FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora SELinux Support

 
 
LinkBack Thread Tools
 
Old 02-01-2008, 10:18 PM
Antonio Olivares
 
Default firefox3beta and selinux

Dear all,

When I try out the new firefox, setroubleshoot browser
tells me

egin{QUOTE}

Summary:

SELinux is preventing firefox from making the program
stack executable.

Detailed Description:

The firefox application attempted to make its stack
executable. This is a
potential security problem. This should never ever be
necessary. Stack memory is
not executable on most OSes these days and this will
not change. Executable
stack memory is one of the biggest security problems.
An execstack error might
in fact be most likely raised by malicious code.
Applications are sometimes
coded incorrectly and request this permission. The
SELinux Memory Protection
Tests
(http://people.redhat.com/drepper/selinux-mem.html)
web page explains how
to remove this requirement. If firefox does not work
and you need it to work,
you can configure SELinux temporarily to allow this
access until the application
is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Allowing Access:

Sometimes a library is accidentally marked with the
execstack flag, if you find
a library with this flag you can clear it with the
execstack -c LIBRARY_PATH.
Then retry your application. If the app continues to
not work, you can turn the
flag back on with execstack -s LIBRARY_PATH.
Otherwise, if you trust firefox to
run correctly, you can change the context of the
executable to
unconfined_execmem_exec_t. "chcon -t
unconfined_execmem_exec_t
'/usr/lib/firefox-3.0b3pre/firefox'" You must also
change the default file
context files on the system in order to preserve them
even on a full relabel.
"semanage fcontext -a -t unconfined_execmem_exec_t
'/usr/lib/firefox-3.0b3pre/firefox'"

The following command will allow this access:

chcon -t unconfined_execmem_exec_t
'/usr/lib/firefox-3.0b3pre/firefox'

Additional Information:

Source Context
unconfined_u:unconfined_r:unconfined_t:SystemLow-
SystemHigh
Target Context
unconfined_u:unconfined_r:unconfined_t:SystemLow-
SystemHigh
Target Objects None [ process ]
Source firefox
Source Path
/usr/lib/firefox-3.0b3pre/firefox
Port <Unknown>
Host localhost
Source RPM Packages
firefox-3.0-0.beta2.15.nightly20080130.fc9
Target RPM Packages
Policy RPM
selinux-policy-3.2.5-24.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name allow_execstack
Host Name localhost
Platform Linux localhost
2.6.24-9.fc9 #1 SMP Tue Jan 29
18:08:15 EST 2008 i686
athlon
Alert Count 2
First Seen Fri 01 Feb 2008 05:08:54
PM CST
Last Seen Fri 01 Feb 2008 05:08:54
PM CST
Local ID
c4806f30-a6dc-43b0-8901-5531075795f7
Line Numbers

Raw Audit Messages

host=localhost type=AVC msg=audit(1201907334.440:23):
avc: denied { execstack } for pid=2743
comm="firefox"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=process

host=localhost type=SYSCALL
msg=audit(1201907334.440:23): arch=40000003
syscall=125 success=no exit=-13 a0=bfd47000 a1=1000
a2=1000007 a3=fffff000 items=0 ppid=2729 pid=2743
auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500
egid=500 sgid=500 fsgid=500 tty=(none) comm="firefox"
exe="/usr/lib/firefox-3.0b3pre/firefox"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
key=(null)



end{QUOTE}

I have done this two or three time so that I can use
firefox-beta 3, is this by design or will it
eventually be incorporated.

If I decide to file a bug report, should it be against
firefox, selinux-policy?

see here
----------
The firefox application attempted to make its stack
executable. This is a potential security problem. This
should never ever be necessary. Stack memory is not
executable on most OSes these days and this will not
change. Executable stack memory is one of the biggest
security problems. An execstack error might in fact be
most likely raised by malicious code. Applications are
sometimes coded incorrectly and request this
permission. The SELinux Memory Protection Tests web
page explains how to remove this requirement. If
firefox does not work and you need it to work, you can
configure SELinux temporarily to allow this access
until the application is fixed. Please file a bug
report against this package.


