On 1/28/06, Jonathan Berry berryja@gmail.com wrote:
Hi all,
I just installed FC5T2 x86_64 to test it out. Install went smoothly and I just finished up all the updates. I seem to be having an issue with the NSS update:
# grep -i nss /var/log/yum.log
Jan 28 00:06:03 Updated: nss.x86_64 3.11-3
Jan 28 00:07:25 Updated: nss.i386 3.11-3
Jan 28 00:20:14 Updated: nss_ldap.i386 248-1
Jan 28 00:20:18 Updated: nss_ldap.x86_64 248-1
I have seen two symptoms of some problem thus far in Firefox and Evolution. Firefox starts with a warning that it could not initialize the security component (something to that effect) and gives some statement that it could be a file permissions problem in the profile directory. Perms look to be okay in ~/.mozilla/firefox/ and I get no SELinux or other messages. Evolution flat refuses to run. The problem is more apparent from the command line:
$ evolution
(evolution:3437): evolution-smime-WARNING **: Failed all methods for initializing NSS
(evolution:3437): camel-WARNING **: Failed to initialize NSS
Any ideas? Time for a bugzilla entry? (probably after I sleep some...)
More information...
I just tried reinstalling the original nss packages and I am still having issues. Firefox gives the security warning and will not do any ssl stuff (not good!) and evolution will not start.
$ rpm -qa nss{,_ldap}
nss_ldap-244-2.1.x86_64
nss-3.11-2.x86_64
nss_ldap-244-2.1.i386
nss-3.11-2.i386
I've tried rebooting and even booting the original kernel and get the same results. Is anyone else seeing this?
Okay, well, I keep responding to myself...
This now seems to be related to SELinux somehow. If I issue a "setenforce 0" command, then Firefox and SSL work just fine, Evolution starts, and all is well. With enforcing disabled, when I start Firefox or Evolution, I get some "avc: granted { execmem }" messages in audit.log relating to the programs. Unfortunately, I do not get any failure or otherwise messages in audit.log when SELinux is on. FC5T2 x86_64 fully updated as of today.
$ rpm -qa | grep selinux
libselinux-devel-1.29.6-1.x86_64
libselinux-python-1.29.6-1.x86_64
selinux-policy-2.2.8-1.noarch
selinux-policy-targeted-2.2.8-1.noarch
libselinux-1.29.6-1.x86_64
libselinux-1.29.6-1.i386
Below I will post the AVC messages that I get when starting Evolution and Firefox with SELinux off. I do not get any messages with SELinux enabled (ie, enforcing). I'll also give the ls -Z output for the NSS stuff. Is no one else seeing this? Should I go ahead and bugzilla this (now that I can actually access https, heh)?
Jonathan
Lots of info follows.
$ ls -Z `rpm -ql nss`
-rw-r--r-- root root system_u:object_r:lib_t /usr/lib64/libfreebl3.chk
-rw-r--r-- root root system_u:object_r:lib_t /usr/lib64/libfreebl3.so
-rw-r--r-- root root system_u:object_r:lib_t /usr/lib64/libnss3.so
-rw-r--r-- root root system_u:object_r:lib_t /usr/lib64/libnssckbi.so
-rw-r--r-- root root system_u:object_r:lib_t /usr/lib64/libsmime3.so
-rw-r--r-- root root system_u:object_r:lib_t /usr/lib64/libsoftokn3.chk
-rw-r--r-- root root system_u:object_r:lib_t /usr/lib64/libsoftokn3.so
-rw-r--r-- root root system_u:object_r:lib_t /usr/lib64/libssl3.so
-rw-r--r-- root root system_u:object_r:lib_t /usr/lib/libfreebl3.chk
-rw-r--r-- root root system_u:object_r:lib_t /usr/lib/libfreebl3.so
-rw-r--r-- root root system_u:object_r:lib_t /usr/lib/libnss3.so
-rw-r--r-- root root system_u:object_r:lib_t /usr/lib/libnssckbi.so
-rw-r--r-- root root system_u:object_r:lib_t /usr/lib/libsmime3.so
-rw-r--r-- root root system_u:object_r:lib_t /usr/lib/libsoftokn3.chk
-rw-r--r-- root root system_u:object_r:lib_t /usr/lib/libsoftokn3.so
-rw-r--r-- root root system_u:object_r:lib_t /usr/lib/libssl3.so
$ ls -Z `rpm -ql nss_ldap`
-rw-r--r-- root root system_u:object_r:etc_t /etc/ldap.conf
-rw-r--r-- root root system_u:object_r:etc_t /etc/ldap.conf
-rwxr-xr-x root root system_u:object_r:lib_t /lib64/libnss_ldap-2.3.90.so
lrwxrwxrwx root root system_u:object_r:lib_t /lib64/libnss_ldap.so.2 -> libnss_ldap-2.3.90.so
-rwxr-xr-x root root system_u:object_r:lib_t /lib64/security/pam_ldap.so
-rwxr-xr-x root root system_u:object_r:lib_t /lib/libnss_ldap-2.3.90.so
lrwxrwxrwx root root system_u:object_r:lib_t /lib/libnss_ldap.so.2 -> libnss_ldap-2.3.90.so
-rwxr-xr-x root root system_u:object_r:lib_t /lib/security/pam_ldap.so
lrwxrwxrwx root root system_u:object_r:lib_t /usr/lib64/libnss_ldap.so -> ../../lib64/libnss_ldap.so.2
lrwxrwxrwx root root system_u:object_r:lib_t /usr/lib/libnss_ldap.so -> ../../lib/libnss_ldap.so.2
[... snip tons more files with perms: -rw-r--r-- root root system_u:object_r:usr_t]
I get the following AVC messages when starting Evolution with SELinux off:
type=AVC msg=audit(1138480597.454:108): avc: granted { execmem } for pid=3745 comm="evolution" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480597.454:108): arch=c000003e syscall=10 success=yes exit=0 a0=7fffffce9000 a1=1000 a2=1000007 a3=4 items=0 pid=3745 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="evolution" exe="/usr/bin/evolution-2.6"
type=AVC msg=audit(1138480597.558:109): avc: granted { execmem } for pid=3745 comm="evolution" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480597.558:109): arch=c000003e syscall=9 success=yes exit=1073741824 a0=0 a1=a01000 a2=7 a3=62 items=0 pid=3745 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="evolution" exe="/usr/bin/evolution-2.6"
type=AVC msg=audit(1138480597.590:110): avc: granted { execmem } for pid=3761 comm="evolution" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480597.590:110): arch=c000003e syscall=9 success=yes exit=1084231680 a0=0 a1=a01000 a2=7 a3=62 items=0 pid=3761 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="evolution" exe="/usr/bin/evolution-2.6"
type=AVC msg=audit(1138480597.630:111): avc: granted { execmem } for pid=3745 comm="evolution" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480597.630:111): arch=c000003e syscall=9 success=yes exit=1094721536 a0=0 a1=a01000 a2=7 a3=62 items=0 pid=3745 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="evolution" exe="/usr/bin/evolution-2.6"
type=AVC msg=audit(1138480598.770:112): avc: granted { execmem } for pid=3745 comm="evolution" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480598.770:112): arch=c000003e syscall=9 success=yes exit=1105211392 a0=0 a1=a01000 a2=7 a3=62 items=0 pid=3745 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="evolution" exe="/usr/bin/evolution-2.6"
type=AVC msg=audit(1138480598.878:113): avc: granted { execmem } for pid=3745 comm="evolution" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480598.878:113): arch=c000003e syscall=9 success=yes exit=1115701248 a0=0 a1=a01000 a2=7 a3=62 items=0 pid=3745 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="evolution" exe="/usr/bin/evolution-2.6"
I get the following AVC messages when starting Firefox with SELinux off:
type=AVC msg=audit(1138480668.242:114): avc: granted { execmem } for pid=3802 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480668.242:114): arch=c000003e syscall=10 success=yes exit=0 a0=7fffffa74000 a1=1000 a2=1000007 a3=4 items=0 pid=3802 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="firefox-bin" exe="/usr/lib64/firefox-1.5/firefox-bin"
type=AVC msg=audit(1138480668.242:115): avc: granted { execmem } for pid=3802 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480668.242:115): arch=c000003e syscall=10 success=yes exit=0 a0=41403000 a1=a00000 a2=7 a3=4 items=0 pid=3802 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="firefox-bin" exe="/usr/lib64/firefox-1.5/firefox-bin"
type=AVC msg=audit(1138480668.242:116): avc: granted { execmem } for pid=3802 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480668.242:116): arch=c000003e syscall=10 success=yes exit=0 a0=40a02000 a1=a00000 a2=7 a3=4 items=0 pid=3802 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="firefox-bin" exe="/usr/lib64/firefox-1.5/firefox-bin"
type=AVC msg=audit(1138480668.242:117): avc: granted { execmem } for pid=3802 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480668.242:117): arch=c000003e syscall=10 success=yes exit=0 a0=40001000 a1=a00000 a2=7 a3=4 items=0 pid=3802 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="firefox-bin" exe="/usr/lib64/firefox-1.5/firefox-bin"
type=AVC msg=audit(1138480668.502:118): avc: granted { execmem } for pid=3803 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480668.502:118): arch=c000003e syscall=9 success=yes exit=1105211392 a0=0 a1=a01000 a2=7 a3=62 items=0 pid=3803 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="firefox-bin" exe="/usr/lib64/firefox-1.5/firefox-bin"
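Audit records in the format posted above can be parsed mechanically instead of read by eye. The following is an added example, not code from the thread: it pairs each AVC record with the SYSCALL record that shares its audit serial number, tallies the execmem/execstack decisions per executable, and maps denials to the booleans discussed in this thread. The sample log is constructed: two records in the format shown above, a hypothetical denied execstack record, and an unrelated login record to show filtering.

```python
"""Summarise SELinux AVC records for the memory-execution permissions
(execmem, execstack) that the allow_execmem/allow_execstack booleans govern.
Added example; the sample records below are constructed, not a real log."""
import re
from collections import Counter

# Constructed sample: records in the posted format plus a hypothetical denial.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1138480597.454:108): avc: granted { execmem } for pid=3745 comm="evolution" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480597.454:108): arch=c000003e syscall=10 success=yes exit=0 a0=7fffffce9000 a1=1000 a2=1000007 a3=4 items=0 pid=3745 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="evolution" exe="/usr/bin/evolution-2.6"
type=AVC msg=audit(1138480668.242:114): avc: granted { execmem } for pid=3802 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480668.242:114): arch=c000003e syscall=10 success=yes exit=0 a0=7fffffa74000 a1=1000 a2=1000007 a3=4 items=0 pid=3802 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="firefox-bin" exe="/usr/lib64/firefox-1.5/firefox-bin"
type=AVC msg=audit(1138480700.000:120): avc:  denied  { execstack } for pid=3900 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1138480700.000:120): arch=c000003e syscall=10 success=no exit=-13 a0=7fff00000000 a1=1000 a2=1000007 a3=4 items=0 pid=3900 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="firefox-bin" exe="/usr/lib64/firefox-1.5/firefox-bin"
type=USER_LOGIN msg=audit(1138480800.000:121): user pid=4000 uid=0 auid=500 msg='op=login id=500 exe="/bin/login" res=success'
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +'
    r'(?P<decision>granted|denied) +\{ (?P<perms>[^}]+)\} for (?P<fields>.*)$')
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption: records come from an x86_64 host (arch=c000003e) as in the thread.
X86_64_SYSCALLS = {9: "mmap", 10: "mprotect"}

# Booleans named in the thread, keyed by the permission they relax.
BOOLEAN_FOR_PERM = {"execmem": "allow_execmem", "execstack": "allow_execstack"}


def parse_fields(text):
    """Turn 'k=v k="quoted v"' runs into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(text)}


def parse_audit(log_text):
    """Return AVC events (oldest first), each merged with its SYSCALL record."""
    events = {}
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if m:
            ev = events.setdefault(m["serial"], {})
            ev.update(parse_fields(m["fields"]))
            ev["decision"] = m["decision"]
            ev["perms"] = m["perms"].split()
            ev["timestamp"] = float(m["ts"])
            continue
        m = SYSCALL_RE.match(line)
        if m:
            ev = events.setdefault(m["serial"], {})
            f = parse_fields(m["fields"])
            num = int(f.get("syscall", -1))
            ev["syscall"] = X86_64_SYSCALLS.get(num, f.get("syscall"))
            ev["exe"] = f.get("exe")
            ev["success"] = f.get("success")
    ordered = sorted(events.items(), key=lambda kv: int(kv[0]))
    return [ev for _, ev in ordered if "decision" in ev]


def summarize(events, perms_of_interest=("execmem", "execstack")):
    """Count (exe, permission, decision) triples for the permissions of interest."""
    counts = Counter()
    for ev in events:
        for perm in ev["perms"]:
            if perm in perms_of_interest:
                counts[(ev.get("exe") or ev.get("comm"), perm, ev["decision"])] += 1
    return counts


def booleans_implicated(events):
    """Booleans whose permission was actually denied; granted records need none."""
    return {BOOLEAN_FOR_PERM[p] for ev in events if ev["decision"] == "denied"
            for p in ev["perms"] if p in BOOLEAN_FOR_PERM}


if __name__ == "__main__":
    evs = parse_audit(SAMPLE_AUDIT_LOG)
    for key, n in sorted(summarize(evs).items()):
        print("%-45s %-10s %-8s %d" % (key + (n,)))
    print("booleans implicated by denials:", sorted(booleans_implicated(evs)))
```

Feed it `/var/log/audit/audit.log` instead of the sample to see which executables, not just which programs, are asking for executable memory.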
I noticed that xfs service startup is really slow on boot here.
cheers
Same here, its because it rebuilds the font lists on startup every time. Seems to add many seconds to an otherwise decent boot time :-)
Because i know i'm not adding or removing fonts any time soon i've 'fixed' xfs to: #[ -x /usr/sbin/chkfontpath ] && buildfontlist
(add the # before it to stop it from rebuilding the fontlists every boot, saves tons of time :-))
On Sat, 2006-01-28 at 22:02 +0100, Lars G wrote:
Lars G terraformers@gmail.com
Sat, 28 01 2006 at 22:59 +0100, Chris Chabot wrote:
I thought, reading Dave Jones' blog that this was fixed as a result of his wonderful investigations into the massive insanity that seems to be going on during e.g. boot.
http://kernelslacker.livejournal.com/35270.html
Actually when i do a strace on something 'simple' as an eog i get:
- 3488 fopen()'s
- 4684 stat()'s
A lot of the fopens seem to be caused by the .so linker looking into a lot of places that don't even exist on my system:
open("/usr/X11R6/lib/tls/i686/sse2/libpopt.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/X11R6/lib/tls/i686/libpopt.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/X11R6/lib/tls/sse2/libpopt.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/X11R6/lib/tls/libpopt.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/X11R6/lib/i686/sse2/libpopt.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/X11R6/lib/i686/libpopt.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/X11R6/lib/sse2/libpopt.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/X11R6/lib/libpopt.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/libpopt.so.0", O_RDONLY) = 3
If it would fopen in /usr/lib right away that would save a huge amount of the fopen calls, anyone know why it does such a thing? Would save about 700 fopen calls right away
1091 calls are for /usr/share/fonts/.... Where if i do a "find -type f | wc -l" i have only 539 files; Might be an X 'design flaw' it has to rescan this every time, but it makes having fonts quite expensive :-) I actually nuked most of my extra fonts i used to have (few hundred ttf's) to gain a little bit of responsiveness again.
About 1288 fopen()'s lead to a ENOENT, just checking for files that _could_ exist (like those weird i686/tls/sse2 dir's and also mucho font subdirs that don't exist like "/usr/share/X11/fonts/Type1/resource.frk"), if we already know what so's we have (ld.so.cache / prelink) and we already know what fonts we have .. Why spend so much time on secondguessing it? Well thats just my feeling, not my technical insight :-)
Anyhow, no i don't think that blog post has caused everything to be changed yet no :-)
-- Chris
On Sun, 2006-01-29 at 00:52 +0100, David Nielsen wrote:
-- Obligatory shameless blog plug - the GNOME commentary located at: www.lovesunix.net/blog
Jonathan Berry wrote: [snip]
setsebool -P allow_execmem=1
On 1/31/06, Daniel J Walsh dwalsh@redhat.com wrote:
setsebool -P allow_execmem=1
This allows Evolution to run, but Firefox still complains about not being able to do the security stuff. Still need to setenforce 0 to access https. Besides, this seems like a rather far reaching "fix." Not that I'm exactly sure what exactly it does....
Jonathan
Jonathan Berry wrote: [snip]
Rereading your posts. Are you sure this is an SELinux problem? If you setenforce 0, does firefox/evolution work?
On 2/6/06, Daniel J Walsh dwalsh@redhat.com wrote:
Rereading your posts. Are you sure this is an SELinux problem? If you setenforce 0, does firefox/evolution work?
Sorry for the lag. Well, it seems related to SELinux at least as, yes, setenforce 0 allows Firefox and Evolution work. Firefox will run with setenforce 1, but cannot do anything related to SSL. Evolution refuses to start because of it. I'm still seeing this problem.
Jonathan
Jonathan Berry wrote: [snip]
Try setsebool -P allow_execstack=1
On 2/13/06, Daniel J Walsh dwalsh@redhat.com wrote: [snip]
Try setsebool -P allow_execstack=1
Yes, this allows both Firefox and Evolution to start up normally. What exactly does this do? Doesn't appear to be a very security conscious fix. Does this just mean that NSS needs an executable stack and wasn't given one?
Jonathan
Jonathan Berry wrote:
Yes, this allows both Firefox and Evolution to start up normally. What exactly does this do? Doesn't appear to be a very security conscious fix. Does this just mean that NSS needs an executable stack and wasn't given one?
Jonathan
Yes. We are investigating why it needs an executable stack.
Looks like this is an initialization thing. So after the first time you can turn it off. Although I think flash player needs it too.
Dan
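Dan's answer leaves open which object is actually asking for the executable stack. The following is an added example, not code from the thread, from NSS or from the SELinux tools: it reads the PT_GNU_STACK program header of an ELF file the way the kernel and ld.so decide, where a header carrying PF_X, or no PT_GNU_STACK header at all, means the stack is mapped executable. The ELF images built inside the block are constructed minimal headers for demonstration, not real libraries; pass real paths on the command line to check installed objects.

```python
"""Report whether an ELF object requests an executable stack (PT_GNU_STACK).
Added example. build_elf64() constructs minimal test images; scan_file()
works on real files such as the NSS libraries listed earlier in the thread."""
import struct

PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def _program_headers(data):
    """Yield (p_type, p_flags) for every program header in an ELF image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    elf_class, elf_data = data[4], data[5]
    endian = "<" if elf_data == 1 else ">"
    if elf_class == 2:                             # ELFCLASS64
        ehdr = struct.unpack(endian + "16sHHIQQQIHHHHHH", data[:64])
        phdr_fmt, flag_index = endian + "IIQQQQQQ", 1   # p_type, p_flags, ...
    elif elf_class == 1:                           # ELFCLASS32
        ehdr = struct.unpack(endian + "16sHHIIIIIHHHHHH", data[:52])
        phdr_fmt, flag_index = endian + "IIIIIIII", 6   # p_flags is 7th field
    else:
        raise ValueError("unknown ELF class %d" % elf_class)
    phoff, phentsize, phnum = ehdr[5], ehdr[9], ehdr[10]
    size = struct.calcsize(phdr_fmt)
    for i in range(phnum):
        off = phoff + i * phentsize
        ph = struct.unpack(phdr_fmt, data[off:off + size])
        yield ph[0], ph[flag_index]


def gnu_stack_flags(data):
    """p_flags of the PT_GNU_STACK header, or None when the header is absent."""
    for p_type, p_flags in _program_headers(data):
        if p_type == PT_GNU_STACK:
            return p_flags
    return None


def needs_execstack(data):
    """True when the loader would give this object an executable stack:
    either PF_X is set, or there is no PT_GNU_STACK header (legacy default)."""
    flags = gnu_stack_flags(data)
    return flags is None or bool(flags & PF_X)


def build_elf64(stack_flags=None):
    """Construct a minimal little-endian ELF64 ET_DYN image (constructed input)
    with one PT_GNU_STACK header, or no program headers when stack_flags is None."""
    phnum = 0 if stack_flags is None else 1
    ident = b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + b"\0" * 7
    image = struct.pack("<16sHHIQQQIHHHHHH", ident, 3, 62, 1, 0, 64, 0, 0,
                        64, 56, phnum, 0, 0, 0)
    if phnum:
        image += struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags,
                             0, 0, 0, 0, 0, 16)
    return image


def scan_file(path):
    """needs_execstack() over a file on disk."""
    with open(path, "rb") as fh:
        return needs_execstack(fh.read())


if __name__ == "__main__":
    import sys
    samples = {"rw stack": build_elf64(PF_R | PF_W),
               "rwx stack": build_elf64(PF_R | PF_W | PF_X),
               "no PT_GNU_STACK": build_elf64()}
    for name, img in samples.items():
        print("%-16s needs execstack: %s" % (name, needs_execstack(img)))
    for path in sys.argv[1:]:
        print("%s: %s" % (path, "needs execstack" if scan_file(path) else "ok"))
```

The same bit is what `readelf -lW <file> | grep GNU_STACK` and `execstack -q <file>` report; running this over every library a process has mapped narrows "NSS needs an executable stack" down to the object that asks for it.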
On 2/15/06, Daniel J Walsh dwalsh@redhat.com wrote:
Try setsebool -P allow_execstack=1
Yes. We are investigating why it needs an executable stack.
Looks like this is an initialization thing. So after the first time you can turn it off. Although I think flash player needs it too.
After installing Core 5 Test 3, I am not seeing any more issues with this. In fact, I had not in my Test 2 (and updates) install after running the above command, but I was not sure if something got fixed or if the command just "stuck." It seems the -P writes the setting to file, but I do not remember completely. I cannot check that since I cannot seem to get a man page for setsebool, even though it is mentioned in the selinux man page.
$ man setsebool
No manual entry for setsebool
Is something wrong here? From "man selinux":
SEE ALSO
booleans(8), setsebool(8), selinuxenabled(8), togglesebool(8), restore-
Jonathan