Bug 717417

Summary: SELinux is preventing /opt/google/chrome/chrome from 'execmod' accesses on the file /opt/google/chrome/chrome.
Product: [Fedora] Fedora Reporter: edo <edosurina>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED CANTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 15CC: aaron.lippold, agarwal.priyanshu, akashangle, aktigger99645, alexhultman, andremontes, babaj96, beland, bignikita, brucevannorman, chris, cnt_stud_km, denvorhu, dfillion, dicconspain, dominick.grift, dwalsh, eck3ko, florian.fahr, grantvirtue, haildmitry, hemendra.bhardwaj, hornickel, jlbouras, jnalley, jp.grossglauser, julroy67, kb6tal, liakosmath, lordkenan, maidenleo2000, mgrepl, mike.roussin, mikhail.v.gavrilov, milan.kerslager, msava, naoki, netovs, nimilsoman, N_os0lpa-x.rjda5iS, nouveau, old.uncle.z, palango, paulogomes.rep, pierrehar, pristy.site, puglieseweb, rbanks1959, rgs, rithmns, rivasilvercrown, rlhankins, rochieng2000, santiago.lunar.m, shiv, shiyamhoda, shnurapet, simone.roz, slivkam, taviso, TEbbecke, ubek1, wvdijk, yeti.daemon, younissf, zeroseven0183
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:4a28768c05e40eac1fea0b14a342e5349494c2d2fcf9abbce890cfba9f150f52
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-06-29 12:58:06 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description edo 2011-06-28 19:23:42 UTC 
SELinux is preventing /opt/google/chrome/chrome from 'execmod' accesses on the file /opt/google/chrome/chrome.

*****  Plugin allow_execmod (91.4 confidence) suggests  **********************

If you want to allow chrome to have execmod access on the chrome file
Then you need to change the label on '/opt/google/chrome/chrome'
Do
# semanage fcontext -a -t textrel_shlib_t '/opt/google/chrome/chrome'
# restorecon -v '/opt/google/chrome/chrome'

*****  Plugin catchall (9.59 confidence) suggests  ***************************

If you believe that chrome should be allowed execmod access on the chrome file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep chrome /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
                              0.c1023
Target Context                system_u:object_r:execmem_exec_t:s0
Target Objects                /opt/google/chrome/chrome [ file ]
Source                        chrome
Source Path                   /opt/google/chrome/chrome
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           google-chrome-unstable-14.0.803.0-90483
Target RPM Packages           google-chrome-unstable-14.0.803.0-90483
Policy RPM                    selinux-policy-3.9.16-30.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.38.8-32.fc15.x86_64 #1 SMP Mon Jun 13 19:49:05
                              UTC 2011 x86_64 x86_64
Alert Count                   25
First Seen                    Ut 28. jún 2011, 14:36:35 CEST
Last Seen                     Ut 28. jún 2011, 21:16:43 CEST
Local ID                      05df6fb7-04e9-4c11-9313-d757417fc4bb

Raw Audit Messages
type=AVC msg=audit(1309288603.174:60): avc:  denied  { execmod } for  pid=2496 comm="chrome" path="/opt/google/chrome/chrome" dev=dm-0 ino=1835050 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file


type=SYSCALL msg=audit(1309288603.174:60): arch=x86_64 syscall=mprotect success=no exit=EACCES a0=7f07539e0000 a1=368e000 a2=5 a3=7f0753ef32c8 items=0 ppid=0 pid=2496 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Hash: chrome,chrome_sandbox_t,execmem_exec_t,file,execmod

audit2allow

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t execmem_exec_t:file execmod;

audit2allow -R

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t execmem_exec_t:file execmod;
Comment 1 Daniel Walsh 2011-06-29 12:58:06 UTC 
You are going to need to load a custom policy module for this, as this is clearly not built correctly.

Have you tried the version built for Fedora?

http://fedoraproject.org/wiki/Chromium

# grep chrome /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Comment 2 Christopher Beland 2011-09-04 03:52:00 UTC 
Bug 730179 has been opened on the same issue and seems to be actionable.