Bug 590515
Summary: | SELinux is preventing /opt/google/chrome/chrome from loading /opt/google/chrome/libffmpegsumo.so which requires text relocation. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | zhelo <manzanasconfitadas> |
Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | low | ||
Version: | 12 | CC: | andreygeorge, daddy1954, dwalsh, elaineanita1, franklin.zur, hide_lynx, irwinbw, jasandtiff, jeff.the.cook, marcosdamiann, mgrepl, monkeyboy199271, N_os0lpa-x.rjda5iS, rwdoty, timurhan87, zach.pritchard |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | i386 | ||
OS: | Linux | ||
Whiteboard: | setroubleshoot_trace_hash:40c1e151cb38745b51c0dee26a91967b97ed846d1004799b36e91d91d1d4828a | ||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2010-05-10 09:04:29 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
zhelo
2010-05-10 02:35:06 UTC
Please run # yum update # chcon -t textrel_shlib_t '/opt/google/chrome/libffmpegsumo.so' To make this permanent # semanage fcontext -a -t textrel_shlib_t '/opt/google/chrom/libffmpegsumo.so' Summary: SELinux is preventing /opt/google/chrome/chrome from loading /opt/google/chrome/libffmpegsumo.so which requires text relocation. Detailed Description: The chrome application attempted to load /opt/google/chrome/libffmpegsumo.so which requires text relocation. This is a potential security problem. Most libraries do not need this permission. Libraries are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. You can configure SELinux temporarily to allow /opt/google/chrome/libffmpegsumo.so to use relocation as a workaround, until the library is fixed. Please file a bug report. Allowing Access: If you trust /opt/google/chrome/libffmpegsumo.so to run correctly, you can change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t '/opt/google/chrome/libffmpegsumo.so'" You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t textrel_shlib_t '/opt/google/chrome/libffmpegsumo.so'" Fix Command: chcon -t textrel_shlib_t '/opt/google/chrome/libffmpegsumo.so' Additional Information: Source Context unconfined_u:unconfined_r:unconfined_execmem_t:s0- s0:c0.c1023 Target Context system_u:object_r:lib_t:s0 Target Objects /opt/google/chrome/libffmpegsumo.so [ file ] Source chrome Source Path /opt/google/chrome/chrome Port <Unknown> Host (removed) Source RPM Packages google-chrome-beta-5.0.375.55-47796 Target RPM Packages google-chrome-beta-5.0.375.55-47796 Policy RPM selinux-policy-3.6.32-41.fc12 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name allow_execmod Host Name (removed) Platform Linux linux-pc 2.6.32.12-115.fc12.i686 #1 SMP Fri Apr 30 20:34:53 UTC 2010 i686 athlon Alert Count 21 First Seen Mon 24 May 2010 06:05:33 PM EDT Last Seen Wed 26 May 2010 02:25:46 PM EDT Local ID 21c64324-1828-42e7-9580-030fe4bcb9f7 Line Numbers Raw Audit Messages node=linux-pc type=AVC msg=audit(1274898346.635:23207): avc: denied { execmod } for pid=5109 comm="chrome" path="/opt/google/chrome/libffmpegsumo.so" dev=dm-0 ino=138345 scontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file node=linux-pc type=SYSCALL msg=audit(1274898346.635:23207): arch=40000003 syscall=125 success=no exit=-13 a0=dfb000 a1=140000 a2=5 a3=bff6a870 items=0 ppid=0 pid=5109 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="chrome" exe="/opt/google/chrome/chrome" subj=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 key=(null) execute: # yum update # restorecon -Rv /opt/google/chrome/ |