmi type=AVC msg=audit(1308408766.500:147502): avc: denied {
execmem } for pid=23119 comm="firefox"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=process node=mimmi type=SYSCALL
msg=audit(1308408766.500:147502): arch=c000003e syscall=9 success=no
exit=-13 a0=0 a1=10000 a2=7 a3=22 items=0 ppid=23116 pid=23119
auid=918 uid=918 gid=918 euid=918 suid=918 fsuid=918 egid=918 sgid=918
fsgid=918 tty=pts1 ses=9147 comm="firefox"
exe="/usr/lib64/firefox-4/firefox"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
