Closed Bug 574119 Opened 15 years ago Closed 3 years ago

Firefox 3.6.4 will not start on Fedora 12+ due to SELinux permission error

Categories

(Core :: General, defect)

1.9.2 Branch
All
Linux
defect
Not set
critical

Tracking

RESOLVED INCOMPLETE
Tracking Status
blocking1.9.2 --- -
status1.9.2 --- wanted

People

(Reporter: zzxc, Unassigned)

Details

Firefox 3.6.4 and newer (including current trunk builds) will not start on Fedora 12 due to the following SELinux permission error:
    /opt/firefox/firefox-bin: error while loading shared libraries: /opt/firefox/libxul.so: cannot restore segment prot after reloc: Permission denied
Enabling the execmod privilege on libxul.so is a workaround to the problem. This can be accomplished with the command:
    chcon -t textrel_shlib_t /path/to/firefox/libxul.so
See Also: → 506693
Is this Mozilla official builds only? I'm pretty sure that the distro builds, which use newer compilers, don't have this problem. Somebody needs to use readelf to figure out what symbol is generating the text relocation.
Official Firefox 3.6.4 packages don't yet exist for Fedora, but I can't find a related bug on bugzilla.redhat.com.
blocking1.9.2: --- → ?
status1.9.2: --- → ?
Not "blocking" but will look at approving an appropriate patch when this is fixed on the trunk.
blocking1.9.2: ? → -
readelf -r libxul.so shows the following relocation types:
    R_386_32
    R_386_GLOB_DAT
    R_386_JUMP_SLOT
    R_386_PC32
    R_386_RELATIVE
    R_386_TLS_DTPMOD3
Of these, R_386_PC32 is the only really odd-looking one. 3.6.6 has a set of these, and Minefield x86 builds only have two (both relocations to rand()).
I've got the same issue on CentOS 5.5 with SELinux enabled.
Could you please fix it so that Firefox runs under SELinux without any SELinux tweaks needed (such as enabling execmod)? I don't want to enable execmod as it would decrease security of my system.
Indeed this is a problem, as every upgrade of Firefox results in subsequent failed invocations, when SELinux is in enforce mode, a la CentOS 5.5 (i.e., "me too" to comment 9). FYI, one can establish a local policy to allow execmod, by following the recipe at http://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/index.html, Q: I have some avc denials that I would like to allow, how do I do this? Your local.te might look like this:
    module local 1.0;
    require {
        type unconfined_t;
        type usr_t;
        class file execmod;
    }
    #============= unconfined_t ==============
    allow unconfined_t usr_t:file execmod;
Hope this helps. /Jskud
Depends on: 506693
Any news regarding this more than three years old security-related issue?
Please remove the dependency on bug 506693 which has been resolved as WONTFIX.

Closing this as Resolved > Incomplete since the reporter cannot be contacted to confirm its repro or current state thoug

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → INCOMPLETE