Firefox 4 Tor Browser Bundle: execstack required by libcrypto (Fedora / SELinux)
I tested the recent TBB [1] on Fedora 14 (64-bit).
SELinux on Fedora is in enforcing mode by default, and the SELinux boolean allow_execstack is off by default (execstack is forbidden by default):
    getsebool allow_execstack
    allow_execstack --> off
When starting the TBB, SELinux prevents it from starting.
In the audit.log file one can see:
    [...] avc: denied { execstack } [...] comm="vidalia [...]
This is caused by:
    find tor-browser_en-US/ -exec execstack -q {} \; -print 2> /dev/null | grep ^X
    X tor-browser_en-US/Lib/libcrypto.so
    X tor-browser_en-US/Lib/libcrypto.so.1.0.0
It seems that libcrypto runs fine with execstack disabled; after clearing execstack the TBB starts fine:
    execstack -c libcrypto.so
    execstack -c libcrypto.so.1.0.0
If you shipped libcrypto without execstack, TBB would also run on Fedora out of the box, but it is important to investigate the side effects of removing execstack on libcrypto in detail.
If libcrypto absolutely requires execstack, one could allow execstack by modifying allow_execstack, but that is in general not a nice solution (it weakens the entire system's security) and requires root privileges.
BTW: CentOS is not affected by this issue because execstack is allowed by default there (allow_execstack --> on).