384172 - Updated builds to latest trunk crashes with selinux error while loading shared library: /opt/firefox/libxul.so

Status: RESOLVED FIXED

(Core :: Internationalization, defect)

Description

[Carsten Book [:Tomcat]]

The updated nightlies (via Software Update) on Linux from yesterdays trunk build to the latest trunk build crashs with error message :

/opt/firefox/firefox-bin: error while loading shared libraries: /opt/firefox/libxul.so: cannot restore segment prot after reloc: Permission denied

Reproduced with Fedora F7

Steps to reproduce:
Install the nightly from yesterday
Update via AUS to the latest trunk
Crash on restart after the update is applied

Comment 1

[Zach Lipton [:zach]]

This error is an selinux error. I'm assuming libxul related fallout. 

Comment 2

[u279076]

I have done some testing on all platforms is this is what I have found:

Mac OSX:
--------
200706011 -> 20070612 via Check For Updates: no problems
200706011 -> 20070612 via Clean Install: no problems

Linux (Fedora 7):
-----------------
200706011 -> 20070612 via Check For Updates: 
/firefox-bin: error while loading shared libraries: /libxul.so: cannot restore
segment prot after reloc: Permission
denied

200706011 -> 20070612 via Clean Install: no problems

Linux (Kubuntu 7.04):
---------------------
200706011 -> 20070612 via Check For Updates: Seg-fault
200706011 -> 20070612 via Clean Install: no problems

Windows Vista:
--------------
200706011 -> 20070612 via Check For Updates: Mozilla crash reporter dialog
200706011 -> 20070612 via Clean Install: no problems

Windows XP SP2:
---------------
200706011 -> 20070612 via Check For Updates: Mozilla crash reporter dialog
200706011 -> 20070612 via Clean Install: firefox.exe process hangs in task
manager

Comment 3

[Benjamin Smedberg]

Can somebody please check the build from fx-linux-tbox after the libxul landing, which I believe is this one: http://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/fx-linux-tbox-trunk/

fx-linux-tbox will become the new nightly build and should have the correct relocatable sections

Comment 4

[Carsten Book [:Tomcat]]

the Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9a6pre) Gecko/2007061211 Minefield/3.0a6pre build (its the one from the tbox) starts without problems here.

Comment 5

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

If my memory is correct, the problem is the R_386_PC32 relocations, which are for a bunch of _moz_cairo_* functions, according to objdump -R libxul.so | grep R_386_PC32.

Comment 6

[(not reading, please use seth@sspitzer.org instead)]

see also bug #384179

Comment 7

[Benjamin Smedberg]

marking this fixed by bug 384150, switching to fx-linux-tbox

Comment 9

[Carsten Book [:Tomcat]]

its back with the latest trunk build on Fedora F7:

Its only working when i enter chcon -t textrel_shlib_t /opt/firefox/libxul.so into the terminal

/opt/firefox/firefox-bin: error while loading shared libraries: /opt/firefox/libxul.so: cannot restore segment prot after reloc: Permission denied

Summary
SELinux is preventing /opt/firefox/firefox-bin from loading
/opt/firefox/libxul.so which requires text relocation.

Detailed Description
The /opt/firefox/firefox-bin application attempted to load
/opt/firefox/libxul.so which requires text relocation. This is a potential
security problem. Most libraries do not need this permission. Libraries are
sometimes coded incorrectly and request this permission. The
http://people.redhat.com/drepper/selinux-mem.html web page explains how to
remove this requirement. You can configure SELinux temporarily to allow
/opt/firefox/libxul.so to use relocation as a workaround, until the library
is fixed. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
against this package.

