Firefox 3.6.4 will not start on Fedora 12+ due to SELinux permission error

NEW
Unassigned

Status

Core
General
--
critical
7 years ago
4 years ago

People

(Reporter: zzxc, Unassigned)

Tracking

1.9.2 Branch
All
Linux

Firefox Tracking Flags

(blocking1.9.2 -, status1.9.2 wanted)

(Reporter)

Description

7 years ago
Firefox 3.6.4 and newer (including current trunk builds) will not start on Fedora 12 due to the following SELinux permission error:

    /opt/firefox/firefox-bin: error while loading shared libraries: /opt/firefox/libxul.so: cannot restore segment prot after reloc: Permission denied

Enabling the execmod privilege on libxul.so is a workaround to the problem.  This can be accomplished with the command:

    chcon -t textrel_shlib_t /path/to/firefox/libxul.so
(Reporter)

Updated

7 years ago
See Also: → bug 506693
Is this Mozilla official builds only? I'm pretty sure that the distro builds, which use newer compilers, don't have this problem.

Somebody needs to use readelf to figure out what symbol is generating the text relocation.
(Reporter)

Comment 2

7 years ago
Official Firefox 3.6.4 packages don't yet exist for Fedora, but I can't find a related bug on bugzilla.redhat.com.
Duplicate of this bug: 574365
Duplicate of this bug: 575111
blocking1.9.2: --- → ?
status1.9.2: --- → ?
Not "blocking" but will look at approving an appropriate patch when this is fixed on the trunk.
blocking1.9.2: ? → -
status1.9.2: ? → wanted
readelf -r libxul.so shows the following relocation types:

    R_386_32
    R_386_GLOB_DAT
    R_386_JUMP_SLOT
    R_386_PC32
    R_386_RELATIVE
    R_386_TLS_DTPMOD3

Of these, R_386_PC32 is the only really odd-looking one. 3.6.6 has a set of these, and Minefield x86 builds only have two (both relocations to rand()).
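
A first step toward the readelf investigation requested above, as an added example that is not part of the bug thread or Mozilla's code: a small Python parser that reports whether a shared library declares text relocations (DT_TEXTREL, or DF_TEXTREL in DT_FLAGS), the condition under which the loader has to re-protect the text segment and SELinux checks execmod. It goes beyond the 32-bit x86 case in this bug by also handling ELF64 and big-endian files; `has_textrel` and `sample_elf32` are hypothetical names, and the ELF32 image built by `sample_elf32` is constructed for the example.

```python
import struct
import sys

PT_DYNAMIC = 2
DT_NULL, DT_TEXTREL, DT_FLAGS = 0, 22, 30
DF_TEXTREL = 0x4

def has_textrel(data: bytes) -> bool:
    """True if the ELF image declares text relocations (DT_TEXTREL or DF_TEXTREL)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    end = "<" if data[5] == 1 else ">"       # EI_DATA: 1 = little-endian
    # word format, e_phoff / e_phentsize offsets, p_offset / p_filesz offsets, Dyn format
    if data[4] == 2:                         # EI_CLASS: 2 = ELF64
        w, phoff_at, phent_at, poff_at, psz_at, dyn = "Q", 0x20, 0x36, 8, 32, "qQ"
    else:                                    # EI_CLASS: 1 = ELF32
        w, phoff_at, phent_at, poff_at, psz_at, dyn = "I", 0x1C, 0x2A, 4, 16, "iI"
    (phoff,) = struct.unpack_from(end + w, data, phoff_at)
    phentsize, phnum = struct.unpack_from(end + "HH", data, phent_at)
    step = struct.calcsize(end + dyn)
    for i in range(phnum):
        ph = phoff + i * phentsize
        if struct.unpack_from(end + "I", data, ph)[0] != PT_DYNAMIC:
            continue
        (off,) = struct.unpack_from(end + w, data, ph + poff_at)
        (size,) = struct.unpack_from(end + w, data, ph + psz_at)
        for pos in range(off, off + size - step + 1, step):
            tag, val = struct.unpack_from(end + dyn, data, pos)
            if tag == DT_NULL:               # end of the dynamic array
                break
            if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                return True
    return False

def sample_elf32(dyn):
    """Constructed minimal ELF32 image: header, one PT_DYNAMIC phdr, dynamic entries."""
    body = b"".join(struct.pack("<iI", tag, val) for tag, val in dyn)
    ehdr = b"\x7fELF\x01\x01\x01" + bytes(9) + struct.pack(
        "<HHIIIIIHHHHHH", 3, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<8I", PT_DYNAMIC, 84, 0, 0, len(body), len(body), 6, 4)
    return ehdr + phdr + body

if __name__ == "__main__":
    for path in sys.argv[1:]:                # e.g. /path/to/firefox/libxul.so
        with open(path, "rb") as f:
            print(path, "TEXTREL" if has_textrel(f.read()) else "no TEXTREL")
```

Run against every `.so` in an install directory, this shows which files would need the `textrel_shlib_t` label and confirms when a rebuilt library no longer does.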

Comment 7

7 years ago
A dupe of Bug 562029?
Duplicate of this bug: 577585

Comment 9

7 years ago
I've got the same issue on CentOS 5.5 with SELinux enabled.

Comment 10

7 years ago
Could you please fix it so that Firefox runs under SELinux without any SELinux tweaks needed (such as enabling execmod)?  I don't want to enable execmod as it would decrease security of my system.

Comment 11

7 years ago
Indeed this is a problem, as every upgrade of Firefox results in subsequent failed invocations, when SELinux is in enforce mode, a la CentOS 5.5 (i.e., "me too" to comment 9).

FYI, one can establish a local policy to allow execmod, by following the recipe at http://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/index.html, Q: I have some avc denials that I would like to allow, how do I do this? 

Your local.te might look like this:

    module local 1.0;

    require {
            type unconfined_t;
            type usr_t;
            class file execmod;
    }

    #============= unconfined_t ==============
    allow unconfined_t usr_t:file execmod;

Hope this helps.  /Jskud

Updated

7 years ago
Depends on: 506693

Comment 12

4 years ago
Any news regarding this more than three years old security-related issue?

Comment 13

4 years ago
Please remove the dependency on bug 506693 which has been resolved as WONTFIX.