Fedora Linux Support Community & Resources Center

  #1  
Old 5th August 2009, 05:03 AM
Replicant10000 Offline
Registered User
 
Join Date: Jul 2009
Location: Tennessee
Posts: 147
Before today's upgrades to Firefox and xulrunner I got hit with something weird . . .

I was running Firefox, went to a page on cnn.com - and all of a sudden the thing crashed on me. SELinux reported that Firefox was trying to access allow_execmem like so:

Quote:
node=TechComm type=AVC msg=audit(1249433244.696:25008): avc: denied { execmem } for pid=3548 comm="firefox" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process

node=TechComm type=SYSCALL msg=audit(1249433244.696:25008): arch=c000003e syscall=10 success=no exit=1083727832 a0=7f2ac36f2000 a1=1000 a2=5 a3=7fff8060c5f0 items=0 ppid=3536 pid=3548 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="firefox" exe="/usr/lib64/firefox-3.5.1/firefox" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
and running firefox -safe-mode reported:

Segmentation fault "$prog" ${1+"$@"}

in line 131 of run-mozilla.sh.

It happened a few more times with Facebook, so I deleted the .firefox directory. That didn't work, so I uninstalled FF and tried to reinstall. Installer reported the software was still there.

Just now, I upgraded to Firefox 3.5.2 with the xulrunner/taglibs packages. Problem gone.

Do I have a cause to be concerned? SELinux was running in enforcing mode the whole time - I never browse the web with it disabled - but I don't know if there was anything I missed.

Last edited by Replicant10000; 5th August 2009 at 05:08 AM.
  #2  
Old 11th August 2009, 01:12 PM
unSpawn
Guest
 
Posts: n/a
Quote:
Originally Posted by Replicant10000
Do I have a cause to be concerned? SELinux was running in enforcing mode the whole time - I never browse the web with it disabled - but I don't know if there was anything I missed.
The "denied { execmem }" means SELinux successfully blocked it. To learn more about execmem see http://people.redhat.com/drepper/selinux-mem.html.


Quote:
Originally Posted by Replicant10000
I was running Firefox, went to a page on cnn.com - and all of a sudden the thing crashed on me.
Not that it matters anymore as you've posted your fix, but in my opinion it's always good to be verbose. Especially in dealing with apps like FF, posting exact URIs and FF details (addons, plugins, et cetera) might speed up things.
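
The denial quoted in post #1 can be read field by field. The shell functions below are an added example, not written by any poster in this thread and not part of the SELinux tools: they pair the AVC record with its SYSCALL record through the shared event ID and decode what the process asked for. The function names are illustrative, and only the x86_64 syscall numbers for mmap and mprotect are mapped.

```shell
#!/bin/sh
# SAMPLE is the AVC/SYSCALL pair from post #1, trimmed to the fields used here.
SAMPLE='type=AVC msg=audit(1249433244.696:25008): avc: denied { execmem } for pid=3548 comm="firefox" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1249433244.696:25008): arch=c000003e syscall=10 success=no exit=1083727832 a0=7f2ac36f2000 a1=1000 a2=5 a3=7fff8060c5f0 items=0 ppid=3536 pid=3548 comm="firefox" exe="/usr/lib64/firefox-3.5.1/firefox"'

# field NAME RECORD -> value of " NAME=value", surrounding quotes stripped
field() {
  printf '%s\n' "$2" | sed -n "s/.* $1=\"\{0,1\}\([^\" ]*\).*/\1/p"
}

# decode_prot HEX -> symbolic PROT_* flags of an mmap/mprotect prot argument
decode_prot() {
  v=$((0x$1)); out=
  if [ $((v & 1)) -ne 0 ]; then out=PROT_READ; fi
  if [ $((v & 2)) -ne 0 ]; then out="${out:+$out|}PROT_WRITE"; fi
  if [ $((v & 4)) -ne 0 ]; then out="${out:+$out|}PROT_EXEC"; fi
  printf '%s\n' "${out:-PROT_NONE}"
}

# Reads audit records on stdin; prints one summary line per AVC denial,
# joined to its SYSCALL record through the shared event ID.
summarize_denials() {
  records=$(cat)
  printf '%s\n' "$records" | grep 'type=AVC' | while IFS= read -r avc; do
    id=$(printf '%s\n' "$avc" | sed -n 's/.*msg=audit(\([^)]*\)).*/\1/p')
    perm=$(printf '%s\n' "$avc" | sed -n 's/.*denied *{ *\([a-z_ ]*[a-z_]\) *}.*/\1/p')
    sc=$(printf '%s\n' "$records" | grep -F "type=SYSCALL msg=audit($id)" || true)
    # Syscall numbers are per-architecture; only x86_64 (c000003e) is mapped.
    case "$(field arch "$sc"):$(field syscall "$sc")" in
      c000003e:9)  call=mmap ;;
      c000003e:10) call=mprotect ;;
      *)           call=unmapped ;;
    esac
    prot=n/a   # a2 is the prot argument for both mapped calls
    if [ "$call" != unmapped ]; then prot=$(decode_prot "$(field a2 "$sc")"); fi
    # success=no means the kernel refused the call, so the denial was enforced;
    # in permissive mode the AVC is still logged but the call succeeds.
    case "$(field success "$sc")" in
      no)  enforced=yes ;;
      yes) enforced=no ;;
      *)   enforced=unknown ;;
    esac
    printf 'perm=%s comm=%s call=%s prot=%s enforced=%s\n' \
      "$perm" "$(field comm "$avc")" "$call" "$prot" "$enforced"
  done
}

printf '%s\n' "$SAMPLE" | summarize_denials
```

For the records in this thread it reports an enforced execmem denial on an mprotect call requesting PROT_READ|PROT_EXEC.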
  #3  
Old 11th August 2009, 01:58 PM
domg472 Offline
SELinux Contributor
 
Join Date: May 2008
Posts: 623
Do you not have nsplugin installed/enabled?
__________________
Come join us on #fedora-selinux on irc.freenode.org
http://docs.fedoraproject.org/selinu...ide/f10/en-US/
  #4  
Old 12th August 2009, 02:01 PM
domg472 Offline
SELinux Contributor
 
Join Date: May 2008
Posts: 623
So I just figured out that if you put libflashplugin.so into ~/.mozilla/plugins, it won't run in the nsplugin_t security domain... even if you also have it in /usr/lib(64)/mozilla/plugins with a link to /usr/lib(64)/mozilla/plugins-wrapped...

You don't want to toggle allow_execmem unless you have no choice. Make Flash run in nsplugin_t and if you really want it to do the execmem thing then set the nsplugin_execmem boolean (not encouraged either).

Websites that require execmem should be avoided like the flu. (like cisco.com)
__________________
Come join us on #fedora-selinux on irc.freenode.org
http://docs.fedoraproject.org/selinu...ide/f10/en-US/
  #5  
Old 12th August 2009, 05:27 PM
Evil_Bert Offline
Retired Again - Administrator
 
Join Date: Nov 2007
Location: 'straya
Posts: 3,283
I steer clear of all kinds of execmem like the plague, so no issues there.

But are you saying that Firefox users should always use the nswrapped version of Flash, rather than bare, in order that Flash always run in the nsplugin_t domain, even if all execmem booleans are off?

And, for "better security", should the following booleans be on or off:
- allow_unconfined_nsplugin_transition (Transition to confined nsplugin domains from unconfined user)?
- nsplugin_can_network (Allow nsplugin code to connect to unreserved ports)?


(I suppose I should read up on nsplugin_t etc., but it's very late, and it seems you probably know the answer already).
__________________
Marching to the beat of his own conundrum.
  #6  
Old 12th August 2009, 07:20 PM
domg472 Offline
SELinux Contributor
 
Join Date: May 2008
Posts: 623
Quote:
And, for "better security", should the following booleans be on or off:
- allow_unconfined_nsplugin_transition (Transition to confined nsplugin domains from unconfined user)?
- nsplugin_can_network (Allow nsplugin code to connect to unreserved ports)?
I encourage people not to use the unconfined domain as a primary environment, but if you do (like most people) (Fedora maps Linux logins by default to the unconfined domain), then I encourage setting allow_unconfined_nsplugin_transition to on.

This way an unconfined user is at least protected against browser plug-ins since they will run in the nsplugin_t sandbox instead of the SELinux-exempted unconfined (unrestricted/unprotected) domain.

I also encourage people to toggle the nsplugin_can_network boolean to off. This way, browser plug-ins cannot connect to the network using unreserved ports. Note that some plug-ins may want to do that, for example Totem when you try to stream some video from, for example, a Microsoft media server. In that case you might want to turn the boolean on.

It depends on your requirements. But it's best to allow as little as possible (least privilege).
__________________
Come join us on #fedora-selinux on irc.freenode.org
http://docs.fedoraproject.org/selinu...ide/f10/en-US/
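
The settings recommended in posts #4 and #6 can be checked in one pass. The shell functions below are an added example, not written by any poster in this thread: they compare `getsebool -a` style output against those recommendations and list plugin libraries sitting in a per-user plugin directory. The function names and the sample state are constructed for illustration; the boolean names are the ones used in the thread and may differ in other policy versions.

```shell
#!/bin/sh
# Baseline = the boolean settings recommended in posts #4 and #6 of this thread.
BASELINE='allow_execmem off
nsplugin_execmem off
allow_unconfined_nsplugin_transition on
nsplugin_can_network off'

# Reads `getsebool -a` style lines ("name --> on|off") on stdin and prints a
# setsebool command for every baseline boolean whose current value differs.
# Booleans missing from the input are reported instead of silently skipped.
check_booleans() {
  current=$(cat)
  printf '%s\n' "$BASELINE" | while read -r name want; do
    have=$(printf '%s\n' "$current" |
      awk -v n="$name" '$1 == n && $2 == "-->" { print $3 }')
    if [ -z "$have" ]; then
      printf '# %s: not present in this policy\n' "$name"
    elif [ "$have" != "$want" ]; then
      printf 'setsebool -P %s %s\n' "$name" "$want"
    fi
  done
}

# Lists plugin libraries in a per-user plugin directory. Per post #4, a
# libflashplugin.so placed there does not run in nsplugin_t.
unwrapped_plugins() {
  dir=$1
  [ -d "$dir" ] || return 0
  find "$dir" -maxdepth 1 -name '*.so' -print | sort
}

# Constructed sample state; on a real system: getsebool -a | check_booleans
SAMPLE_STATE='allow_execmem --> off
allow_unconfined_nsplugin_transition --> off
nsplugin_can_network --> on
nsplugin_execmem --> off'

printf '%s\n' "$SAMPLE_STATE" | check_booleans
unwrapped_plugins "$HOME/.mozilla/plugins"
```

The output is a list of commands to review, not something to pipe straight into a root shell; the nsplugin_can_network recommendation in particular depends on which plug-ins you need, as post #6 notes.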
  #7  
Old 12th August 2009, 11:45 PM
Replicant10000 Offline
Registered User
 
Join Date: Jul 2009
Location: Tennessee
Posts: 147
I went through SELinux configuration and toggled most of them, including some I ended up needing like the one for gpg, to "off" before any of this ever happened so I'm sure nsplugin is not a problem. But after looking into the matter more deeply, it appears my x64 Flash player may be the culprit instead.