-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Antonio Olivares wrote: > Dear all, > > When I try out the new firefox, setroubleshoot browser > tells me > > \begin{QUOTE} > > Summary: > > SELinux is preventing firefox from making the program > stack executable. > > Detailed Description: > > The firefox application attempted to make its stack > executable. This is a > potential security problem. This should never ever be > necessary. Stack memory is > not executable on most OSes these days and this will > not change. Executable > stack memory is one of the biggest security problems. > An execstack error might > in fact be most likely raised by malicious code. > Applications are sometimes > coded incorrectly and request this permission. The > SELinux Memory Protection > Tests > (http://people.redhat.com/drepper/selinux-mem.html) > web page explains how > to remove this requirement. If firefox does not work > and you need it to work, > you can configure SELinux temporarily to allow this > access until the application > is fixed. Please file a bug report > (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) > against this package. > > Allowing Access: > > Sometimes a library is accidentally marked with the > execstack flag, if you find > a library with this flag you can clear it with the > execstack -c LIBRARY_PATH. > Then retry your application. If the app continues to > not work, you can turn the > flag back on with execstack -s LIBRARY_PATH. > Otherwise, if you trust firefox to > run correctly, you can change the context of the > executable to > unconfined_execmem_exec_t. "chcon -t > unconfined_execmem_exec_t > '/usr/lib/firefox-3.0b3pre/firefox'" You must also > change the default file > context files on the system in order to preserve them > even on a full relabel. > "semanage fcontext -a -t unconfined_execmem_exec_t > '/usr/lib/firefox-3.0b3pre/firefox'" > > The following command will allow this access: > > chcon -t unconfined_execmem_exec_t > '/usr/lib/firefox-3.0b3pre/firefox' > > Additional Information: > > Source Context > unconfined_u:unconfined_r:unconfined_t:SystemLow- > SystemHigh > Target Context > unconfined_u:unconfined_r:unconfined_t:SystemLow- > SystemHigh > Target Objects None [ process ] > Source firefox > Source Path > /usr/lib/firefox-3.0b3pre/firefox > Port <Unknown> > Host localhost > Source RPM Packages > firefox-3.0-0.beta2.15.nightly20080130.fc9 > Target RPM Packages > Policy RPM > selinux-policy-3.2.5-24.fc9 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Enforcing > Plugin Name allow_execstack > Host Name localhost > Platform Linux localhost > 2.6.24-9.fc9 #1 SMP Tue Jan 29 > 18:08:15 EST 2008 i686 > athlon > Alert Count 2 > First Seen Fri 01 Feb 2008 05:08:54 > PM CST > Last Seen Fri 01 Feb 2008 05:08:54 > PM CST > Local ID > c4806f30-a6dc-43b0-8901-5531075795f7 > Line Numbers > > Raw Audit Messages > > host=localhost type=AVC msg=audit(1201907334.440:23): > avc: denied { execstack } for pid=2743 > comm="firefox" > scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 > tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 > tclass=process > > host=localhost type=SYSCALL > msg=audit(1201907334.440:23): arch=40000003 > syscall=125 success=no exit=-13 a0=bfd47000 a1=1000 > a2=1000007 a3=fffff000 items=0 ppid=2729 pid=2743 > auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 > egid=500 sgid=500 fsgid=500 tty=(none) comm="firefox" > exe="/usr/lib/firefox-3.0b3pre/firefox" > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 > key=(null) > > > > \end{QUOTE} > > I have done this two or three time so that I can use > firefox-beta 3, is this by design or will it > eventually be incorporated. > > If I decide to file a bug report, should it be against > firefox, selinux-policy? > > see here > ---------- > The firefox application attempted to make its stack > executable. This is a potential security problem. This > should never ever be necessary. Stack memory is not > executable on most OSes these days and this will not > change. Executable stack memory is one of the biggest > security problems. An execstack error might in fact be > most likely raised by malicious code. Applications are > sometimes coded incorrectly and request this > permission. The SELinux Memory Protection Tests web > page explains how to remove this requirement. If > firefox does not work and you need it to work, you can > configure SELinux temporarily to allow this access > until the application is fixed. Please file a bug > report against this package. > > firefox. It is doing something that it should not do and is quite dangerous. > Thanks, > > Antonio > > > ____________________________________________________________________________________ > Be a better friend, newshound, and > know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ > > -- > fedora-selinux-list mailing list > fedora-selinux-list@xxxxxxxxxx > https://www.redhat.com/mailman/listinfo/fedora-selinux-list -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkej5aYACgkQrlYvE4MpobMgvwCfYPpUZfHbLlZTm6zYGT5x+rmE CDAAn2y7SjdnAR0SWYjPl15TsS35svk8 =pzlp -----END PGP SIGNATURE----- -- fedora-test-list mailing list fedora-test-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-test-list