Closed Bug 368136 Opened 19 years ago Closed 18 years ago

Thunderbird will not start if SELinux is installed.

Categories

(Thunderbird :: General, defect)

x86
Linux
defect
Not set
critical

Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: jstott, Assigned: mscott)

Details

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.1) Gecko/20061208 Firefox/2.0.0.1
Build Identifier: Version 3 alpha 1 (20070124)

I'm running a Debian/Linux system with the SELinux package [Security Enhanced Linux, from the Debian testing branch] installed. Security policy is Debian's default "targeted" policy.

If SELinux is enabled, Thunderbird fails to start. The program aborts (or is killed) without opening any windows and without printing any error messages. Talkback never gets a chance to run.

SELinux logs the following syslog message:

audit(1169687371.517:28): avc: denied { execmem } for pid=2969 comm="thunderbird-bin" scontext=user_u:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=user_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process

Disabling SELinux restores normal Thunderbird operation.

This problem affects both version 1.5.0.9 and the current nightly build.

Fundamentally, the issue would seem to be the same as reported in Firefox Bug #319913, except where Firefox generates log messages (which I'm also seeing) but still operates, Thunderbird is completely disabled.

Reproducible: Always

Steps to Reproduce:
1. Enable SELinux ["echo 1 > /selinux/enforcing" if needed]
2. /usr/local/bin/thunderbird

Actual Results:
Program fails to start.

Expected Results:
Program should have run.
The same thing happens on FC6. This is the error message of the Fedora SELinux trouble shooter program:

------------------------------------------------------------------------------
Summary
SELinux is preventing /opt/thunderbird/thunderbird-bin from changing a writable memory segment executable.

Detailed Description
The /opt/thunderbird/thunderbird-bin application attempted to change the access protection of memory (e,g., allocated using malloc). This is a potential security problem. Applications should not be doing this. Applications are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests web page explains how to remove this requirement. If /opt/thunderbird/thunderbird-bin does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a bug report against this package.

Allowing Access
If you trust /opt/thunderbird/thunderbird-bin to run correctly, you can change the context of the executable to unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t /opt/thunderbird/thunderbird-bin".

The following command will allow this access:
chcon -t unconfined_execmem_exec_t /opt/thunderbird/thunderbird-bin

Additional Information
Source Context: user_u:system_r:unconfined_t
Target Context: user_u:system_r:unconfined_t
Target Objects: None [ process ]
Affected RPM Packages:
Policy RPM: selinux-policy-2.4.6-62.fc6
Selinux Enabled: True
Policy Type: targeted
MLSEnabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.allow_execmem
Host Name: localhost
Platform: Linux localhost 2.6.20-1.2948.fc6 #1 SMP Fri Apr 27 18:53:15 EDT 2007 i686 i686
Alert Count: 319
Line Numbers:

Raw Audit Messages :
avc: denied { execmem } for comm="thunderbird-bin" egid=500 euid=500 exe="/opt/thunderbird/thunderbird-bin" exit=-13 fsgid=500 fsuid=500 gid=500 items=0 pid=1581 scontext=user_u:system_r:unconfined_t:s0 sgid=500 subj=user_u:system_r:unconfined_t:s0 suid=500 tclass=process tcontext=user_u:system_r:unconfined_t:s0 tty=(none) uid=500
------------------------------------------------------------------------

It would be a nice thing if this could be resolved in a way where SELinux still could look out for strange usage of memory, instead of just making it unconfined_execmem_exec_t as the Fedora error report suggests. Mail clients and web clients are a natural entry point for malware, so we should be very careful when deciding what to allow.
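An added example, not part of the bug report and not code from Mozilla or the SELinux project: a small parser that accepts both AVC record forms quoted in the two comments above and picks out denials of executable-memory permissions on the process class. The function names and the third sample record are constructed for illustration.

```python
import re

# The two denial records quoted in the comments above, plus one constructed
# non-matching record (the last entry) to show what the filter ignores.
SAMPLE_LINES = [
    'audit(1169687371.517:28): avc: denied { execmem } for pid=2969 '
    'comm="thunderbird-bin" scontext=user_u:system_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=user_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process',
    'avc: denied { execmem } for comm="thunderbird-bin" egid=500 euid=500 '
    'exe="/opt/thunderbird/thunderbird-bin" exit=-13 fsgid=500 fsuid=500 gid=500 '
    'items=0 pid=1581 scontext=user_u:system_r:unconfined_t:s0 sgid=500 '
    'subj=user_u:system_r:unconfined_t:s0 suid=500 tclass=process '
    'tcontext=user_u:system_r:unconfined_t:s0 tty=(none) uid=500',
    'avc: denied { read } for pid=4242 comm="example" name="example.conf" '
    'scontext=user_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 '
    'tclass=file',  # constructed sample, not from the bug report
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Process-class permissions that SELinux uses for memory-protection checks.
MEMORY_PERMS = {"execmem", "execstack", "execheap"}

def parse_avc(line):
    """Return the key=value fields of an AVC denial as a dict, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {key: value.strip('"') for key, value in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = set(m.group("perms").split())
    return rec

def memory_protection_denials(lines):
    """Summarise denials where a process asked for executable memory."""
    hits = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec.get("tclass") != "process":
            continue
        denied = sorted(rec["perms"] & MEMORY_PERMS)
        if denied:
            hits.append({
                "comm": rec.get("comm"),
                "pid": int(rec["pid"]) if "pid" in rec else None,
                "exe": rec.get("exe"),  # only present in full audit records
                "domain": rec.get("scontext", "::").split(":")[2],
                "denied": denied,
            })
    return hits
```

Calling `memory_protection_denials(SAMPLE_LINES)` returns one summary per execmem denial; the syslog form carries no `exe=` field, so the binary path is only available from the full audit record.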
Thunderbird 2 nightlies work for me with Fedora 8 and SELinux enforcing, targeted. Can you try with a recent build to reproduce?
(In reply to comment #2)
> Thunderbird 2 nightlies work for me with Fedora 8 and SELinux enforcing,
> targeted. Can you try with a recent build to reproduce?

Works for Bob and there's been no other information for 4 months. -> incomplete.

Please feel free to comment if the issue still occurs in the latest supported Thunderbird version 2.0.0.12 or trunk nightlies.
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → INCOMPLETE