Closed Bug 319913 Opened 19 years ago Closed 14 years ago

firefox and selinux

Categories

(Firefox :: Security, defect)

Product:
Firefox
Component:
Security
Version:
2.0 Branch
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: dravet, Unassigned)

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051129 Fedora/1.5-1 Firefox/1.5
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051129 Fedora/1.5-1 Firefox/1.5

I am sorry if this is not the correct area to post but none of the other options seemed to fit.  Recent selinux 2.x policies have turned off allow_execmem, allow_execmod, allow_execheap for unconfined_t.  This exposes problems with applications and makes them more secure.  See http://people.redhat.com/drepper/selinux-mem.html for the details.  Since I started using the 2.x selinux policies I see the avcs in the audit.log:
type=AVC msg=audit(1134344923.564:81): avc:  denied  { execmem } for  pid=2468 comm="firefox-bin" scontext=root:system_r:unconfined_t:s0-s0:c0.c255 tcontext=root:system_r:unconfined_t:s0-s0:c0.c255 tclass=process
type=SYSCALL msg=audit(1134344923.564:81): arch=40000003 syscall=125 success=no exit=-13 a0=bfcc0000 a1=1000 a2=1000007 a3=b93000 items=0 pid=2468 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="firefox-bin" exe="/usr/lib/firefox-1.5/firefox-bin"

I see these messages dozens of times when I am surfing.  Firefox works, but it fills my audit.log.  I am running Fedora Core 5 Test1  Just an FYI.

Thanks,
Jason

Reproducible: Always

Steps to Reproduce:
1.  install recent 2.x selinux policies
2.  run firefox
3.  look in /var/log/audit/audit.log

Actual Results:  
I see the avc messages in my audit.log

Expected Results:  
There should be no avcs from firefox.
I have the same problem.  For a start, try disabling Talkback.  It doesn't make all the audit messages go away, but it eliminates many of them.

Extra note for Firefox developers:
I did some digging with /usr/bin/readelf and libqfaservices.so has an executable ELF stack and the talkback executable lacks a ".note.GNU-STACK" ELF section header, both of which *will* cause SELinux to fault with execstack errors (see <http://www.gentoo.org/proj/en/hardened/gnu-stack.xml>).

-Jonathan

(In reply to comment #0)
> User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8)
> Gecko/20051129 Fedora/1.5-1 Firefox/1.5
> Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8)
> Gecko/20051129 Fedora/1.5-1 Firefox/1.5
> 
> I am sorry if this is not the correct area to post but none of the other
> options seemed to fit.  Recent selinux 2.x policies have turned off
> allow_execmem, allow_execmod, allow_execheap for unconfined_t.  This exposes
> problems with applications and makes them more secure.  See
> http://people.redhat.com/drepper/selinux-mem.html for the details.  Since I
> started using the 2.x selinux policies I see the avcs in the audit.log:
> type=AVC msg=audit(1134344923.564:81): avc:  denied  { execmem } for  pid=2468
> comm="firefox-bin" scontext=root:system_r:unconfined_t:s0-s0:c0.c255
> tcontext=root:system_r:unconfined_t:s0-s0:c0.c255 tclass=process
> type=SYSCALL msg=audit(1134344923.564:81): arch=40000003 syscall=125 success=no
> exit=-13 a0=bfcc0000 a1=1000 a2=1000007 a3=b93000 items=0 pid=2468 auid=0 uid=0
> gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="firefox-bin"
> exe="/usr/lib/firefox-1.5/firefox-bin"
> 
> I see these messages dozens of times when I am surfing.  Firefox works, but it
> fills my audit.log.  I am running Fedora Core 5 Test1  Just an FYI.
> 
> Thanks,
> Jason
> 
> Reproducible: Always
> 
> Steps to Reproduce:
> 1.  install recent 2.x selinux policies
> 2.  run firefox
> 3.  look in /var/log/audit/audit.log
> 
> Actual Results:  
> I see the avc messages in my audit.log
> 
> Expected Results:  
> There should be no avcs from firefox.
> 


In BonEcho on Fedora 7 I see:

    SELinux is preventing firefox-bin from loading pathtofirefox/extensions/talkback@mozilla.org/components/libqfaservices.so which requires text relocation.

It says 

chcon -t textrel_shlib_t pathtofirefox/extensions/talkback@mozilla.org/components/libqfaservices.so

will allow it. This will not be fixed since talkback is closed source. Moving this bug to Firefox 2. 

I think my Fedora 7 has /etc/selinux/targeted/policy/policy.21

Window, dvedtiz, jesse: do you think a tracking bug on Minefield and dependent bugs for each policy violation would be a good idea?
Version: unspecified → 2.0 Branch
fwiw, I don't see any selinux audit failures in my preliminary running of minefield.
Filed Bug 405667 on Fedora 8 Minefield libmozgnome.so text relocation issue.
This bug was reported on Firefox 2.x or older, which is no longer supported and will not be receiving any more updates. I strongly suggest that you update to Firefox 3.6.3 or later, update your plugins (flash, adobe, etc.), and retest in a new profile. If you still see the issue with the updated Firefox, please post here. Otherwise, please close as RESOLVED > WORKSFORME
http://www.mozilla.com
http://support.mozilla.com/kb/Managing+profiles
http://support.mozilla.com/kb/Safe+mode
Fedora 8 is no longer supported and runs 3.6.x with new crashreporter anyway.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.