Firefox 3.6.4 will not start on Fedora 12+ due to SELinux permission error




9 years ago
a year ago


(Reporter: zzxc, Unassigned)


1.9.2 Branch

Firefox Tracking Flags

(blocking1.9.2 -, status1.9.2 wanted)




9 years ago
Firefox 3.6.4 and newer (including current trunk builds) will not start on Fedora 12 due to the following SELinux permission error:

/opt/firefox/firefox-bin: error while loading shared libraries: /opt/firefox/ cannot restore segment prot after reloc: Permission denied

Enabling the execmod privilege on is a workaround to the problem.  This can be accomplished with the command:

chcon -t textrel_shlib_t /path/to/firefox/


9 years ago
See Also: → bug 506693

Comment 1

9 years ago
Is this Mozilla official builds only? I'm pretty sure that the distro builds, which use newer compilers, don't have this problem.

Somebody needs to use readelf to figure out what symbol is generating the text relocation.

Comment 2

9 years ago
Official Firefox 3.6.4 packages don't yet exist for Fedora, but I can't find a related bug on
Duplicate of this bug: 574365


9 years ago
Duplicate of this bug: 575111
blocking1.9.2: --- → ?
status1.9.2: --- → ?
Not "blocking" but will look at approving an appropriate patch when this is fixed on the trunk.
blocking1.9.2: ? → -
status1.9.2: ? → wanted

Comment 6

9 years ago
readelf -r shows the following relocation types:


Of these, R_386_PC32 is the only really odd-looking one. 3.6.6 has a set of these, and Minefield x86 builds only have two (both relocations to rand()).
Duplicate of this bug: 577585
I've got the same issue on CentOS 5.5 with SELinux enabled.
Could you please fix it so that Firefox runs under SELinux without any SELinux tweaks needed (such as enabling execmod)?  I don't want to enable execmod as it would decrease security of my system.

Comment 11

8 years ago
Indeed this is a problem, as every upgrade of Firefox results in subsequent failed invocations, when SELinux is in enforce mode, a la CentOS 5.5 (i.e., "me too" to comment 9).

FYI, one can establish a local policy to allow execmod, by following the recipe at, Q: I have some avc denials that I would like to allow, how do I do this? 

Your local.te might look like this:

    module local 1.0;

    require {
            type unconfined_t;
            type usr_t;
            class file execmod;
    }

    #============= unconfined_t ==============
    allow unconfined_t usr_t:file execmod;

Hope this helps.  /Jskud


8 years ago
Depends on: 506693

Comment 12

5 years ago
Any news regarding this more than three years old security-related issue?

Comment 13

5 years ago
Please remove the dependency on bug 506693 which has been resolved as WONTFIX.