[tor-bugs] #2901 [Tor bundles/installation]: Firefox 4 Tor Browser Bundle: execstack required by libcrypto (Fedora / SELinux)

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Tue Apr 12 17:10:41 UTC 2011


#2901: Firefox 4 Tor Browser Bundle: execstack required by libcrypto (Fedora /
SELinux)
--------------------------------------+-------------------------------------
 Reporter:  tagnaq                    |          Owner:  erinn
     Type:  defect                    |         Status:  new  
 Priority:  normal                    |      Milestone:       
Component:  Tor bundles/installation  |        Version:       
 Keywords:                            |         Parent:       
   Points:                            |   Actualpoints:       
--------------------------------------+-------------------------------------
 I tested the recent TBB [1] on Fedora 14 (64Bit).

 SELinux on Fedora is per default in enforcing mode and the SELinux
 variable allow_execstack is per default off. (execstack is forbidden per
 default)

 getsebool allow_execstack
 allow_execstack --> off

 When starting the TBB, SELinux prevents it from starting:

 In the audit.log file one can see:
 [...] avc:  denied  { execstack } [...] comm="vidalia [...]

 caused by:
 find tor-browser_en-US/ -exec execstack -q {} \; -print 2> /dev/null | grep ^X
 X tor-browser_en-US/Lib/libcrypto.so
 X tor-browser_en-US/Lib/libcrypto.so.1.0.0

 It _seems_ that libcrypto runs fine with execstack disabled,
 after clearing execstack the TBB starts fine.
 execstack -c libcrypto.so
 execstack -c libcrypto.so.1.0.0

 If you would ship libcrypto without execstack TBB would also run on Fedora
 out-of-the-box, but it is important to investigate the side effects of
 removing execstack on libcrypto in detail.

 If libcrypto absolutely requires execstack one could allow execstack by
 modifying allow_execstack but that is in general not a nice solution
 (weakens the entire system security) and requires root privileges.

 [1] https://www.torproject.org/dist/torbrowser/linux/tor-browser-gnu-linux-x86_64-2.2.23-1-alpha-en-US.tar.gz

 BTW: CentOS is not affected by this issue because execstack is per default
 allowed there (allow_execstack --> on).

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2901>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

