[DSE-User] firefox-bin: avc: denied { execmem }
Frank Lin PIAT
fpiat at klabs.be
Fri May 15 11:21:29 UTC 2009
Hello,
,--[ Intro ]--
| I have been interested in SELinux for a long time, but never
| really played/used it. I am finally feeling like using it.
|
| I would like not only to learn it, but also document and share
| experiences. Typically, I think it would be nice to discuss avc
| error messages. If other ML members confirm the bug can be reproduced
| on their systems, it would be worth adding to the "SELinux/Notes"
| wiki pages, filing bugs, updating the policy...
`------------------------
Here's a first try:
OS: Debian Lenny 5.0.1 + s-p-u
Policy: targeted
Enforce: No
Every few hours, I have the following error message (processed with
audit2why):
> kernel: type=1400 audit(1242378907.724:10730):
> avc: denied { execmem } for pid=32395 comm="firefox-bin"
> scontext=unconfined_u:unconfined_r:unconfined_t:s0
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0
> tclass=process
>
> Was caused by:
> One of the following booleans was set incorrectly.
> Description:
> allow_execstack
>
> Allow access by executing:
> # setsebool -P allow_execstack 1
> Description:
> allow_execmem
>
> Allow access by executing:
> # setsebool -P allow_execmem 1
On my system:
#getsebool allow_execmem allow_execmod allow_execstack
allow_execmem --> off
allow_execmod --> off
allow_execstack --> off
Based on the report https://bugzilla.redhat.com/show_bug.cgi?id=432198
we could use:
chcon -t unconfined_execmem_exec_t /usr/lib/iceweasel/firefox-bin
Note:
ls -Z $(readlink $(which iceweasel) -f)
system_u:object_r:lib_t:s0 /usr/lib/iceweasel/iceweasel
which calls /usr/lib/iceweasel/firefox-bin
ls -Z $(readlink /usr/lib/iceweasel/firefox-bin -f)
system_u:object_r:lib_t:s0 /usr/lib/xulrunner-1.9/xulrunner-stub
* How can I know what the context ("lib_t") means?
* How can I know if it's due to a plugin (flashplugin & co)?
(Without having to disable all the plugins and wait for hours!)
* Obviously, relaxing xulrunner's security will relax other XUL
applications' security (but I can't think of any XUL application
that would be more exposed than a web browser anyway).
Franklin
BTW, Redhat seems to have a tool to prepare "Additional Information:"
for reports. Do we have something similar in Lenny?
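As an added example (not part of the post above, and not a Debian or SELinux tool): a small POSIX sh parser for AVC denial records like the one quoted, which pulls out the fields audit2why reasons about and flags the "self" executable-memory denials (execmem/execstack on tclass=process with identical source and target context) that the allow_execmem/allow_execstack booleans, or a separate execmem domain via chcon, are meant to address. The helper names and the second sample record are constructed for this example.

```sh
#!/bin/sh
# Added example: parse SELinux AVC denial records from the audit log.
# Helper names (avc_field, avc_perms, ...) are this example's own.

# Value of KEY=... in one audit record ($1 record, $2 key); quotes stripped.
avc_field() {
    printf '%s\n' "$1" |
        sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# Permission list between the braces of "avc: denied { ... }".
avc_perms() {
    printf '%s\n' "$1" |
        sed -n 's/.*avc: *denied *{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//'
}

# Type field (third colon-separated component) of a security context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Exit 0 when the record is an executable-memory denial against the
# process itself: the case audit2why maps to the allow_exec* booleans.
avc_is_self_exec() {
    case " $(avc_perms "$1") " in
        *" execmem "*|*" execstack "*) ;;
        *) return 1 ;;
    esac
    [ "$(avc_field "$1" tclass)" = process ] &&
    [ "$(avc_field "$1" scontext)" = "$(avc_field "$1" tcontext)" ]
}

# One summary line per record: comm perms pid source_type->target_type class.
avc_summary() {
    printf '%s %s pid=%s %s->%s %s\n' \
        "$(avc_field "$1" comm)" "$(avc_perms "$1")" "$(avc_field "$1" pid)" \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" "$(avc_field "$1" tclass)"
}

# Constructed sample: the denial from the post plus an unrelated file denial.
SAMPLE_AVC='kernel: type=1400 audit(1242378907.724:10730): avc: denied { execmem } for pid=32395 comm="firefox-bin" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
kernel: type=1400 audit(1242378999.001:10731): avc: denied { read } for pid=4242 comm="httpd" name="secret.conf" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

printf '%s\n' "$SAMPLE_AVC" | while IFS= read -r rec; do
    if avc_is_self_exec "$rec"; then tag="EXEC-MEM"; else tag="other"; fi
    printf '%-8s %s\n' "$tag" "$(avc_summary "$rec")"
done
```

Feed it the `avc: denied` lines from /var/log/audit/audit.log (or the kernel log when auditd is not running) to see which comm values produce the self-execmem denials before deciding between a boolean and a per-binary domain.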