[DSE-User] firefox-bin: avc: denied { execmem }

Frank Lin PIAT fpiat at klabs.be
Fri May 15 11:21:29 UTC 2009


Hello,

,--[ Intro ]--
| I have been interested in SELinux for a long time, but never 
| really played/used it. I am finally feeling like using it.
| 
| I would like not only to learn it, but also document and share 
| experiences. Typically, I think it would be nice to discuss avc
| error messages. If other ML members confirm the bug can be reproduced
| on their systems, it would be worth adding to the "SELinux/Notes"
| wiki pages, filing bugs, updating the policy...
`------------------------

Here's a first try:

OS: Debian Lenny 5.0.1 + s-p-u
Policy: targeted
Enforce: No

Every few hours, I have the following error message (processed with
audit2why):
> kernel: type=1400 audit(1242378907.724:10730): 
>   avc:  denied  { execmem } for  pid=32395 comm="firefox-bin"
>   scontext=unconfined_u:unconfined_r:unconfined_t:s0
>   tcontext=unconfined_u:unconfined_r:unconfined_t:s0
>   tclass=process
> 
>         Was caused by:
>         One of the following booleans was set incorrectly.
>         Description:
>         allow_execstack
> 
>         Allow access by executing:
>         # setsebool -P allow_execstack 1
>         Description:
>         allow_execmem
> 
>         Allow access by executing:
>         # setsebool -P allow_execmem 1

On my system:
 # getsebool allow_execmem allow_execmod allow_execstack
 allow_execmem --> off
 allow_execmod --> off
 allow_execstack --> off

Based on the report https://bugzilla.redhat.com/show_bug.cgi?id=432198 
we could use:
  chcon -t unconfined_execmem_exec_t /usr/lib/iceweasel/firefox-bin

Note:
 ls -Z $(readlink $(which iceweasel) -f)
 system_u:object_r:lib_t:s0 /usr/lib/iceweasel/iceweasel

 which calls /usr/lib/iceweasel/firefox-bin

 ls -Z $(readlink /usr/lib/iceweasel/firefox-bin -f)
 system_u:object_r:lib_t:s0 /usr/lib/xulrunner-1.9/xulrunner-stub

* How can I know what the context ("lib_t") means?
* How can I know if it's due to a plugin (flashplugin & co)?
  (Without having to disable all the plugins and wait for hours!)
* Obviously, relaxing xulrunner's security will relax other XUL
  applications' security (but I can't think of any XUL application
  that would be more exposed than a web browser anyway).

Franklin

BTW, Redhat seems to have a tool to prepare "Additional Information:"
for reports. Do we have something similar in Lenny?
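Added example, not part of the post above and not code from the Debian SELinux packages: a small Python script that parses kernel AVC records of the kind quoted in the message (one syslog line per record, as the kernel logs them), and counts them per process name, source type, target type, object class and permission, with first/last timestamps and the PIDs involved. That answers the "every few hours, which process, same context each time?" part of the question from the log alone. For execmem, execstack and execmod denials it attaches the booleans that the audit2why output in the post named; that mapping is copied from the post, not from policy, and should be checked locally with audit2why. The sample log lines are constructed: the first reproduces the denial in the post, the others are invented to exercise the summary.

```python
"""Parse SELinux AVC denial records (type=1400 audit messages) and
summarise them per process, source/target type, class and permission."""
import re
from datetime import datetime, timezone

# Constructed sample records.  The first is the denial quoted in the post;
# the remaining three are invented so the summary has something to group.
SAMPLE_LOG = """\
kernel: type=1400 audit(1242378907.724:10730): avc:  denied  { execmem } for  pid=32395 comm="firefox-bin" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
kernel: type=1400 audit(1242389472.301:10802): avc:  denied  { execmem } for  pid=1210 comm="firefox-bin" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
kernel: type=1400 audit(1242390001.500:10810): avc:  denied  { execstack } for  pid=1210 comm="firefox-bin" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
kernel: type=1400 audit(1242390100.001:10811): avc:  denied  { read } for  pid=1377 comm="cupsd" name="printers.conf" dev=sda1 ino=4711 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"type=1400 audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Booleans the post's audit2why output associated with these permissions.
# This is an assumption copied from the post, not read from policy; confirm
# on the local system with audit2why before toggling anything.
BOOLEAN_HINTS = {
    "execmem": ["allow_execstack", "allow_execmem"],
    "execstack": ["allow_execstack"],
    "execmod": ["allow_execmod"],
}


def split_context(ctx):
    """user:role:type[:level] -> dict (level is absent on non-MLS policies)."""
    parts = ctx.split(":", 3)
    keys = ("user", "role", "type", "level")
    return dict(zip(keys, parts + [""] * (4 - len(parts))))


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "time": datetime.fromtimestamp(float(m.group("ts")), tz=timezone.utc),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),        # several perms may share a record
        "pid": int(fields.get("pid", 0)),
        "comm": fields.get("comm", "?"),
        "tclass": fields.get("tclass", "?"),
        "scontext": split_context(fields.get("scontext", "")),
        "tcontext": split_context(fields.get("tcontext", "")),
        "fields": fields,                         # raw key=value pairs (name=, ino=, ...)
    }


def parse_log(text):
    """All AVC records in a chunk of syslog text, in file order."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def boolean_hints(rec):
    """Booleans from BOOLEAN_HINTS for the record's permissions, in order, no dupes."""
    hints = []
    for perm in rec["perms"]:
        for b in BOOLEAN_HINTS.get(perm, []):
            if b not in hints:
                hints.append(b)
    return hints


def summarise(records):
    """Group denials by (comm, source type, target type, tclass, perm)."""
    summary = {}
    for rec in records:
        if rec["result"] != "denied":
            continue
        for perm in rec["perms"]:
            key = (rec["comm"], rec["scontext"]["type"], rec["tcontext"]["type"],
                   rec["tclass"], perm)
            s = summary.setdefault(key, {"count": 0, "pids": set(),
                                         "first": rec["time"], "last": rec["time"]})
            s["count"] += 1
            s["pids"].add(rec["pid"])
            s["first"] = min(s["first"], rec["time"])
            s["last"] = max(s["last"], rec["time"])
    return summary


def report(text):
    """One line per (comm, stype, ttype, tclass, perm) group, sorted."""
    lines = []
    for key, s in sorted(summarise(parse_log(text)).items()):
        comm, stype, ttype, tclass, perm = key
        hints = ", ".join(BOOLEAN_HINTS.get(perm, [])) or "none listed (try audit2why)"
        lines.append(f"{comm:<12} {stype} -> {ttype} {tclass}:{perm}  x{s['count']} "
                     f"pids={sorted(s['pids'])} "
                     f"{s['first']:%Y-%m-%d %H:%M}..{s['last']:%H:%M}Z  booleans: {hints}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Feed it a real log with something like `grep 'avc:' /var/log/kern.log | python3 avcsum.py` once the `SAMPLE_LOG` constant is swapped for `sys.stdin.read()`; if every execmem group names `firefox-bin` with the same unconfined_t source type, the denial is the browser process itself and not a separately labelled helper, which is as far as the AVC record alone can take the plugin question.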