Thanks,

Antonio


__________________________________________________ __________________________________
Be a better friend, newshound, and
know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 02-02-2008, 02:38 AM
Daniel J Walsh
 
Default firefox3beta and selinux

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Antonio Olivares wrote:
> Dear all,
>
> When I try out the new firefox, setroubleshoot browser
> tells me
>
> egin{QUOTE}
>
> Summary:
>
> SELinux is preventing firefox from making the program
> stack executable.
>
> Detailed Description:
>
> The firefox application attempted to make its stack
> executable. This is a
> potential security problem. This should never ever be
> necessary. Stack memory is
> not executable on most OSes these days and this will
> not change. Executable
> stack memory is one of the biggest security problems.
> An execstack error might
> in fact be most likely raised by malicious code.
> Applications are sometimes
> coded incorrectly and request this permission. The
> SELinux Memory Protection
> Tests
> (http://people.redhat.com/drepper/selinux-mem.html)
> web page explains how
> to remove this requirement. If firefox does not work
> and you need it to work,
> you can configure SELinux temporarily to allow this
> access until the application
> is fixed. Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Allowing Access:
>
> Sometimes a library is accidentally marked with the
> execstack flag, if you find
> a library with this flag you can clear it with the
> execstack -c LIBRARY_PATH.
> Then retry your application. If the app continues to
> not work, you can turn the
> flag back on with execstack -s LIBRARY_PATH.
> Otherwise, if you trust firefox to
> run correctly, you can change the context of the
> executable to
> unconfined_execmem_exec_t. "chcon -t
> unconfined_execmem_exec_t
> '/usr/lib/firefox-3.0b3pre/firefox'" You must also
> change the default file
> context files on the system in order to preserve them
> even on a full relabel.
> "semanage fcontext -a -t unconfined_execmem_exec_t
> '/usr/lib/firefox-3.0b3pre/firefox'"
>
> The following command will allow this access:
>
> chcon -t unconfined_execmem_exec_t
> '/usr/lib/firefox-3.0b3pre/firefox'
>
> Additional Information:
>
> Source Context
> unconfined_u:unconfined_r:unconfined_t:SystemLow-
> SystemHigh
> Target Context
> unconfined_u:unconfined_r:unconfined_t:SystemLow-
> SystemHigh
> Target Objects None [ process ]
> Source firefox
> Source Path
> /usr/lib/firefox-3.0b3pre/firefox
> Port <Unknown>
> Host localhost
> Source RPM Packages
> firefox-3.0-0.beta2.15.nightly20080130.fc9
> Target RPM Packages
> Policy RPM
> selinux-policy-3.2.5-24.fc9
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name allow_execstack
> Host Name localhost
> Platform Linux localhost
> 2.6.24-9.fc9 #1 SMP Tue Jan 29
> 18:08:15 EST 2008 i686
> athlon
> Alert Count 2
> First Seen Fri 01 Feb 2008 05:08:54
> PM CST
> Last Seen Fri 01 Feb 2008 05:08:54
> PM CST
> Local ID
> c4806f30-a6dc-43b0-8901-5531075795f7
> Line Numbers
>
> Raw Audit Messages
>
> host=localhost type=AVC msg=audit(1201907334.440:23):
> avc: denied { execstack } for pid=2743
> comm="firefox"
> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tclass=process
>
> host=localhost type=SYSCALL
> msg=audit(1201907334.440:23): arch=40000003
> syscall=125 success=no exit=-13 a0=bfd47000 a1=1000
> a2=1000007 a3=fffff000 items=0 ppid=2729 pid=2743
> auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500
> egid=500 sgid=500 fsgid=500 tty=(none) comm="firefox"
> exe="/usr/lib/firefox-3.0b3pre/firefox"
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> key=(null)
>
>
>
> end{QUOTE}
>
> I have done this two or three time so that I can use
> firefox-beta 3, is this by design or will it
> eventually be incorporated.
>
> If I decide to file a bug report, should it be against
> firefox, selinux-policy?
>
> see here
> ----------
> The firefox application attempted to make its stack
> executable. This is a potential security problem. This
> should never ever be necessary. Stack memory is not
> executable on most OSes these days and this will not
> change. Executable stack memory is one of the biggest
> security problems. An execstack error might in fact be
> most likely raised by malicious code. Applications are
> sometimes coded incorrectly and request this
> permission. The SELinux Memory Protection Tests web
> page explains how to remove this requirement. If
> firefox does not work and you need it to work, you can
> configure SELinux temporarily to allow this access
> until the application is fixed. Please file a bug
> report against this package.
>
>
firefox. It is doing something that it should not do and is quite
dangerous.
> Thanks,
>
> Antonio
>
>
> __________________________________________________ __________________________________
> Be a better friend, newshound, and
> know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkej5aYACgkQrlYvE4MpobMgvwCfYPpUZfHbLl ZTm6zYGT5x+rmE
CDAAn2y7SjdnAR0SWYjPl15TsS35svk8
=pzlp
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 

Thread Tools




All times are GMT. The time now is 07:00 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org