[DSE-Dev] Bug#686252: mozilla.pp: file context path hardcoded to xulrunner-1.9.1

Henrik Ahlgren pablo at seestieto.com
Thu Aug 30 15:14:58 UTC 2012


Package: selinux-policy-default
Version: 2:0.2.20100524-7+squeeze1
Severity: normal


While trying to use the mozilla.debian.net version of iceweasel (15.0)
with selinux in enforcing mode, it crashes with a segmentation fault.
If iceweasel is running when I run "setenforce 1", it crashes immediately,
and if I try to start it in enforcing mode, it also segfaults.

In permissive mode, iceweasel works perfectly fine.

I get this in the audit log:

type=AVC msg=audit(1346334646.159:5030): avc:  denied  { execmem } for
pid=32645 comm="firefox-bin"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=process
type=SYSCALL msg=audit(1346334646.159:5030): arch=c000003e syscall=9
success=no exit=-13 a0=0 a1=10000 a2=7 a3=22 items=0 ppid=32525
pid=32645 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000
fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts5 ses=4294967295
comm="firefox-bin" exe="/usr/lib/xulrunner-15.0/xulrunner-stub"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1346334646.159:5031): avc:  denied  { execmem } for
pid=32645 comm="firefox-bin"

I noticed that the file context in the mozilla.fc
(selinux-policy-default-src) has a hardcoded path to xulrunner 1.9.1:

/usr/lib/xulrunner-1.9.1/xulrunner-stub -- gen_context(system_u:object_r:mozilla_exec_t,s0)

I am not a selinux expert, but I believe this probably is at least
related to the problem. I tried "chcon -t mozilla_exec_t
/usr/lib/xulrunner-15.0/xulrunner-stub", but it alone did not help.
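As an added illustration (not part of the bug report or of the Debian policy package), the two checks below show what the hardcoded entry implies: a file_contexts regex that does not cover the installed xulrunner path leaves the stub without mozilla_exec_t, and the AVC lines can be inspected for the domain in which the execmem denial occurs. The version-agnostic pattern and the sample AVC line are constructed assumptions, not the upstream fix.

```shell
#!/bin/sh
# Constructed file_contexts entries: the version-pinned one quoted in the
# report, and a version-agnostic alternative (an assumption, not upstream's).
FC_PINNED='/usr/lib/xulrunner-1\.9\.1/xulrunner-stub'
FC_ANY_VERSION='/usr/lib/xulrunner-[0-9]+(\.[0-9]+)*/xulrunner-stub'

# fc_type PATTERN PATH
# Prints the type the entry would assign to PATH, or "no_match" when the
# file_contexts regex (anchored, extended syntax) does not cover it. A stub
# with no match keeps a generic library label, so executing it never
# transitions into the mozilla domain.
fc_type() {
    if printf '%s\n' "$2" | grep -Eqx "$1"; then
        echo mozilla_exec_t
    else
        echo no_match
    fi
}

# avc_domain AVC_LINE
# Extracts the source domain (the type field of scontext) from an audit AVC
# record, so a denial can be checked for the domain it was raised in.
avc_domain() {
    printf '%s\n' "$1" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p'
}

# Constructed AVC record shaped like the ones in the report (one line).
SAMPLE_AVC='type=AVC msg=audit(1346334646.159:5030): avc:  denied  { execmem } for pid=32645 comm="firefox-bin" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process'

# diagnose STUB_PATH AVC_LINE
# Reports "mislabeled" when the installed stub gets no mozilla_exec_t label
# from the shipped pattern and the execmem denial is raised outside
# mozilla_t. The persistent fix for the label is a local override
# (semanage fcontext -a -t mozilla_exec_t '<regex>' and restorecon -v <path>),
# which this script only documents and does not run.
diagnose() {
    label=$(fc_type "$FC_PINNED" "$1")
    domain=$(avc_domain "$2")
    if [ "$label" = no_match ] && [ "$domain" != mozilla_t ]; then
        echo mislabeled
    else
        echo labeled
    fi
}
```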

Squeeze ships with iceweasel 3.5.16, but since it is such an old, almost
unusable (and not really security-supported) version of the Mozilla
browser, many Debian users want to use a more recent backported version,
which depends on the xulrunner package of the same version number,
i.e. currently xulrunner-15.0.

Furthermore, Wheezy will ship with the 10.0 version of iceweasel and
xulrunner, so while I haven't tried it myself, I'm guessing even the
stock version of iceweasel might not work on an SELinux-enforcing
machine, since the wheezy version of selinux-policy-default
has the same issue.

-- System Information:
Debian Release: 6.0.5
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates'), (100, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-0.bpo.2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules        1.1.1-6.1+squeeze1 Pluggable Authentication Modules f
ii  libselinux1           2.0.96-1           SELinux runtime shared libraries
ii  libsepol1             2.0.41-1           SELinux library for manipulating b
ii  policycoreutils       2.0.82-3           SELinux core policy utilities
ii  python                2.6.6-3+squeeze7   interactive high-level object-orie

Versions of packages selinux-policy-default recommends:
ii  checkpolicy              2.0.22-1        SELinux policy compiler
ii  setools                  3.3.6.ds-7.2+b1 tools for Security Enhanced Linux 

Versions of packages selinux-policy-default suggests:
pn  logcheck                      <none>     (no description available)
pn  syslog-summary                <none>     (no description available)

-- Configuration Files:
/etc/selinux/default/modules/active/file_contexts.local [Errno 13] Permission denied: u'/etc/selinux/default/modules/active/file_contexts.local'

-- no debconf information
