Closed
Bug 574119
Opened 15 years ago
Closed 3 years ago
Firefox 3.6.4 will not start on Fedora 12+ due to SELinux permission error
Categories
(Core :: General, defect)
Tracking
()
RESOLVED
INCOMPLETE
People
(Reporter: zzxc, Unassigned)
References
Details
Firefox 3.6.4 and newer (including current trunk builds) will not start on Fedora 12 due to the following SELinux permission error:
/opt/firefox/firefox-bin: error while loading shared libraries: /opt/firefox/libxul.so: cannot restore segment prot after reloc: Permission denied
Enabling the execmod privilege on libxul.so is a workaround to the problem. This can be accomplished with the command:
chcon -t textrel_shlib_t /path/to/firefox/libxul.so
Comment 1•15 years ago
|
||
Is this Mozilla official builds only? I'm pretty sure that the distro builds, which use newer compilers, don't have this problem.
Somebody needs to use readelf to figure out what symbol is generating the text relocation.
Reporter | ||
Comment 2•15 years ago
|
||
Official Firefox 3.6.4 packages don't yet exist for Fedora, but I can't find a related bug on bugzilla.redhat.com.
Updated•15 years ago
|
blocking1.9.2: --- → ?
status1.9.2:
--- → ?
Comment 5•15 years ago
|
||
Not "blocking" but will look at approving an appropriate patch when this is fixed on the trunk.
blocking1.9.2: ? → -
Comment 6•15 years ago
|
||
readelf -r libxul.so shows the following relocation types:
R_386_32
R_386_GLOB_DAT
R_386_JUMP_SLOT
R_386_PC32
R_386_RELATIVE
R_386_TLS_DTPMOD3
Of these, R_386_PC32 is the only really odd-looking one. 3.6.6 has a set of these, and Minefield x86 builds only have two (both relocations to rand()).
Comment 7•14 years ago
|
||
A dupe of Bug 562029?
Comment 9•14 years ago
|
||
I've got the same issue on CentOS 5.5 with SELinux enabled.
Comment 10•14 years ago
|
||
Could you please fix it so that Firefox runs under SELinux without any SELinux tweaks needed (such as enabling execmod)? I don't want to enable execmod as it would decrease security of my system.
Comment 11•14 years ago
|
||
Indeed this is a problem, as every upgrade of Firefox results in subsequent failed invocations, when SELinux is in enforce mode, a la CentOS 5.5 (i.e., "me too" to comment 9).
FYI, one can establish a local policy to allow execmod, by following the recipe at http://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/index.html, Q: I have some avc denials that I would like to allow, how do I do this?
Your local.te might look like this:
module local 1.0;
require {
type unconfined_t;
type usr_t;
class file execmod;
}
#============= unconfined_t ==============
allow unconfined_t usr_t:file execmod;
Hope this helps. /Jskud
Comment 12•11 years ago
|
||
Any news regarding this more than three years old security-related issue?
Comment 13•11 years ago
|
||
Please remove the dependency on bug 506693 which has been resolved as WONTFIX.
Comment 14•3 years ago
|
||
Closing this as Resolved > Incomplete since the reporter cannot be contacted to confirm its repro or current state thoug
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → INCOMPLETE
You need to log in
before you can comment on or make changes to this bug.
Description
•