Bug#886458: firefox-esr: does not start when selinux is enforcing

Johannes Westhuis johannes.westhuis+debian at gmail.com
Sat Jan 6 09:51:21 UTC 2018 

Package: firefox-esr
Version: 52.5.3esr-1
Severity: important

Dear Maintainer,

i wanted to enforce the selinux-policy-default on my buster system.

When firefox-esr is started, the following avc is displayed in the logs:

type=AVC msg=audit(1515197400.026:656): avc:  denied  { execmem } for  pid=14251 comm="firefox-esr" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=1
	Was caused by:
	One of the following booleans was set incorrectly.
	Description:
	Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla")

	Allow access by executing:
	# setsebool -P allow_execmem 1
	Description:
	Allow unconfined executables to make their stack executable.  This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla")

	Allow access by executing:
	# setsebool -P allow_execstack 1

According to the output i'm reporting this issue.

If i use 'sudo setenforce 1', the binary dies with a segmentation fault.
The crash was reported to mozilla: https://crash-stats.mozilla.com/report/index/bp-d5b469b0-c336-43e4-b8f0-34c480180104

[~]$ gdb --args firefox-esr
GNU gdb (Debian 7.12-6+b1) 7.12.0.20161007-git
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from firefox-esr...(no debugging symbols found)...done.
(gdb) set pagination off
(gdb) run
Starting program: /usr/bin/firefox-esr
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fffe5ff2700 (LWP 17951)]
[Thread 0x7fffe5ff2700 (LWP 17951) exited]
[New Thread 0x7fffe5ff2700 (LWP 17953)]
[New Thread 0x7fffe31ff700 (LWP 17954)]
[New Thread 0x7fffe29fe700 (LWP 17955)]
[New Thread 0x7fffe21fd700 (LWP 17956)]
[New Thread 0x7fffe17ff700 (LWP 17957)]
[New Thread 0x7fffe0ffe700 (LWP 17958)]
[New Thread 0x7fffe07fd700 (LWP 17959)]
[New Thread 0x7fffdfffc700 (LWP 17960)]
[New Thread 0x7fffdf7fb700 (LWP 17961)]
[New Thread 0x7fffdeffa700 (LWP 17962)]
[New Thread 0x7fffde7f9700 (LWP 17963)]
[New Thread 0x7fffddff8700 (LWP 17964)]
[New Thread 0x7fffdd7f7700 (LWP 17965)]
Assertion failure: addr == p, at /build/firefox-esr-Tvw8OU/firefox-esr-52.5.3esr/js/src/jit/ProcessExecutableMemory.cpp:322

Thread 1 "firefox-esr" received signal SIGSEGV, Segmentation fault.
0x00007fffeb987f78 in ?? () from /usr/lib/firefox-esr/libxul.so

-- Package-specific info:

-- Extensions information
Name: Application Update Service Helper
Location: ${PROFILE_EXTENSIONS}/aushelper at mozilla.org.xpi
Status: enabled

Name: Default theme
Location: /usr/lib/firefox-esr/browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi
Package: firefox-esr
Status: enabled

Name: Multi-process staged rollout
Location: ${PROFILE_EXTENSIONS}/e10srollout at mozilla.org.xpi
Status: enabled

Name: Pocket
Location: ${PROFILE_EXTENSIONS}/firefox at getpocket.com.xpi
Status: enabled

Name: Privacy Badger
Location: ${PROFILE_EXTENSIONS}/jid1-MnnxcxisBPnSXQ at jetpack.xpi
Status: enabled

Name: uBlock Origin
Location: ${PROFILE_EXTENSIONS}/uBlock0 at raymondhill.net.xpi
Status: enabled

Name: Vimperator
Location: ${PROFILE_EXTENSIONS}/vimperator at mozdev.org.xpi
Status: enabled

Name: Web Compat
Location: ${PROFILE_EXTENSIONS}/webcompat at mozilla.org.xpi
Status: enabled

-- Plugins information
Name: GNOME Shell Integration
Location: /usr/lib/mozilla/plugins/libgnome-shell-browser-plugin.so
Package: gnome-shell
Status: enabled

Name: IcedTea-Web Plugin (using IcedTea-Web 1.6.2 (1.6.2-3.1))
Location: /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/amd64/IcedTeaPlugin.so
Package: icedtea-8-plugin:amd64
Status: enabled

Name: iTunes Application Detector
Location: /usr/lib/mozilla/plugins/librhythmbox-itms-detection-plugin.so
Package: rhythmbox-plugins
Status: enabled


-- Addons package information
ii  firefox-esr    52.5.3esr-1  amd64        Mozilla Firefox web browser - Ext
ii  gnome-shell    3.26.2-2     amd64        graphical shell for the GNOME des
ii  icedtea-8-plug 1.6.2-3.1    amd64        web browser plugin based on OpenJ
ii  rhythmbox-plug 3.4.2-1      amd64        plugins for rhythmbox music playe

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.14.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: default

Versions of packages firefox-esr depends on:
ii  debianutils               4.8.4
ii  fontconfig                2.12.6-0.1
ii  libasound2                1.1.3-5
ii  libatk1.0-0               2.26.1-2
ii  libc6                     2.25-5
ii  libcairo-gobject2         1.15.8-3
ii  libcairo2                 1.15.8-3
ii  libdbus-1-3               1.12.2-1
ii  libdbus-glib-1-2          0.108-3
ii  libevent-2.1-6            2.1.8-stable-4
ii  libffi6                   3.2.1-7
ii  libfontconfig1            2.12.6-0.1
ii  libfreetype6              2.8.1-0.1
ii  libgcc1                   1:7.2.0-18
ii  libgdk-pixbuf2.0-0        2.36.11-1
ii  libglib2.0-0              2.54.2-5
ii  libgtk-3-0                3.22.26-2
ii  libgtk2.0-0               2.24.31-5
ii  libhunspell-1.6-0         1.6.2-1
ii  libjsoncpp1               1.7.4-3
ii  libnspr4                  2:4.16-1+b1
ii  libnss3                   2:3.34-1
ii  libpango-1.0-0            1.40.14-1
ii  libsqlite3-0              3.21.0-1
ii  libstartup-notification0  0.12-5
ii  libstdc++6                7.2.0-18
ii  libvpx4                   1.6.1-3
ii  libx11-6                  2:1.6.4-3
ii  libx11-xcb1               2:1.6.4-3
ii  libxcb-shm0               1.12-1
ii  libxcb1                   1.12-1
ii  libxcomposite1            1:0.4.4-2
ii  libxdamage1               1:1.1.4-3
ii  libxext6                  2:1.3.3-1+b2
ii  libxfixes3                1:5.0.3-1
ii  libxrender1               1:0.9.10-1
ii  libxt6                    1:1.1.5-1
ii  procps                    2:3.3.12-3
ii  zlib1g                    1:1.2.8.dfsg-5

firefox-esr recommends no packages.

Versions of packages firefox-esr suggests:
ii  fonts-lmodern          2.004.5-3
pn  fonts-stix | otf-stix  <none>
ii  libcanberra0           0.30-6
ii  libgssapi-krb5-2       1.15.2-2
pn  mozplugger             <none>

-- no debconf information

More information about the pkg-mozilla-maintainers mailing list