Bug 730179
| Field | Value |
|---|---|
| Summary | SELinux is preventing /opt/google/chrome/chrome from execmod access on the file /opt/google/chrome/chrome. |
| Product | [Fedora] Fedora |
| Reporter | GoinEasy9 <GoinEasy9> |
| Component | selinux-policy |
| Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED ERRATA |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified |
| Docs Contact | |
| Priority | unspecified |
| Version | 15 |
| CC | akos.ladanyi, amoroso, anto.trande, castromd, church.jacob, cmarcant, dominick.grift, dwalsh, jim, julroy67, mgrepl, req1348, samuel-rhbugs |
| Target Milestone | --- |
| Keywords | Reopened |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | selinux-policy-3.9.16-48.fc15 |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| (label missing) | 735786 |
| Environment | |
| Last Closed | 2011-12-04 02:34:02 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 735786 |
| Attachments | |
Description
GoinEasy9
2011-08-12 03:19:00 UTC
Please include the AVC data?

Sorry, I thought I copied the whole thing:

Raw Audit Messages

    type=AVC msg=audit(1313201544.117:85): avc: denied { execmod } for pid=2527 comm="chrome" path="/opt/google/chrome/chrome" dev=sda2 ino=6291521 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file

    type=SYSCALL msg=audit(1313201544.117:85): arch=i386 syscall=mprotect success=no exit=EACCES a0=b4684000 a1=31e9000 a2=5 a3=bfad2be0 items=0 ppid=0 pid=2527 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

    Hash: chrome,chrome_sandbox_t,execmem_exec_t,file,execmod

    audit2allow

It is very strange to see an executable requiring execmod privs; these are usually shared libraries. Miroslav, I added the allow rules for this to F16.

    execmem_execmod(chrome_sandbox_t)

*** Bug 730406 has been marked as a duplicate of this bug. ***

Will the rule be added to F15, or should I manually adjust it? Have you determined the reason for the AVC error yet?

Yes, added to selinux-policy-3.9.16-39.fc15

Has the updated selinux-policy-3.9.16-39.fc15 been deployed? It hasn't shown up on my up-to-date Fedora 15 box yet. I still have selinux-policy-3.9.16-35.fc15. I got a couple of update batches with dozens of packages since selinux-policy was fixed, but not selinux-policy-3.9.16-39.fc15.

selinux-policy-3.9.16-38.fc15 is in testing now, so your fix will be in the next testing push.

Created attachment 521356: SELinux problem report for Fedora 14 google-chrome-beta-14.0.835.126-99097.i386

FYI, I am having the same problem on Fedora 14. SELinux problem report attached.

selinux-policy-3.9.16-39.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-39.fc15

Package selinux-policy-3.9.16-39.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:

    # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-39.fc15'

as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-39.fc15 then log in and leave karma (feedback).

I've got the latest update installed, but it's not fixed for me at least; I'm still getting a denial.

What denial?

I'm getting this AVC denial:

    SELinux is preventing /opt/google/chrome/chrome from execmod access on the fichier /opt/google/chrome/chrome.

    ***** Plugin allow_execmod (91.4 confiance) suggéré **************************
    Si vous souhaitez autoriser chrome à accéder à execmod sur chrome file
    Alors you need to change the label on '/opt/google/chrome/chrome'
    Faire
    # semanage fcontext -a -t textrel_shlib_t '/opt/google/chrome/chrome'
    # restorecon -v '/opt/google/chrome/chrome'

    ***** Plugin catchall (9.59 confiance) suggéré *******************************
    Si you believe that chrome should be allowed execmod access on the chrome file by default.
    Alors you should report this as a bug. You can generate a local policy module to allow this access.
    Faire
    allow this access for now by executing:
    # grep chrome /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp

    Additional Information:
    Contexte source               unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
    Contexte cible                system_u:object_r:execmem_exec_t:s0
    Objets du contexte            /opt/google/chrome/chrome [ file ]
    Source                        chrome
    Chemin de la source           /opt/google/chrome/chrome
    Port                          <Inconnu>
    Hôte                          eeepc
    Paquetages RPM source         google-chrome-stable-14.0.835.163-101024
    Paquetages RPM cible          google-chrome-stable-14.0.835.163-101024
    RPM de la statégie            selinux-policy-3.9.16-39.fc15
    Selinux activé                True
    Type de stratégie             targeted
    Mode strict                   Enforcing
    Nom de l'hôte                 eeepc
    Plateforme                    Linux eeepc 2.6.40.4-5.fc15.i686 #1 SMP Tue Aug 30 14:54:41 UTC 2011 i686 i686
    Compteur d'alertes            1
    Première alerte               sam. 17 sept. 2011 14:23:04 CEST
    Dernière alerte               sam. 17 sept. 2011 14:23:04 CEST
    ID local                      5ae8a748-7773-4b37-8e65-44f8563e73db

    Messages d'audit bruts
    type=AVC msg=audit(1316262184.284:757): avc: denied { execmod } for pid=8910 comm="chrome" path="/opt/google/chrome/chrome" dev=dm-1 ino=1053844 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file

    type=SYSCALL msg=audit(1316262184.284:757): arch=i386 syscall=mprotect success=no exit=EACCES a0=b4702000 a1=31fd000 a2=5 a3=bfa4af50 items=0 ppid=0 pid=8910 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=15 comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

    Hash: chrome,chrome_sandbox_t,execmem_exec_t,file,execmod

    audit2allow

    #============= chrome_sandbox_t ==============
    allow chrome_sandbox_t execmem_exec_t:file execmod;

    audit2allow -R

    #============= chrome_sandbox_t ==============
    allow chrome_sandbox_t execmem_exec_t:file execmod;

I believe this is fixed in the latest policy.

    yum -y update selinux-policy --enablerepo=updates-testing

I don't think the latest version quite fixes this completely. I updated to the version in updates-testing:

    # rpm -q selinux-policy
    selinux-policy-3.9.16-39.fc15.noarch

but I still get a related AVC denial when trying to launch chrome:

    # ausearch -m AVC -ts recent
    ----
    time->Mon Sep 19 13:50:54 2011
    type=SYSCALL msg=audit(1316454654.308:68): arch=40000003 syscall=125 success=no exit=-13 a0=b4513000 a1=31fd000 a2=5 a3=bffaaaa0 items=0 ppid=0 pid=2281 auid=32034 uid=32034 gid=30 euid=32034 suid=32034 fsuid=32034 egid=30 sgid=30 fsgid=30 tty=(none) ses=1 comm="chrome" exe="/opt/google/chrome/chrome" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)
    type=AVC msg=audit(1316454654.308:68): avc: denied { execmod } for pid=2281 comm="chrome" path="/opt/google/chrome/chrome" dev=sda3 ino=2890167 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file
    ----

Could you try to install the latest policy from koji? http://koji.fedoraproject.org/koji/buildinfo?buildID=263146

Still looks very similar with the -40 package from koji:

    Additional Information:
    Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
    Target Context                system_u:object_r:execmem_exec_t:s0
    Target Objects                /opt/google/chrome/chrome [ file ]
    Source                        chrome
    Source Path                   /opt/google/chrome/chrome
    Port                          <Unknown>
    Host                          cmarcant-linuxbook
    Source RPM Packages           google-chrome-stable-14.0.835.163-101024
    Target RPM Packages           google-chrome-stable-14.0.835.163-101024
    Policy RPM                    selinux-policy-3.9.16-40.fc15
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Enforcing
    Host Name                     <redacted>
    Platform                      Linux <redacted> 2.6.40.4-5.fc15.i686.PAE #1 SMP Tue Aug 30 14:43:52 UTC 2011 i686 i686
    Alert Count                   15
    First Seen                    Mon 19 Sep 2011 01:09:29 PM EDT
    Last Seen                     Tue 20 Sep 2011 08:28:56 AM EDT
    Local ID                      2c6839da-9c53-4b8f-b360-c5b4aa89edfa

    Raw Audit Messages
    type=AVC msg=audit(1316521736.390:1035): avc: denied { execmod } for pid=18845 comm="chrome" path="/opt/google/chrome/chrome" dev=sda3 ino=2890167 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file

    type=SYSCALL msg=audit(1316521736.390:1035): arch=i386 syscall=mprotect success=no exit=EACCES a0=b465e000 a1=31fd000 a2=5 a3=bfa4b800 items=0 ppid=0 pid=18845 auid=32034 uid=32034 gid=30 euid=32034 suid=32034 fsuid=32034 egid=30 sgid=30 fsgid=30 tty=(none) ses=1 comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

    Hash: chrome,chrome_sandbox_t,execmem_exec_t,file,execmod

selinux-policy-3.9.16-39.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.

I did a brand new f15 install today with selinux-policy-3.9.16-39.fc15 and I'm still having the same problem.

    SELinux is preventing /opt/google/chrome/chrome from execmod access on the file /opt/google/chrome/chrome.

    ***** Plugin allow_execmod (91.4 confidence) suggests **********************
    If you want to allow chrome to have execmod access on the chrome file
    Then you need to change the label on '/opt/google/chrome/chrome'
    Do
    # semanage fcontext -a -t textrel_shlib_t '/opt/google/chrome/chrome'
    # restorecon -v '/opt/google/chrome/chrome'

    ***** Plugin catchall (9.59 confidence) suggests ***************************
    If you believe that chrome should be allowed execmod access on the chrome file by default.
    Then you should report this as a bug. You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # grep chrome /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp

    Additional Information:
    Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
    Target Context                system_u:object_r:execmem_exec_t:s0
    Target Objects                /opt/google/chrome/chrome [ file ]
    Source                        chrome
    Source Path                   /opt/google/chrome/chrome
    Port                          <Unknown>
    Host                          kazuya
    Source RPM Packages           google-chrome-stable-14.0.835.202-103287
    Target RPM Packages           google-chrome-stable-14.0.835.202-103287
    Policy RPM                    selinux-policy-3.9.16-39.fc15
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Enforcing
    Host Name                     kazuya
    Platform                      Linux kazuya 2.6.40.6-0.fc15.i686.PAE #1 SMP Tue Oct 4 00:44:38 UTC 2011 i686 i686
    Alert Count                   1
    First Seen                    Thu 06 Oct 2011 05:47:07 PM PDT
    Last Seen                     Thu 06 Oct 2011 05:47:07 PM PDT
    Local ID                      de8da826-2bdc-4df4-a988-48f626b061a5

    Raw Audit Messages
    type=AVC msg=audit(1317948427.878:61): avc: denied { execmod } for pid=2581 comm="chrome" path="/opt/google/chrome/chrome" dev=dm-1 ino=2105964 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file

    type=SYSCALL msg=audit(1317948427.878:61): arch=i386 syscall=mprotect success=no exit=EACCES a0=b451c000 a1=31ff000 a2=5 a3=bfcbeab0 items=0 ppid=0 pid=2581 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

    Hash: chrome,chrome_sandbox_t,execmem_exec_t,file,execmod

    audit2allow

    #============= chrome_sandbox_t ==============
    allow chrome_sandbox_t execmem_exec_t:file execmod;

    audit2allow -R

    #============= chrome_sandbox_t ==============
    allow chrome_sandbox_t execmem_exec_t:file execmod;

Could you try to install the latest policy from koji? http://koji.fedoraproject.org/koji/buildinfo?buildID=263146

It was closed by Update System.

And what's the command I need to run to install that latest policy from koji?

    # su -c 'rpm -Uvh http://kojipkgs.fedoraproject.org/packages/selinux-policy/3.9.16/42.fc15/noarch/selinux-policy-3.9.16-42.fc15.noarch.rpm http://kojipkgs.fedoraproject.org/packages/selinux-policy/3.9.16/42.fc15/noarch/selinux-policy-targeted-3.9.16-42.fc15.noarch.rpm'

Thanks Miroslav. That works.

Previous package from koji (3.9.16-40.fc15) did not solve this issue for me. However, the latest package posted and linked above in Comment 23 (3.9.16-42.fc15) does seem to be working for me. I don't see any more AVC denials related to this BZ after upgrading to that.

3.9.16-42 worked for me too.

I too couldn't get it working until I applied the RPMs in Comment 23. (Maybe I misunderstood something, but I couldn't use the command line as written; I had to download the RPMs and install them from local files.)

selinux-policy-3.9.16-48.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-48.fc15

Package selinux-policy-3.9.16-48.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:

    # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-48.fc15'

as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2011-16023/selinux-policy-3.9.16-48.fc15 then log in and leave karma (feedback).

selinux-policy-3.9.16-48.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
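As an added example (not code from the bug, from setroubleshoot or from Fedora's policy tooling), here is a small Python parser for the raw AVC records pasted throughout this thread. It derives the same `allow chrome_sandbox_t execmem_exec_t:file execmod;` rule and `Hash:` line that audit2allow and sealert show above, and flags the oddity the thread points out: an execmod request on a program image (`*_exec_t`) rather than on a shared library. The comma-joining of several permissions in the hash is an assumption beyond the one-permission case shown on the page.

```python
"""Parse raw SELinux AVC records and derive what sealert/audit2allow derive from them."""
import re

# Raw audit messages copied from the bug report above (not constructed).
SAMPLE_LOG = """\
type=AVC msg=audit(1313201544.117:85): avc: denied { execmod } for pid=2527 comm="chrome" path="/opt/google/chrome/chrome" dev=sda2 ino=6291521 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1313201544.117:85): arch=i386 syscall=mprotect success=no exit=EACCES a0=b4684000 a1=31e9000 a2=5 a3=bfad2be0 items=0 ppid=0 pid=2527 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)
"""

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # comm/path are quoted, contexts are bare

def parse_avc(line):
    """Split one AVC record into result, perms (list) and its key=value fields."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC record: %r" % line)
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    return rec

def denials(log_text):
    """Parsed AVC denials in an audit log; SYSCALL and other record types are skipped."""
    recs = [parse_avc(l) for l in log_text.splitlines() if AVC_RE.search(l)]
    return [r for r in recs if r["result"] == "denied"]

def context_type(ctx):
    """The type field of a user:role:type[:range] SELinux context."""
    return ctx.split(":")[2]

def allow_rule(rec):
    """The rule audit2allow prints for this denial (braces only when several perms)."""
    perms = rec["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (context_type(rec["scontext"]),
                                    context_type(rec["tcontext"]), rec["tclass"], perm_str)

def sealert_hash(rec):
    """sealert's 'Hash:' line: comm,source type,target type,class,perms (assumed comma-joined)."""
    return ",".join([rec["comm"], context_type(rec["scontext"]),
                     context_type(rec["tcontext"]), rec["tclass"], ",".join(rec["perms"])])

def execmod_on_executable(rec):
    """The odd case noted in the thread: execmod asked for on an *_exec_t program image rather
    than a shared library. sealert's textrel_shlib_t suggestion points at text relocations."""
    return ("execmod" in rec["perms"] and rec["tclass"] == "file"
            and context_type(rec["tcontext"]).endswith("_exec_t"))
```

Feed it `ausearch -m AVC` or `/var/log/audit/audit.log` text instead of `SAMPLE_LOG` to review a whole log before deciding whether a denial deserves a policy change or a relabel.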