Open Bug 574119 Opened 11 years ago Updated 2 years ago

Firefox 3.6.4 will not start on Fedora 12+ due to SELinux permission error


(Core :: General, defect)

1.9.2 Branch
Not set



Tracking Status
blocking1.9.2 --- -
status1.9.2 --- wanted


(Reporter: zzxc, Unassigned)



Firefox 3.6.4 and newer (including current trunk builds) will not start on Fedora 12 due to the following SELinux permission error:

    /opt/firefox/firefox-bin: error while loading shared libraries: /opt/firefox/ cannot restore segment prot after reloc: Permission denied

Enabling the execmod privilege on is a workaround to the problem.  This can be accomplished with the command:

    chcon -t textrel_shlib_t /path/to/firefox/
See Also: → 506693
Is this Mozilla official builds only? I'm pretty sure that the distro builds, which use newer compilers, don't have this problem.

Somebody needs to use readelf to figure out what symbol is generating the text relocation.
Official Firefox 3.6.4 packages don't yet exist for Fedora, but I can't find a related bug on
Duplicate of this bug: 574365
Duplicate of this bug: 575111
blocking1.9.2: --- → ?
status1.9.2: --- → ?
Not "blocking" but will look at approving an appropriate patch when this is fixed on the trunk.
blocking1.9.2: ? → -
readelf -r shows the following relocation types:


Of these, R_386_PC32 is the only really odd-looking one. 3.6.6 has a set of these, and Minefield x86 builds only have two (both relocations to rand()).
Duplicate of this bug: 577585
I've got the same issue on CentOS 5.5 with SELinux enabled.
Could you please fix it so that Firefox runs under SELinux without any SELinux tweaks needed (such as enabling execmod)?  I don't want to enable execmod as it would decrease security of my system.
Indeed this is a problem, as every upgrade of Firefox results in subsequent failed invocations, when SELinux is in enforce mode, a la CentOS 5.5 (i.e., "me too" to comment 9).

FYI, one can establish a local policy to allow execmod, by following the recipe at, Q: I have some avc denials that I would like to allow, how do I do this? 

Your local.te might look like this:

    module local 1.0;

    require {
            type unconfined_t;
            type usr_t;
            class file execmod;
    }

    #============= unconfined_t ==============
    allow unconfined_t usr_t:file execmod;

Hope this helps.  /Jskud
Depends on: 506693
Any news regarding this more than three years old security-related issue?
Please remove the dependency on bug 506693 which has been resolved as WONTFIX.