#442 Firefox and SELinux - bug 597858
Closed None Opened 13 years ago by mattmccutchen.

Firefox fails to start under the current SELinux policy for F14. This is [https://bugzilla.redhat.com/show_bug.cgi?id=597858 bug 597858], an accepted F14 Alpha blocker. A patch to Firefox has been available for a month, but AIUI Fedora cannot ship a branded version of Firefox with the patch until it is approved by upstream, and that process is stalled with no sign of when it might continue.

I'm asking FESCo to decide what to do for F14 Alpha to avoid holding up the entire release schedule, and also to prepare for the possibility that the situation is still unresolved by the F14 release. It seems the options would be to remove the trademarks (full disclosure: I want this anyway, see [https://bugzilla.redhat.com/show_bug.cgi?id=582784 bug 592784]) or to revert to the looser SELinux policy again, which would be a disappointment.


Thanks for filing this ticket, Matt.

A few additional nuggets. In case anyone's running F14/Rawhide and wondering why they don't see this, it affects only i686; x86-64 is unaffected.

Upstream bug is https://bugzilla.mozilla.org/show_bug.cgi?id=506693 . As Matt says, a patch has been submitted there, but it is stalled. We've been told Mozilla needs to make a determination whether they'll accept it, and we were asked for a real-world potential attack scenario to justify the SELinux policy (which Martin Stránský provided), but there's no clear indication of who can take that decision, what grounds they'll make it on, or when it might happen.

Note that this is not really a new thing. Every so often, the policy is flipped in rawhide, and therefore firefox breaks. We always end up flipping the policy back for final release. (Note that there are, IIRC, a couple of other apps affected by this.)

Have you ever considered that these applications aren't being fixed because we constantly work around the actual problem?

We need some kind of policy in place on how to treat these applications, like for instance how long should we work around them in SELinux before taking x actions?

For the record this particular problem with FF was present on our F12 alpha blocker.

It's questionable that upstream will apply the patch in place.

From [1]

"Before we take this patch, I want us to be clear on the security benefits we're
going to get. Please, no sermonizing on "privileges" and "rights".

What attacks does this patch prevent, and which ones does it leave open? Let's
make the trade-offs extremely clear, so we have a record of our decision, if
nothing else."

I guess they're running in circles waiting for Ulrich to give them working exploits and a book about pros and cons that go with those exploits??

I think it should be considered to find a replacement application for those apps and especially for those that are exposed directly to the internet.

It simply is wrong to constantly be loosening up SELinux rules while we should be tightening them.

As I see it this should be solved in FF (perhaps it is with FF4?) before F14 final; if not, we remove the trademarks or drop FF as the default browser and find one that does not suffer from this.

It's not like there is any shortage of alternative web browsers out there.

What's the purpose of having SELinux if we workaround the things it's supposed to protect us from in the first place?

  1. https://bugzilla.mozilla.org/show_bug.cgi?id=506693#c99

Removing the trademark from Firefox is 100% irrelevant. Irregardless of the trademarks, it is completely irresponsible on our part to force such an intrusive patch into our package. Upstream is well within reason to question such a patch to a very critical piece of the codebase. Just because it has some benefit does not mean it is a low-risk patch. Martin and I as well as a few others currently are working with upstream trying to resolve this, and I appreciate your support for this issue but freaking out and filing strong-arm scare-tactic requests like this does not really help.

Replying to [comment:5 caillon]:

> Irregardless of the trademarks, it is completely irresponsible on our part to force such an intrusive patch into our package.

Let me step back and ask: is the patch important enough to merit devoting the effort to vet it and maintain it in Fedora without help from upstream? This is something to be debated between you and Ulrich Drepper, and for FESCo to decide if necessary. But the idea that Fedora is incapable of acting independently is a fallacy that is harmful to our interests.

> Removing the trademark from Firefox is 100% irrelevant.

I don't think it is. If there were no trademark, the patched version could have been pushed to rawhide and we could have spent the last month testing it. But the trademark makes that kind of effort moot.

Replying to [comment:4 johannbg]:

> or drop FF as the default browser and find one that does not suffer from this.

I wouldn't recommend that. Branded or not, the Mozilla browser is still the most mature and full-featured browser currently available. In particular, please don't adopt a default browser that doesn't validate SSL certificates, such as Epiphany ([https://lists.fedoraproject.org/pipermail/devel/2010-April/135267.html previous discussion]).

Closing. If you have any new proposal for FESCo to discuss, please reopen and add the meeting keyword.