Allowing Access
If you trust /opt/firefox/libxul.so to run correctly, you can change the
file context to textrel_shlib_t. "chcon -t textrel_shlib_t
/opt/firefox/libxul.so"

The following command will allow this access:
chcon -t textrel_shlib_t /opt/firefox/libxul.so

Additional Information

Source Context root:system_r:unconfined_t:SystemLow-SystemHigh
Target Context root:object_r:usr_t
Target Objects /opt/firefox/libxul.so [ file ]
Affected RPM Packages
Policy RPM selinux-policy-2.6.4-26.fc7
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.allow_execmod
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.21-1.3228.fc7 #1
SMP Tue Jun 12 15:37:31 EDT 2007 i686 i686
Alert Count 4
First Seen Tue 12 Jun 2007 08:01:40 PM CEST
Last Seen Fri 20 Jul 2007 01:36:29 AM CEST
Local ID 66ffcda0-6838-4fde-91d4-84ac44647af9
Line Numbers

Raw Audit Messages

avc: denied { execmod } for comm="firefox-bin" dev=dm-0 egid=0 euid=0
exe="/opt/firefox/firefox-bin" exit=-13 fsgid=0 fsuid=0 gid=0 items=0
name="libxul.so" path="/opt/firefox/libxul.so" pid=11074
scontext=root:system_r:unconfined_t:s0-s0:c0.c1023 sgid=0
subj=root:system_r:unconfined_t:s0-s0:c0.c1023 suid=0 tclass=file
tcontext=root:object_r:usr_t:s0 tty=pts0 uid=0

Comment 10

[(not currently active) Ted Mielczarek]

With today's nightly:

objdump -R libxul.so | grep R_386_PC32
0025cba3 R_386_PC32        pango_get_log_attrs
0025cc53 R_386_PC32        pango_language_from_string

Comment 11

[(not currently active) Ted Mielczarek]

Looks like that's from bug 336959.

Comment 12

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

If bug 359336 were fixed, we'd have seen:

/usr/bin/ld: ../lwbrk/src/liblwbrk_s.a(nsPangoBreaker.o): relocation R_X86_64_PC
32 against `pango_language_from_string' can not be used when making a shared obj
ect; recompile with -fPIC
/usr/bin/ld: final link failed: Bad value
collect2: ld returned 1 exit status
gmake[5]: *** [libi18n.so] Error 1

Comment 13

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

Looks like it's being tracked in bug 336959, though.

Comment 14

[Carsten Book [:Tomcat]]

still happend again today with Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9a8pre) Gecko/2007090404 Minefield/3.0a8pre under Fedora F7

[root@localhost ~]# /opt/firefox/firefox
/opt/firefox/firefox-bin: error while loading shared libraries: /opt/firefox/libxul.so: cannot restore segment prot after reloc: Permission denied


    SELinux is preventing /opt/firefox/firefox-bin from loading
    /opt/firefox/libxul.so which requires text relocation.

Raw Audit Messages            

avc: denied { execmod } for comm="firefox-bin" dev=dm-0 egid=0 euid=0
exe="/opt/firefox/firefox-bin" exit=-13 fsgid=0 fsuid=0 gid=0 items=0
name="libxul.so" path="/opt/firefox/libxul.so" pid=2776
scontext=root:system_r:unconfined_t:s0-s0:c0.c1023 sgid=0
subj=root:system_r:unconfined_t:s0-s0:c0.c1023 suid=0 tclass=file
tcontext=root:object_r:usr_t:s0 tty=pts0 uid=0

Comment 15

[Carsten Book [:Tomcat]]

reopen because i see this again with 2007090404

Comment 16

[Theppitak Karoonboonyanan]

Attachment: Patch fixing build flags

Probably, I should have adjusted the build flags in my patch for Bug 336969.

Comment 17

[Reed Loden [:reed]]

re-requesting blocking+ since it got lost due to the move.

Comment 18

[Reed Loden [:reed]]

Comment on attachment 279691 [details] [diff] [review]
Patch fixing build flags

Fallout from bug 336959.

Comment 19

[Reed Loden [:reed]]

Checking in intl/build/Makefile.in;
/cvsroot/mozilla/intl/build/Makefile.in,v  <--  Makefile.in
new revision: 1.25; previous revision: 1.24
done
Checking in intl/lwbrk/src/Makefile.in;
/cvsroot/mozilla/intl/lwbrk/src/Makefile.in,v  <--  Makefile.in
new revision: 1.40; previous revision: 1.39
done