Before today's upgrades to Firefox and xulrunner I got hit with something weird . . .

[Replicant10000]

I was running Firefox, went to a page on cnn.com - and all of a sudden the thing crashed on me. SELinux reported that Firefox was trying to access allow_execmem like so:

Quote:

node=TechComm type=AVC msg=audit(1249433244.696:25008): avc: denied { execmem } for pid=3548 comm="firefox" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process

node=TechComm type=SYSCALL msg=audit(1249433244.696:25008): arch=c000003e syscall=10 success=no exit=1083727832 a0=7f2ac36f2000 a1=1000 a2=5 a3=7fff8060c5f0 items=0 ppid=3536 pid=3548 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="firefox" exe="/usr/lib64/firefox-3.5.1/firefox" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)

and running firefox -safe-mode reported :

Segmentation fault "$prog" ${1+"$@"}

in line 131 of run-mozilla.sh.

It happened a few more times with Facebook, so I deleted the .firefox directory. That didn't work, so I uninstalled FF and tried to reinstall. Installer reported the software was still there.

Just now, I upgraded to Firefox 3.5.2 with the xulrunner/taglibs packages. Problem gone.

Do I have a cause to be concerned? SELinux was running in enforcing mode the whole time - I never browse the web with it disabled - but I don't know if there was anything I missed.

Quote:

Originally Posted by Replicant10000

Do I have a cause to be concerned? SELinux was running in enforcing mode the whole time - I never browse the web with it disabled - but I don't know if there was anything I missed.

The "denied { execmem }" means SELinux successfully blocked it. To learn more about execmem see http://people.redhat.com/drepper/selinux-mem.html.

Quote:

Originally Posted by Replicant10000

I was running Firefox, went to a page on cnn.com - and all of a sudden the thing crashed on me.

Not that it matters anymore as you've posted your fix, but in my opinion it's always good to be verbose. Especially in dealing with apps like FF posting exact URI's and FF details (addons, plugins, et cetera) might speed up things.

[domg472]

Do you not have nsplugin installed/enabled?

[domg472]

So i just figured out that if you put libflashplugin.so into ~/.mozilla/plugins, that it wont run in the nsplugin_t security domain... even if you also have it in /usr/lib(64)/mozilla/plugins with a link to /usr/lib(64)/mozilla/plugins-wrapped...

You don't want to toggle allow_execmem unless you have no choice. Make flash run in nsplugin_t and if you really want it to do the execmem thing than set the nsplugin_execmem boolean (not encouraged either)

Websites that require execmem should be avoided like the flu. (like cisco.com)

[Evil_Bert]

I steer clear of all kinds of execmem like the plague, so no issues there.

But are you saying that Firefox users should always use the nswrapped version of Flash, rather than bare, in order that Flash always run in the nsplugin_t domain, even if all execmem booleans are off?

And, for "better security", should the following booleans be on or off:
- allow_unconfined_nsplugin_transition (Transition to confined nsplugin domains from unconfined user)?
- nsplugin_can_network (Allow nsplugin code to connect to unreserved ports)?


(I suppose I should read up on nsplugin_t etc., but it's very late, and it seems you probably know the answer already).

[domg472]

Quote:

And, for "better security", should the following booleans be on or off:
- allow_unconfined_nsplugin_transition (Transition to confined nsplugin domains from unconfined user)?
- nsplugin_can_network (Allow nsplugin code to connect to unreserved ports)?

I encourage people not to use the unconfined domain as a primary environment, but if you do (like most people) (fedora maps linux logins by default to the unconfined domain ), then i encourage setting the allow_unconfined_nsplugin_transition to on.

This way an unconfined user is at least protected against browser plug-ins since they will run in the nsplugin_t sandbox instead of the selinux-exempted unconfined (unrestricted/unprotected) domain.

I also encourage people to toggle nsplugin_can_network boolean to off. This way, browser plug-ins can not connect to the network using unreserved ports. Note that some plug-ins may want to do that. for example totem when you try to stream some video from for example a Microsoft media server in that case you might want to turn the boolean on.

It depends on your requirements. But its best to allow as little as possible (least privilege)

[Replicant10000]

I went through SELinux configuration and toggled most of them, including some I ended up needing like the one for gpg, to "off" before any of this ever happened so I'm sure nsplugin is not a problem. But after looking into the matter more deeply, it appears my x64 Flash player may be the culprit instead.