Jonathan Berry wrote:
On 1/28/06, Jonathan Berry <berryja@xxxxxxxxx> wrote:
On 1/28/06, Jonathan Berry <berryja@xxxxxxxxx> wrote:
setsebool -P allow_execmem=1
Hi all,
I just installed FC5T2 x86_64 to test it out. Install went smoothly
and I just finished up all the updates. I seem to be having an issue
with the NSS update:
# grep -i nss /var/log/yum.log
Jan 28 00:06:03 Updated: nss.x86_64 3.11-3
Jan 28 00:07:25 Updated: nss.i386 3.11-3
Jan 28 00:20:14 Updated: nss_ldap.i386 248-1
Jan 28 00:20:18 Updated: nss_ldap.x86_64 248-1
I have seen two symptoms of some problem thus far in Firefox and
Evolution. Firefox starts with a warning that it could not initialize
the security component (something to that effect) and gives some
statement that it could be a file permissions problem in the profile
directory. Perms look to be okay in ~/.mozilla/firefox/ and I get no
SELinux or other messages. Evolution flat refuses to run. The
problem is more apparent from the command line:
$ evolution
(evolution:3437): evolution-smime-WARNING **: Failed all methods for
initializing NSS
(evolution:3437): camel-WARNING **: Failed to initialize NSS
Any ideas? Time for a bugzilla entry? (probably after I sleep some...)
More information...
I just tried reinstalling the original nss packages and I am still
having issues. Firefox gives the security warning and will not do any
ssl stuff (not good!) and evolution will not start.
$ rpm -qa nss{,_ldap}
nss_ldap-244-2.1.x86_64
nss-3.11-2.x86_64
nss_ldap-244-2.1.i386
nss-3.11-2.i386
I've tried rebooting and even booting the original kernel and get the
same results. Is anyone else seeing this?
Okay, well, I keep responding to myself...
This now seems to be related to SELinux somehow. If I issue a
"setenforce 0" command, then Firefox and SSL work just fine, Evolution
starts, and all is well. With enforcing disabled, when I start
Firefox or Evolution, I get some "avc: granted { execmem }" messages
in audit.log relating to the programs. Unfortunately, I do not get
any failure or otherwise messages in audit.log when SELinux is on.
FC5T2 x86_64 fully updated as of today.
$ rpm -qa | grep selinux
libselinux-devel-1.29.6-1.x86_64
libselinux-python-1.29.6-1.x86_64
selinux-policy-2.2.8-1.noarch
selinux-policy-targeted-2.2.8-1.noarch
libselinux-1.29.6-1.x86_64
libselinux-1.29.6-1.i386
Below I will post the AVC messages that I get when starting Evolution
and Firefox with SELinux off. I do not get any messages with SELinux
enabled (i.e., enforcing). I'll also give the ls -Z output for the NSS
stuff. Is no one else seeing this? Should I go ahead and bugzilla
this (now that I can actually access https, heh)?
Jonathan
Lots of info follows.
$ ls -Z `rpm -ql nss`
-rw-r--r-- root root system_u:object_r:lib_t /usr/lib64/libfreebl3.chk
-rw-r--r-- root root system_u:object_r:lib_t /usr/lib64/libfreebl3.so
-rw-r--r-- root root system_u:object_r:lib_t /usr/lib64/libnss3.so
-rw-r--r-- root root system_u:object_r:lib_t /usr/lib64/libnssckbi.so
-rw-r--r-- root root system_u:object_r:lib_t /usr/lib64/libsmime3.so
-rw-r--r-- root root system_u:object_r:lib_t /usr/lib64/libsoftokn3.chk
-rw-r--r-- root root system_u:object_r:lib_t /usr/lib64/libsoftokn3.so
-rw-r--r-- root root system_u:object_r:lib_t /usr/lib64/libssl3.so
-rw-r--r-- root root system_u:object_r:lib_t /usr/lib/libfreebl3.chk
-rw-r--r-- root root system_u:object_r:lib_t /usr/lib/libfreebl3.so
-rw-r--r-- root root system_u:object_r:lib_t /usr/lib/libnss3.so
-rw-r--r-- root root system_u:object_r:lib_t /usr/lib/libnssckbi.so
-rw-r--r-- root root system_u:object_r:lib_t /usr/lib/libsmime3.so
-rw-r--r-- root root system_u:object_r:lib_t /usr/lib/libsoftokn3.chk
-rw-r--r-- root root system_u:object_r:lib_t /usr/lib/libsoftokn3.so
-rw-r--r-- root root system_u:object_r:lib_t /usr/lib/libssl3.so
$ ls -Z `rpm -ql nss_ldap`
-rw-r--r-- root root system_u:object_r:etc_t /etc/ldap.conf
-rw-r--r-- root root system_u:object_r:etc_t /etc/ldap.conf
-rwxr-xr-x root root system_u:object_r:lib_t /lib64/libnss_ldap-2.3.90.so
lrwxrwxrwx root root system_u:object_r:lib_t /lib64/libnss_ldap.so.2 -> libnss_ldap-2.3.90.so
-rwxr-xr-x root root system_u:object_r:lib_t /lib64/security/pam_ldap.so
-rwxr-xr-x root root system_u:object_r:lib_t /lib/libnss_ldap-2.3.90.so
lrwxrwxrwx root root system_u:object_r:lib_t /lib/libnss_ldap.so.2 -> libnss_ldap-2.3.90.so
-rwxr-xr-x root root system_u:object_r:lib_t /lib/security/pam_ldap.so
lrwxrwxrwx root root system_u:object_r:lib_t /usr/lib64/libnss_ldap.so -> ../../lib64/libnss_ldap.so.2
lrwxrwxrwx root root system_u:object_r:lib_t /usr/lib/libnss_ldap.so -> ../../lib/libnss_ldap.so.2
[... snip tons more files with perms: -rw-r--r-- root root
system_u:object_r:usr_t]
I get the following AVC messages when starting Evolution with SELinux off:
type=AVC msg=audit(1138480597.454:108): avc: granted { execmem } for
pid=3745 comm="evolution" scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480597.454:108): arch=c000003e syscall=10
success=yes exit=0 a0=7fffffce9000 a1=1000 a2=1000007 a3=4 items=0
pid=3745 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500
egid=500 sgid=500 fsgid=500 comm="evolution"
exe="/usr/bin/evolution-2.6"
type=AVC msg=audit(1138480597.558:109): avc: granted { execmem } for
pid=3745 comm="evolution" scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480597.558:109): arch=c000003e syscall=9
success=yes exit=1073741824 a0=0 a1=a01000 a2=7 a3=62 items=0 pid=3745
auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
sgid=500 fsgid=500 comm="evolution"
exe="/usr/bin/evolution-2.6"
type=AVC msg=audit(1138480597.590:110): avc: granted { execmem } for
pid=3761 comm="evolution" scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480597.590:110): arch=c000003e syscall=9
success=yes exit=1084231680 a0=0 a1=a01000 a2=7 a3=62 items=0 pid=3761
auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
sgid=500 fsgid=500 comm="evolution"
exe="/usr/bin/evolution-2.6"
type=AVC msg=audit(1138480597.630:111): avc: granted { execmem } for
pid=3745 comm="evolution" scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480597.630:111): arch=c000003e syscall=9
success=yes exit=1094721536 a0=0 a1=a01000 a2=7 a3=62 items=0 pid=3745
auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
sgid=500 fsgid=500 comm="evolution"
exe="/usr/bin/evolution-2.6"
type=AVC msg=audit(1138480598.770:112): avc: granted { execmem } for
pid=3745 comm="evolution" scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480598.770:112): arch=c000003e syscall=9
success=yes exit=1105211392 a0=0 a1=a01000 a2=7 a3=62 items=0 pid=3745
auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
sgid=500 fsgid=500 comm="evolution"
exe="/usr/bin/evolution-2.6"
type=AVC msg=audit(1138480598.878:113): avc: granted { execmem } for
pid=3745 comm="evolution" scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480598.878:113): arch=c000003e syscall=9
success=yes exit=1115701248 a0=0 a1=a01000 a2=7 a3=62 items=0 pid=3745
auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
sgid=500 fsgid=500 comm="evolution"
exe="/usr/bin/evolution-2.6"
I get the following AVC messages when starting Firefox with SELinux off:
type=AVC msg=audit(1138480668.242:114): avc: granted { execmem } for
pid=3802 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480668.242:114): arch=c000003e syscall=10
success=yes exit=0 a0=7fffffa74000 a1=1000 a2=1000007 a3=4 items=0
pid=3802 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500
egid=500 sgid=500 fsgid=500 comm="firefox-bin"
exe="/usr/lib64/firefox-1.5/firefox-bin"
type=AVC msg=audit(1138480668.242:115): avc: granted { execmem } for
pid=3802 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480668.242:115): arch=c000003e syscall=10
success=yes exit=0 a0=41403000 a1=a00000 a2=7 a3=4 items=0 pid=3802
auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
sgid=500 fsgid=500 comm="firefox-bin"
exe="/usr/lib64/firefox-1.5/firefox-bin"
type=AVC msg=audit(1138480668.242:116): avc: granted { execmem } for
pid=3802 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480668.242:116): arch=c000003e syscall=10
success=yes exit=0 a0=40a02000 a1=a00000 a2=7 a3=4 items=0 pid=3802
auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
sgid=500 fsgid=500 comm="firefox-bin"
exe="/usr/lib64/firefox-1.5/firefox-bin"
type=AVC msg=audit(1138480668.242:117): avc: granted { execmem } for
pid=3802 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480668.242:117): arch=c000003e syscall=10
success=yes exit=0 a0=40001000 a1=a00000 a2=7 a3=4 items=0 pid=3802
auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
sgid=500 fsgid=500 comm="firefox-bin"
exe="/usr/lib64/firefox-1.5/firefox-bin"
type=AVC msg=audit(1138480668.502:118): avc: granted { execmem } for
pid=3803 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480668.502:118): arch=c000003e syscall=9
success=yes exit=1105211392 a0=0 a1=a01000 a2=7 a3=62 items=0 pid=3803
auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
sgid=500 fsgid=500 comm="firefox-bin"
exe="/usr/lib64/firefox-1.5/firefox-bin"
--
fedora-test-list mailing list
fedora-test-list@xxxxxxxxxx
To unsubscribe:
https://www.redhat.com/mailman/listinfo/fedora-test-list
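
Added example, not part of the original thread: each execmem AVC record above shares its audit event id with a SYSCALL record whose a2 argument is the memory protection mask that was requested. The Python below pairs the two records and decodes that mask; the function names are this example's own, and it assumes x86_64 syscall numbers (9 = mmap, 10 = mprotect) and the hex argument encoding seen in the post.

```python
import re
from collections import defaultdict

# x86_64 (arch=c000003e) syscalls whose third argument (a2) is a PROT_* mask.
PROT_SYSCALLS = {9: "mmap", 10: "mprotect"}
PROT_FLAGS = [(0x1, "PROT_READ"), (0x2, "PROT_WRITE"), (0x4, "PROT_EXEC"),
              (0x01000000, "PROT_GROWSDOWN")]
RECORD_RE = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
VERDICT_RE = re.compile(r"avc:\s+(granted|denied)\s+\{ execmem \}")

# Events 108 and 109 from the post, abridged and rejoined to one record per line.
SAMPLE = """\
type=AVC msg=audit(1138480597.454:108): avc: granted { execmem } for pid=3745 comm="evolution" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480597.454:108): arch=c000003e syscall=10 success=yes exit=0 a0=7fffffce9000 a1=1000 a2=1000007 a3=4 items=0 pid=3745 uid=500 comm="evolution" exe="/usr/bin/evolution-2.6"
type=AVC msg=audit(1138480597.558:109): avc: granted { execmem } for pid=3745 comm="evolution" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480597.558:109): arch=c000003e syscall=9 success=yes exit=1073741824 a0=0 a1=a01000 a2=7 a3=62 items=0 pid=3745 uid=500 comm="evolution" exe="/usr/bin/evolution-2.6"
"""

def decode_prot(mask):
    """Name the PROT_* bits set in an mmap/mprotect protection mask."""
    return "|".join(n for bit, n in PROT_FLAGS if mask & bit) or "PROT_NONE"

def execmem_events(log_text):
    """Pair each execmem AVC with the SYSCALL record sharing its audit event id."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            events[m.group(2)][m.group(1)] = m.group(3)
    findings = []
    for event_id, recs in events.items():
        verdict = VERDICT_RE.search(recs.get("AVC", ""))
        sc = {k: v.strip('"') for k, v in FIELD_RE.findall(recs.get("SYSCALL", ""))}
        if not verdict or sc.get("arch") != "c000003e":
            continue  # not an execmem event, or no x86_64 SYSCALL record to decode
        name = PROT_SYSCALLS.get(int(sc["syscall"]))
        if name is None:
            continue  # syscall does not take a protection mask in a2
        prot = int(sc["a2"], 16)  # audit logs syscall arguments in hex
        findings.append({"event": event_id, "verdict": verdict.group(1),
                         "exe": sc["exe"], "syscall": name, "prot": decode_prot(prot),
                         "wx": (prot & 0x6) == 0x6})  # writable and executable at once
    return findings

if __name__ == "__main__":
    for finding in execmem_events(SAMPLE):
        print(finding)
```

Run against a full audit.log, the same function also reports `denied` verdicts, which is the case to look for when enforcing mode blocks an application.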