Closed
Bug 319913
Opened 19 years ago
Closed 14 years ago
firefox and selinux
Categories
(Firefox :: Security, defect)
RESOLVED
WORKSFORME
People
(Reporter: dravet, Unassigned)
Details
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051129 Fedora/1.5-1 Firefox/1.5
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051129 Fedora/1.5-1 Firefox/1.5

I am sorry if this is not the correct area to post but none of the other options seemed to fit. Recent selinux 2.x policies have turned off allow_execmem, allow_execmod, allow_execheap for unconfined_t. This exposes problems with applications and makes them more secure. See http://people.redhat.com/drepper/selinux-mem.html for the details. Since I started using the 2.x selinux policies I see the avcs in the audit.log:

type=AVC msg=audit(1134344923.564:81): avc: denied { execmem } for pid=2468 comm="firefox-bin" scontext=root:system_r:unconfined_t:s0-s0:c0.c255 tcontext=root:system_r:unconfined_t:s0-s0:c0.c255 tclass=process
type=SYSCALL msg=audit(1134344923.564:81): arch=40000003 syscall=125 success=no exit=-13 a0=bfcc0000 a1=1000 a2=1000007 a3=b93000 items=0 pid=2468 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="firefox-bin" exe="/usr/lib/firefox-1.5/firefox-bin"

I see these messages dozens of times when I am surfing. Firefox works, but it fills my audit.log. I am running Fedora Core 5 Test1. Just an FYI.

Thanks,
Jason

Reproducible: Always

Steps to Reproduce:
1. install recent 2.x selinux policies
2. run firefox
3. look in /var/log/audit/audit.log

Actual Results:
I see the avc messages in my audit.log

Expected Results:
There should be no avcs from firefox.
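An added example, not part of the original report: a small triage script that pairs the AVC and SYSCALL records sharing one audit event id and decodes what was requested. It assumes the i386 syscall numbers that go with arch=40000003 (125 is mprotect, 192 is mmap2) and uses an abridged copy of the two records above as constructed sample input; the function and constant names are illustrative.

```python
import re

# Constructed sample: the two records from the report above, abridged (one audit event).
SAMPLE = (
    'type=AVC msg=audit(1134344923.564:81): avc: denied { execmem } for pid=2468 '
    'comm="firefox-bin" scontext=root:system_r:unconfined_t:s0-s0:c0.c255 '
    'tcontext=root:system_r:unconfined_t:s0-s0:c0.c255 tclass=process\n'
    'type=SYSCALL msg=audit(1134344923.564:81): arch=40000003 syscall=125 success=no '
    'exit=-13 a0=bfcc0000 a1=1000 a2=1000007 a3=b93000 items=0 pid=2468 '
    'comm="firefox-bin" exe="/usr/lib/firefox-1.5/firefox-bin"\n'
)

AUDIT_ARCH_I386 = "40000003"
# i386 syscalls whose third argument (a2) is the requested protection.
I386_PROT_SYSCALLS = {125: "mprotect", 192: "mmap2"}
PROT_BITS = [(0x1, "PROT_READ"), (0x2, "PROT_WRITE"), (0x4, "PROT_EXEC"),
             (0x01000000, "PROT_GROWSDOWN"), (0x02000000, "PROT_GROWSUP")]

EVENT_ID = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
DENIED = re.compile(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def correlate(log_text):
    """Group AVC and SYSCALL records by audit event id and decode the request."""
    events = {}
    for line in log_text.splitlines():
        event_id = EVENT_ID.search(line)
        if not event_id:
            continue
        event = events.setdefault(event_id.group(1), {})
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        denied = DENIED.search(line)
        if fields.get("type") == "AVC" and denied:
            event["denied"] = denied.group(1).split()
            event["scontext"] = fields.get("scontext")
        elif fields.get("type") == "SYSCALL":
            event["exe"] = fields.get("exe")
            nr = int(fields["syscall"])
            known = fields.get("arch") == AUDIT_ARCH_I386
            name = I386_PROT_SYSCALLS.get(nr) if known else None
            event["syscall"] = name or f"syscall {nr}"
            if name:  # a0 = address, a1 = length, a2 = prot (hex in audit records)
                prot = int(fields["a2"], 16)
                event["addr"] = int(fields["a0"], 16)
                event["prot"] = [n for bit, n in PROT_BITS if prot & bit]
    return events


if __name__ == "__main__":
    for event_id, event in correlate(SAMPLE).items():
        print(event_id, event)
```

For the reported event, a2=1000007 decodes to an mprotect request for read, write and execute with PROT_GROWSDOWN set, which is the request the execmem check refused.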
Comment 1•18 years ago
I have the same problem. For a start, try disabling Talkback. It doesn't make all the audit messages go away, but it eliminates many of them.

Extra note for Firefox developers: I did some digging with /usr/bin/readelf and libqfaservices.so has an executable ELF stack and the talkback executable lacks a ".note.GNU-STACK" ELF section header, both of which *will* cause SELinux to fault with execstack errors (see <http://www.gentoo.org/proj/en/hardened/gnu-stack.xml>).

-Jonathan

(In reply to comment #0)
> User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8)
> Gecko/20051129 Fedora/1.5-1 Firefox/1.5
> Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8)
> Gecko/20051129 Fedora/1.5-1 Firefox/1.5
>
> I am sorry if this is not the correct area to post but none of the other
> options seemed to fit. Recent selinux 2.x policies have turned off
> allow_execmem, allow_execmod, allow_execheap for unconfined_t. This exposes
> problems with applications and makes them more secure. See
> http://people.redhat.com/drepper/selinux-mem.html for the details. Since I
> started using the 2.x selinux policies I see the avcs in the audit.log:
> type=AVC msg=audit(1134344923.564:81): avc: denied { execmem } for pid=2468
> comm="firefox-bin" scontext=root:system_r:unconfined_t:s0-s0:c0.c255
> tcontext=root:system_r:unconfined_t:s0-s0:c0.c255 tclass=process
> type=SYSCALL msg=audit(1134344923.564:81): arch=40000003 syscall=125 success=no
> exit=-13 a0=bfcc0000 a1=1000 a2=1000007 a3=b93000 items=0 pid=2468 auid=0 uid=0
> gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="firefox-bin"
> exe="/usr/lib/firefox-1.5/firefox-bin"
>
> I see these messages dozens of times when I am surfing. Firefox works, but it
> fills my audit.log. I am running Fedora Core 5 Test1 Just an FYI.
>
> Thanks,
> Jason
>
> Reproducible: Always
>
> Steps to Reproduce:
> 1. install recent 2.x selinux policies
> 2. run firefox
> 3. look in /var/log/audit/audit.log
>
> Actual Results:
> I see the avc messages in my audit.log
>
> Expected Results:
> There should be no avcs from firefox.
>
Comment 2•17 years ago
In BonEcho on Fedora 7 I see:

SELinux is preventing firefox-bin from loading pathtofirefox/extensions/talkback@mozilla.org/components/libqfaservices.so which requires text relocation.

It says

chcon -t textrel_shlib_t pathtofirefox/extensions/talkback@mozilla.org/components/libqfaservices.so

will allow it. This will not be fixed since talkback is closed source. Moving this bug to Firefox 2.

I think my Fedora 7 has /etc/selinux/targeted/policy/policy.21

Window, dvedtiz, jesse: do you think a tracking bug on Minefield and dependent bugs for each policy violation would be a good idea?
Version: unspecified → 2.0 Branch
Comment 3•17 years ago
fwiw, I don't see any selinux audit failures in my preliminary running of minefield.
Comment 4•17 years ago
Filed Bug 405667 on Fedora 8 Minefield libmozgnome.so text relocation issue.
Comment 5•14 years ago
This bug was reported on Firefox 2.x or older, which is no longer supported and will not be receiving any more updates. I strongly suggest that you update to Firefox 3.6.3 or later, update your plugins (flash, adobe, etc.), and retest in a new profile. If you still see the issue with the updated Firefox, please post here. Otherwise, please close as RESOLVED > WORKSFORME

http://www.mozilla.com
http://support.mozilla.com/kb/Managing+profiles
http://support.mozilla.com/kb/Safe+mode
Comment 6•14 years ago
Fedora 8 is no longer supported and runs 3.6.x with new crashreporter anyway.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → WORKSFORME