Re: SELinux and NSS [was: Problem with NSS update - Firefox, Evolution]

Jonathan Berry wrote:
On 1/28/06, Jonathan Berry <berryja@xxxxxxxxx> wrote:
On 1/28/06, Jonathan Berry <berryja@xxxxxxxxx> wrote:
setsebool -P allow_execmem=1
Hi all,

I just installed FC5T2 x86_64 to test it out.  Install went smoothly
and I just finished up all the updates.   I seem to be having an issue
with the NSS update:
# grep -i nss /var/log/yum.log
Jan 28 00:06:03 Updated: nss.x86_64 3.11-3
Jan 28 00:07:25 Updated: nss.i386 3.11-3
Jan 28 00:20:14 Updated: nss_ldap.i386 248-1
Jan 28 00:20:18 Updated: nss_ldap.x86_64 248-1

I have seen two symptoms of some problem thus far in Firefox and
Evolution.  Firefox starts with a warning that it could not initialize
the security component (something to that effect) and gives some
statement that it could be a file permissions problem in the profile
directory.  Perms look to be okay in ~/.mozilla/firefox/ and I get no
SELinux or other messages.  Evolution flat refuses to run.  The
problem is more apparent from the command line:
$ evolution
(evolution:3437): evolution-smime-WARNING **: Failed all methods for
initializing NSS
(evolution:3437): camel-WARNING **: Failed to initialize NSS

Any ideas?  Time for a bugzilla entry? (probably after I sleep some...)
More information...

I just tried reinstalling the original nss packages and I am still
having issues.  Firefox gives the security warning and will not do any
ssl stuff (not good!) and evolution will not start.
$ rpm -qa nss{,_ldap}
nss_ldap-244-2.1.x86_64
nss-3.11-2.x86_64
nss_ldap-244-2.1.i386
nss-3.11-2.i386

I've tried rebooting and even booting the original kernel and get the
same results.  Is anyone else seeing this?

Okay, well, I keep responding to myself...

This now seems to be related to SELinux somehow.  If I issue a
"setenforce 0" command, then Firefox and SSL work just fine, Evolution
starts, and all is well.  With enforcing disabled, when I start
Firefox or Evolution, I get some "avc:  granted  { execmem }" messages
in audit.log relating to the programs.  Unfortunately, I do not get
any failure or otherwise messages in audit.log when SELinux is on. FC5T2 x86_64 fully updated as of today.
$  rpm -qa | grep selinux
libselinux-devel-1.29.6-1.x86_64
libselinux-python-1.29.6-1.x86_64
selinux-policy-2.2.8-1.noarch
selinux-policy-targeted-2.2.8-1.noarch
libselinux-1.29.6-1.x86_64
libselinux-1.29.6-1.i386

Below I will post the AVC messages that I get when starting Evolution
and Firefox with SELinux off.  I do not get any messages with SELinux
enabled (ie, enforcing).  I'll also give the ls -Z output for the NSS
stuff.  Is no one else seeing this?  Should I go ahead and bugzilla
this (now that I can actually access https, heh)?

Jonathan

Lots of info follows.

$ ls -Z `rpm -ql nss`
-rw-r--r--  root     root     system_u:object_r:lib_t          /usr/lib64/libfreebl3.chk
-rw-r--r--  root     root     system_u:object_r:lib_t          /usr/lib64/libfreebl3.so
-rw-r--r--  root     root     system_u:object_r:lib_t          /usr/lib64/libnss3.so
-rw-r--r--  root     root     system_u:object_r:lib_t          /usr/lib64/libnssckbi.so
-rw-r--r--  root     root     system_u:object_r:lib_t          /usr/lib64/libsmime3.so
-rw-r--r--  root     root     system_u:object_r:lib_t          /usr/lib64/libsoftokn3.chk
-rw-r--r--  root     root     system_u:object_r:lib_t          /usr/lib64/libsoftokn3.so
-rw-r--r--  root     root     system_u:object_r:lib_t          /usr/lib64/libssl3.so
-rw-r--r--  root     root     system_u:object_r:lib_t          /usr/lib/libfreebl3.chk
-rw-r--r--  root     root     system_u:object_r:lib_t          /usr/lib/libfreebl3.so
-rw-r--r--  root     root     system_u:object_r:lib_t          /usr/lib/libnss3.so
-rw-r--r--  root     root     system_u:object_r:lib_t          /usr/lib/libnssckbi.so
-rw-r--r--  root     root     system_u:object_r:lib_t          /usr/lib/libsmime3.so
-rw-r--r--  root     root     system_u:object_r:lib_t          /usr/lib/libsoftokn3.chk
-rw-r--r--  root     root     system_u:object_r:lib_t          /usr/lib/libsoftokn3.so
-rw-r--r--  root     root     system_u:object_r:lib_t          /usr/lib/libssl3.so

$ ls -Z `rpm -ql nss_ldap`
-rw-r--r--  root     root     system_u:object_r:etc_t          /etc/ldap.conf
-rw-r--r--  root     root     system_u:object_r:etc_t          /etc/ldap.conf
-rwxr-xr-x  root     root     system_u:object_r:lib_t          /lib64/libnss_ldap-2.3.90.so
lrwxrwxrwx  root     root     system_u:object_r:lib_t          /lib64/libnss_ldap.so.2 -> libnss_ldap-2.3.90.so
-rwxr-xr-x  root     root     system_u:object_r:lib_t          /lib64/security/pam_ldap.so
-rwxr-xr-x  root     root     system_u:object_r:lib_t          /lib/libnss_ldap-2.3.90.so
lrwxrwxrwx  root     root     system_u:object_r:lib_t          /lib/libnss_ldap.so.2 -> libnss_ldap-2.3.90.so
-rwxr-xr-x  root     root     system_u:object_r:lib_t          /lib/security/pam_ldap.so
lrwxrwxrwx  root     root     system_u:object_r:lib_t          /usr/lib64/libnss_ldap.so -> ../../lib64/libnss_ldap.so.2
lrwxrwxrwx  root     root     system_u:object_r:lib_t          /usr/lib/libnss_ldap.so -> ../../lib/libnss_ldap.so.2
[... snip tons more files with perms: -rw-r--r-- root root system_u:object_r:usr_t]

I get the following AVC messages when starting Evolution with SELinux off:
type=AVC msg=audit(1138480597.454:108): avc:  granted  { execmem } for
 pid=3745 comm="evolution" scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480597.454:108): arch=c000003e syscall=10
success=yes exit=0 a0=7fffffce9000 a1=1000 a2=1000007 a3=4 items=0
pid=3745 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500
egid=500 sgid=500 fsgid=500 comm="evolution"
exe="/usr/bin/evolution-2.6"
type=AVC msg=audit(1138480597.558:109): avc:  granted  { execmem } for
 pid=3745 comm="evolution" scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480597.558:109): arch=c000003e syscall=9
success=yes exit=1073741824 a0=0 a1=a01000 a2=7 a3=62 items=0 pid=3745
auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
sgid=500 fsgid=500 comm="evolution"
exe="/usr/bin/evolution-2.6"
type=AVC msg=audit(1138480597.590:110): avc:  granted  { execmem } for
 pid=3761 comm="evolution" scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480597.590:110): arch=c000003e syscall=9
success=yes exit=1084231680 a0=0 a1=a01000 a2=7 a3=62 items=0 pid=3761
auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
sgid=500 fsgid=500 comm="evolution"
exe="/usr/bin/evolution-2.6"
type=AVC msg=audit(1138480597.630:111): avc:  granted  { execmem } for
 pid=3745 comm="evolution" scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480597.630:111): arch=c000003e syscall=9
success=yes exit=1094721536 a0=0 a1=a01000 a2=7 a3=62 items=0 pid=3745
auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
sgid=500 fsgid=500 comm="evolution"
exe="/usr/bin/evolution-2.6"
type=AVC msg=audit(1138480598.770:112): avc:  granted  { execmem } for
 pid=3745 comm="evolution" scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480598.770:112): arch=c000003e syscall=9
success=yes exit=1105211392 a0=0 a1=a01000 a2=7 a3=62 items=0 pid=3745
auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
sgid=500 fsgid=500 comm="evolution"
exe="/usr/bin/evolution-2.6"
type=AVC msg=audit(1138480598.878:113): avc:  granted  { execmem } for
 pid=3745 comm="evolution" scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480598.878:113): arch=c000003e syscall=9
success=yes exit=1115701248 a0=0 a1=a01000 a2=7 a3=62 items=0 pid=3745
auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
sgid=500 fsgid=500 comm="evolution"
exe="/usr/bin/evolution-2.6"

I get the following AVC messages when starting Firefox with SELinux off:
type=AVC msg=audit(1138480668.242:114): avc:  granted  { execmem } for
 pid=3802 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480668.242:114): arch=c000003e syscall=10
success=yes exit=0 a0=7fffffa74000 a1=1000 a2=1000007 a3=4 items=0
pid=3802 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500
egid=500 sgid=500 fsgid=500 comm="firefox-bin"
exe="/usr/lib64/firefox-1.5/firefox-bin"
type=AVC msg=audit(1138480668.242:115): avc:  granted  { execmem } for
 pid=3802 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480668.242:115): arch=c000003e syscall=10
success=yes exit=0 a0=41403000 a1=a00000 a2=7 a3=4 items=0 pid=3802
auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
sgid=500 fsgid=500 comm="firefox-bin"
exe="/usr/lib64/firefox-1.5/firefox-bin"
type=AVC msg=audit(1138480668.242:116): avc:  granted  { execmem } for
 pid=3802 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480668.242:116): arch=c000003e syscall=10
success=yes exit=0 a0=40a02000 a1=a00000 a2=7 a3=4 items=0 pid=3802
auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
sgid=500 fsgid=500 comm="firefox-bin"
exe="/usr/lib64/firefox-1.5/firefox-bin"
type=AVC msg=audit(1138480668.242:117): avc:  granted  { execmem } for
 pid=3802 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480668.242:117): arch=c000003e syscall=10
success=yes exit=0 a0=40001000 a1=a00000 a2=7 a3=4 items=0 pid=3802
auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
sgid=500 fsgid=500 comm="firefox-bin"
exe="/usr/lib64/firefox-1.5/firefox-bin"
type=AVC msg=audit(1138480668.502:118): avc:  granted  { execmem } for
 pid=3803 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480668.502:118): arch=c000003e syscall=9
success=yes exit=1105211392 a0=0 a1=a01000 a2=7 a3=62 items=0 pid=3803
auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
sgid=500 fsgid=500 comm="firefox-bin"
exe="/usr/lib64/firefox-1.5/firefox-bin"


--
fedora-test-list mailing list
fedora-test-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-test-list
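
Added example, not part of the original post: a small triage script that pairs each execmem AVC record with the SYSCALL record sharing its audit serial and decodes the hex a2/a3 arguments, showing which calls asked for memory that is both writable and executable. The function names and flag tables are this example's own; the two sample events are Firefox records 114 and 118 from the message above with the mail line wrapping undone.

```python
import re

# x86_64 (arch=c000003e) syscall numbers seen in the records above
SYSCALLS = {9: "mmap", 10: "mprotect"}
PROT = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC",
        0x01000000: "PROT_GROWSDOWN"}
MAP = {0x02: "MAP_PRIVATE", 0x20: "MAP_ANONYMOUS", 0x40: "MAP_32BIT"}

# Records 114 and 118 from the post, one audit record per line
SAMPLE = """\
type=AVC msg=audit(1138480668.242:114): avc:  granted  { execmem } for  pid=3802 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480668.242:114): arch=c000003e syscall=10 success=yes exit=0 a0=7fffffa74000 a1=1000 a2=1000007 a3=4 items=0 pid=3802 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="firefox-bin" exe="/usr/lib64/firefox-1.5/firefox-bin"
type=AVC msg=audit(1138480668.502:118): avc:  granted  { execmem } for  pid=3803 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480668.502:118): arch=c000003e syscall=9 success=yes exit=1105211392 a0=0 a1=a01000 a2=7 a3=62 items=0 pid=3803 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="firefox-bin" exe="/usr/lib64/firefox-1.5/firefox-bin"
"""

EVENT = re.compile(r"type=(\w+) msg=audit\([\d.]+:(\d+)\): (.*)")

def flag_names(value, table):
    """Return the names of the bits from `table` that are set in `value`."""
    return "|".join(name for bit, name in table.items() if value & bit)

def decode_execmem(log):
    """Pair execmem AVC records with their SYSCALL record and decode it."""
    verdicts, rows = {}, []
    for line in log.splitlines():
        m = EVENT.match(line)
        if not m:
            continue
        rtype, serial, body = m.groups()
        if rtype == "AVC" and "{ execmem }" in body:
            verdicts[serial] = body.split()[1]        # "granted" or "denied"
        elif rtype == "SYSCALL" and serial in verdicts:
            f = dict(re.findall(r"(\w+)=(\S+)", body))
            name = SYSCALLS.get(int(f["syscall"]), f["syscall"])
            row = {"serial": int(serial), "result": verdicts[serial],
                   "comm": f["comm"].strip('"'), "syscall": name,
                   "prot": flag_names(int(f["a2"], 16), PROT)}  # a0..a3 are hex
            if name == "mmap":                        # a3 holds flags only for mmap
                row["map"] = flag_names(int(f["a3"], 16), MAP)
            rows.append(row)
    return rows

if __name__ == "__main__":
    for row in decode_execmem(SAMPLE):
        print(row)
```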
