Package: selinux-policy-default
Version: 2:0.2.20100524-7+squeeze1
Severity: normal

While trying to use the mozilla.debian.net version of iceweasel (15.0) with selinux in enforcing mode, it crashes with a segmentation fault. If iceweasel is running when I run "setenforce 1", it crashes immediately, and if I try to start it in enforcing mode, it also segfaults. In permissive mode, iceweasel works perfectly fine.

I get this in the audit log:

type=AVC msg=audit(1346334646.159:5030): avc: denied { execmem } for pid=32645 comm="firefox-bin" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1346334646.159:5030): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=10000 a2=7 a3=22 items=0 ppid=32525 pid=32645 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts5 ses=4294967295 comm="firefox-bin" exe="/usr/lib/xulrunner-15.0/xulrunner-stub" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1346334646.159:5031): avc: denied { execmem } for pid=32645 comm="firefox-bin"

I noticed that the file context in the mozilla.fc (selinux-policy-default-src) has a hardcoded path to xulrunner 1.9.1:

/usr/lib/xulrunner-1.9.1/xulrunner-stub -- gen_context(system_u:object_r:mozilla_exec_t,s0)

I am not a selinux expert, but I believe this probably is at least related to the problem. I tried "chcon -t mozilla_exec_t /usr/lib/xulrunner-15.0/xulrunner-stub", but it alone did not help.

Squeeze ships with iceweasel 3.5.16, but since it is such an old, almost unusable (and not really security supported) version of the mozilla browser, many Debian users want to use a more recent backported version, which depends on the xulrunner package of the same version number, i.e. currently xulrunner-15.0.
Furthermore, Wheezy will ship with the 10.0 version of iceweasel and xulrunner, so while I haven't tried it myself, I'm guessing even the stock version of iceweasel might not work on a selinux enforcing machine, since the wheezy version of selinux-policy-default has the same issue.

-- System Information:
Debian Release: 6.0.5
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates'), (100, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-0.bpo.2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.1-6.1+squeeze1  Pluggable Authentication Modules f
ii  libselinux1      2.0.96-1            SELinux runtime shared libraries
ii  libsepol1        2.0.41-1            SELinux library for manipulating b
ii  policycoreutils  2.0.82-3            SELinux core policy utilities
ii  python           2.6.6-3+squeeze7    interactive high-level object-orie

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.0.22-1         SELinux policy compiler
ii  setools      3.3.6.ds-7.2+b1  tools for Security Enhanced Linux

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>  (no description available)
pn  syslog-summary  <none>  (no description available)

-- Configuration Files:
/etc/selinux/default/modules/active/file_contexts.local [Errno 13] Permission denied: u'/etc/selinux/default/modules/active/file_contexts.local'

-- no debconf information
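
Added example, not part of the original report: a small triage script that pairs each execmem AVC denial with the SYSCALL record of the same audit event and decodes the mmap arguments, showing that the denied call is a private anonymous mapping requested readable, writable and executable at once. The function names are hypothetical; the sample records are copied from the report (SYSCALL record shortened), and the decoding assumes x86_64, where syscall 9 is mmap.

```python
import errno
import re

# Records copied from the report above; the SYSCALL line is shortened to the fields used here.
SAMPLE = '''\
type=AVC msg=audit(1346334646.159:5030): avc: denied { execmem } for pid=32645 comm="firefox-bin" tclass=process
type=SYSCALL msg=audit(1346334646.159:5030): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=10000 a2=7 a3=22 pid=32645 comm="firefox-bin" exe="/usr/lib/xulrunner-15.0/xulrunner-stub"
type=AVC msg=audit(1346334646.159:5031): avc: denied { execmem } for pid=32645 comm="firefox-bin"
'''

PROT = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MAP = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED", 0x20: "MAP_ANONYMOUS"}
HEAD = re.compile(r"^type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)$", re.M)
PERMS = re.compile(r"\{([^}]*)\}")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def flags(value, table):
    """Names of the bits from `table` that are set in `value`."""
    return [name for bit, name in table.items() if value & bit]

def parse(text):
    """Group records by audit event id: {id: {"AVC": [perm, ...], "SYSCALL": {field: value}}}."""
    events = {}
    for rtype, event_id, body in HEAD.findall(text):
        ev = events.setdefault(event_id, {"AVC": [], "SYSCALL": {}})
        if rtype == "AVC":
            ev["AVC"] += " ".join(PERMS.findall(body)).split()
        elif rtype == "SYSCALL":
            ev["SYSCALL"] = {k: v.strip('"') for k, v in KV.findall(body)}
    return events

def explain_execmem(text):
    """Decode mmap arguments for every execmem denial that has an x86_64 mmap SYSCALL record."""
    out = []
    for event_id, ev in parse(text).items():
        sc = ev["SYSCALL"]
        if "execmem" not in ev["AVC"] or sc.get("arch") != "c000003e" or sc.get("syscall") != "9":
            continue  # no matching SYSCALL record (e.g. event 5031 above), nothing to decode
        out.append({
            "event": event_id, "exe": sc.get("exe"),
            "length": int(sc["a1"], 16),              # audit prints a0..a3 in hexadecimal
            "prot": flags(int(sc["a2"], 16), PROT),
            "flags": flags(int(sc["a3"], 16), MAP),
            "error": errno.errorcode.get(-int(sc["exit"]), sc["exit"]),
        })
    return out

if __name__ == "__main__":
    print(explain_execmem(SAMPLE))
```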