Bug 730179
| Field | Value |
|---|---|
| Summary: | SELinux is preventing /opt/google/chrome/chrome from execmod access on the file /opt/google/chrome/chrome. |
| Product: | Fedora |
| Reporter: | GoinEasy9 <GoinEasy9> |
| Component: | selinux-policy |
| Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA |
| QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified |
| Priority: | unspecified |
| Version: | 15 |
| CC: | akos.ladanyi, amoroso, anto.trande, castromd, church.jacob, cmarcant, dominick.grift, dwalsh, jim, julroy67, mgrepl, req1348, samuel-rhbugs |
| Target Milestone: | --- |
| Keywords: | Reopened |
| Target Release: | --- |
| Hardware: | Unspecified |
| OS: | Unspecified |
| Fixed In Version: | selinux-policy-3.9.16-48.fc15 |
| Doc Type: | Bug Fix |
| Story Points: | --- |
| : | 735786 |
| Last Closed: | 2011-12-04 02:34:02 UTC |
| Type: | --- |
| Regression: | --- |
| Mount Type: | --- |
| Documentation: | --- |
| Category: | --- |
| oVirt Team: | --- |
| Cloudforms Team: | --- |
| Bug Blocks: | 735786 |
Please include the AVC data?

Sorry, I thought I copied the whole thing:

Raw Audit Messages
type=AVC msg=audit(1313201544.117:85): avc: denied { execmod } for pid=2527 comm="chrome" path="/opt/google/chrome/chrome" dev=sda2 ino=6291521 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1313201544.117:85): arch=i386 syscall=mprotect success=no exit=EACCES a0=b4684000 a1=31e9000 a2=5 a3=bfad2be0 items=0 ppid=0 pid=2527 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)
Hash: chrome,chrome_sandbox_t,execmem_exec_t,file,execmod
audit2allow

It is very strange to see an executable requiring execmod privs, these are usually shared libraries. Miroslav, I added the allow rules for this to F16.

execmem_execmod(chrome_sandbox_t)

*** Bug 730406 has been marked as a duplicate of this bug. ***

Will the rule be added to F15, or should I manually adjust it? Have you determined the reason for the AVC error yet?

Yes, added to selinux-policy-3.9.16-39.fc15

Has the updated selinux-policy-3.9.16-39.fc15 been deployed? It hasn't shown up on my up to date Fedora 15 box yet. I still have selinux-policy-3.9.16-35.fc15. I got a couple of update batches with dozens of packages since selinux-policy was fixed, but not selinux-policy-3.9.16-39.fc15.

selinux-policy-3.9.16-38.fc15 is in testing now, so your fix will be in the next testing push.

Created attachment 521356
SELinux problem report for Fedora 14 google-chrome-beta-14.0.835.126-99097.i386

FYI, I am having the same problem on Fedora 14. SELinux problem report attached.
selinux-policy-3.9.16-39.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-39.fc15

Package selinux-policy-3.9.16-39.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-39.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-39.fc15
then log in and leave karma (feedback).

I've got the latest update installed, but it's not fixed for me at least, I'm still getting a denial.

What denial?

I'm getting this AVC denial:
SELinux is preventing /opt/google/chrome/chrome from execmod access on the file /opt/google/chrome/chrome.

***** Plugin allow_execmod (91.4 confidence) suggests **********************
If you want to allow chrome to have execmod access on the chrome file
Then you need to change the label on '/opt/google/chrome/chrome'
Do
# semanage fcontext -a -t textrel_shlib_t '/opt/google/chrome/chrome'
# restorecon -v '/opt/google/chrome/chrome'

***** Plugin catchall (9.59 confidence) suggests ***************************
If you believe that chrome should be allowed execmod access on the chrome file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep chrome /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
Target Context system_u:object_r:execmem_exec_t:s0
Target Objects /opt/google/chrome/chrome [ file ]
Source chrome
Source Path /opt/google/chrome/chrome
Port <Unknown>
Host eeepc
Source RPM Packages google-chrome-stable-14.0.835.163-101024
Target RPM Packages google-chrome-stable-14.0.835.163-101024
Policy RPM selinux-policy-3.9.16-39.fc15
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name eeepc
Platform Linux eeepc 2.6.40.4-5.fc15.i686 #1 SMP Tue Aug 30 14:54:41 UTC 2011 i686 i686
Alert Count 1
First Seen Sat 17 Sep 2011 14:23:04 CEST
Last Seen Sat 17 Sep 2011 14:23:04 CEST
Local ID 5ae8a748-7773-4b37-8e65-44f8563e73db

Raw Audit Messages
type=AVC msg=audit(1316262184.284:757): avc: denied { execmod } for pid=8910 comm="chrome" path="/opt/google/chrome/chrome" dev=dm-1 ino=1053844 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1316262184.284:757): arch=i386 syscall=mprotect success=no exit=EACCES a0=b4702000 a1=31fd000 a2=5 a3=bfa4af50 items=0 ppid=0 pid=8910 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=15 comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)
Hash: chrome,chrome_sandbox_t,execmem_exec_t,file,execmod
audit2allow
#============= chrome_sandbox_t ==============
allow chrome_sandbox_t execmem_exec_t:file execmod;
audit2allow -R
#============= chrome_sandbox_t ==============
allow chrome_sandbox_t execmem_exec_t:file execmod;
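Added example, not code from this bug, from Fedora or from setroubleshoot: a small Python parser for denial pairs like the ones quoted above. It joins each AVC record to its SYSCALL record by audit event id, maps the numeric i386 syscall (arch=40000003, syscall=125) to mprotect, expands a2=5 into PROT_READ|PROT_EXEC, and builds the same allow rule audit2allow prints; the sample records are constructed from the shape of those in this bug, and the function names and the one-entry syscall table are this example's own assumptions.

```python
import re
from collections import defaultdict
# Constructed sample in the shape of the denials quoted in this bug: an AVC
# record and its SYSCALL record share the audit event id 1316454654.308:68.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1316454654.308:68): avc: denied { execmod } for pid=2281 comm="chrome" path="/opt/google/chrome/chrome" dev=sda3 ino=2890167 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1316454654.308:68): arch=40000003 syscall=125 success=no exit=-13 a0=b4513000 a1=31fd000 a2=5 a3=bffaaaa0 items=0 pid=2281 auid=32034 uid=32034 comm="chrome" exe="/opt/google/chrome/chrome" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)
"""
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')            # key=value / key="value"
EVENT_RE = re.compile(r'msg=audit\(([\d.]+:\d+)\)')   # id shared by paired records
PERM_RE = re.compile(r'denied\s*\{\s*([^}]+?)\s*\}')  # the denied permission(s)
PROT_FLAGS = {1: "PROT_READ", 2: "PROT_WRITE", 4: "PROT_EXEC"}
I386_SYSCALLS = {"125": "mprotect"}  # arch=40000003 is AUDIT_ARCH_I386 (assumed table)

def parse_record(line):
    # One audit record -> dict of its fields; quoted values lose their quotes.
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = EVENT_RE.search(line)
    rec["event"] = m.group(1) if m else None
    m = PERM_RE.search(line)
    rec["perms"] = m.group(1).split() if m else []
    return rec

def avc_rule(avc):
    # The allow rule audit2allow would emit; a context is user:role:type[:range].
    stype, ttype = (avc[k].split(":")[2] for k in ("scontext", "tcontext"))
    return "allow %s %s:%s %s;" % (stype, ttype, avc["tclass"], " ".join(avc["perms"]))

def decode_prot(a2_hex):
    # mprotect's prot argument is logged in hex; expand it into PROT_* bits.
    prot = int(a2_hex, 16)
    return "|".join(n for bit, n in PROT_FLAGS.items() if prot & bit) or "PROT_NONE"

def explain_denials(audit_text):
    # Pair AVC and SYSCALL records by event id and summarise each denial.
    by_event = defaultdict(dict)
    for line in audit_text.splitlines():
        rec = parse_record(line)
        by_event[rec["event"]][rec.get("type")] = rec
    out = []
    for event, recs in by_event.items():
        if "AVC" not in recs:
            continue
        avc, sc = recs["AVC"], recs.get("SYSCALL", {})
        name = sc.get("syscall", "?")
        if sc.get("arch") == "40000003":  # numeric i386 syscall -> name
            name = I386_SYSCALLS.get(name, name)
        out.append({"event": event, "path": avc.get("path"), "syscall": name,
                    "prot": decode_prot(sc["a2"]) if "a2" in sc else None,
                    "rule": avc_rule(avc)})
    return out
```

An execmod denial is raised when a process asks for PROT_EXEC on a private file-backed mapping it has already written to, which the sealert suggestions address either by labelling the file textrel_shlib_t or, as the maintainers chose here, by allowing it for the chrome_sandbox_t domain.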
I believe this is fixed in the latest policy.

yum -y update selinux-policy --enablerepo=updates-testing

I don't think the latest version quite fixes this completely. I updated to the version in updates-testing:
# rpm -q selinux-policy
selinux-policy-3.9.16-39.fc15.noarch
but I still get a related AVC denial when trying to launch chrome:
# ausearch -m AVC -ts recent
----
time->Mon Sep 19 13:50:54 2011
type=SYSCALL msg=audit(1316454654.308:68): arch=40000003 syscall=125 success=no exit=-13 a0=b4513000 a1=31fd000 a2=5 a3=bffaaaa0 items=0 ppid=0 pid=2281 auid=32034 uid=32034 gid=30 euid=32034 suid=32034 fsuid=32034 egid=30 sgid=30 fsgid=30 tty=(none) ses=1 comm="chrome" exe="/opt/google/chrome/chrome" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1316454654.308:68): avc: denied { execmod } for pid=2281 comm="chrome" path="/opt/google/chrome/chrome" dev=sda3 ino=2890167 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file
----
Could you try to install the latest policy from koji http://koji.fedoraproject.org/koji/buildinfo?buildID=263146

Still looks very similar with the -40 package from koji:
Additional Information:
Source Context unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
Target Context system_u:object_r:execmem_exec_t:s0
Target Objects /opt/google/chrome/chrome [ file ]
Source chrome
Source Path /opt/google/chrome/chrome
Port <Unknown>
Host cmarcant-linuxbook
Source RPM Packages google-chrome-stable-14.0.835.163-101024
Target RPM Packages google-chrome-stable-14.0.835.163-101024
Policy RPM selinux-policy-3.9.16-40.fc15
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name <redacted>
Platform Linux <redacted> 2.6.40.4-5.fc15.i686.PAE #1 SMP Tue Aug 30 14:43:52 UTC 2011 i686 i686
Alert Count 15
First Seen Mon 19 Sep 2011 01:09:29 PM EDT
Last Seen Tue 20 Sep 2011 08:28:56 AM EDT
Local ID 2c6839da-9c53-4b8f-b360-c5b4aa89edfa
Raw Audit Messages
type=AVC msg=audit(1316521736.390:1035): avc: denied { execmod } for pid=18845 comm="chrome" path="/opt/google/chrome/chrome" dev=sda3 ino=2890167 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1316521736.390:1035): arch=i386 syscall=mprotect success=no exit=EACCES a0=b465e000 a1=31fd000 a2=5 a3=bfa4b800 items=0 ppid=0 pid=18845 auid=32034 uid=32034 gid=30 euid=32034 suid=32034 fsuid=32034 egid=30 sgid=30 fsgid=30 tty=(none) ses=1 comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)
Hash: chrome,chrome_sandbox_t,execmem_exec_t,file,execmod
selinux-policy-3.9.16-39.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.

I did a brand new f15 install today with selinux-policy-3.9.16-39.fc15 and I'm still having the same problem.
SELinux is preventing /opt/google/chrome/chrome from execmod access on the file /opt/google/chrome/chrome.
***** Plugin allow_execmod (91.4 confidence) suggests **********************
If you want to allow chrome to have execmod access on the chrome file
Then you need to change the label on '/opt/google/chrome/chrome'
Do
# semanage fcontext -a -t textrel_shlib_t '/opt/google/chrome/chrome'
# restorecon -v '/opt/google/chrome/chrome'
***** Plugin catchall (9.59 confidence) suggests ***************************
If you believe that chrome should be allowed execmod access on the chrome file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep chrome /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
Target Context system_u:object_r:execmem_exec_t:s0
Target Objects /opt/google/chrome/chrome [ file ]
Source chrome
Source Path /opt/google/chrome/chrome
Port <Unknown>
Host kazuya
Source RPM Packages google-chrome-stable-14.0.835.202-103287
Target RPM Packages google-chrome-stable-14.0.835.202-103287
Policy RPM selinux-policy-3.9.16-39.fc15
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name kazuya
Platform Linux kazuya 2.6.40.6-0.fc15.i686.PAE #1 SMP Tue Oct 4 00:44:38 UTC 2011 i686 i686
Alert Count 1
First Seen Thu 06 Oct 2011 05:47:07 PM PDT
Last Seen Thu 06 Oct 2011 05:47:07 PM PDT
Local ID de8da826-2bdc-4df4-a988-48f626b061a5
Raw Audit Messages
type=AVC msg=audit(1317948427.878:61): avc: denied { execmod } for pid=2581 comm="chrome" path="/opt/google/chrome/chrome" dev=dm-1 ino=2105964 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1317948427.878:61): arch=i386 syscall=mprotect success=no exit=EACCES a0=b451c000 a1=31ff000 a2=5 a3=bfcbeab0 items=0 ppid=0 pid=2581 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)
Hash: chrome,chrome_sandbox_t,execmem_exec_t,file,execmod
audit2allow
#============= chrome_sandbox_t ==============
allow chrome_sandbox_t execmem_exec_t:file execmod;
audit2allow -R
#============= chrome_sandbox_t ==============
allow chrome_sandbox_t execmem_exec_t:file execmod;
Could you try to install the latest policy from koji http://koji.fedoraproject.org/koji/buildinfo?buildID=263146

It was closed by Update System. And what's the command I need to run to install that latest policy from koji?

# su -c 'rpm -Uvh http://kojipkgs.fedoraproject.org/packages/selinux-policy/3.9.16/42.fc15/noarch/selinux-policy-3.9.16-42.fc15.noarch.rpm http://kojipkgs.fedoraproject.org/packages/selinux-policy/3.9.16/42.fc15/noarch/selinux-policy-targeted-3.9.16-42.fc15.noarch.rpm'

Thanks Miroslav. That works.

Previous package from koji (3.9.16-40.fc15) did not solve this issue for me. However, the latest package posted and linked above in Comment 23 (3.9.16-42.fc15) does seem to be working for me. I don't see any more AVC denials related to this BZ after upgrading to that.

3.9.16-42 worked for me too.

I too couldn't get it working until I applied the RPMs in Comment 23. (Maybe I misunderstood something, but I couldn't use the command-line as written; I had to download the RPMs and install them from local files.)

selinux-policy-3.9.16-48.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-48.fc15

Package selinux-policy-3.9.16-48.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-48.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-16023/selinux-policy-3.9.16-48.fc15
then log in and leave karma (feedback).

selinux-policy-3.9.16-48.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
Description of problem:
SELinux is preventing /opt/google/chrome/chrome from execmod access on the file /opt/google/chrome/chrome.

Version-Release number of selected component (if applicable):
selinux-policy-3.9.16-37.fc15

How reproducible:
Start Google Chrome

Steps to Reproduce:
1. Start Google Chrome

Actual results:
selinux prevents Chrome from starting

Expected results:

Additional info:
SELinux is preventing /opt/google/chrome/chrome from execmod access on the file /opt/google/chrome/chrome.

***** Plugin allow_execmod (91.4 confidence) suggests **********************
If you want to allow chrome to have execmod access on the chrome file
Then you need to change the label on '/opt/google/chrome/chrome'
Do
# semanage fcontext -a -t textrel_shlib_t '/opt/google/chrome/chrome'
# restorecon -v '/opt/google/chrome/chrome'

***** Plugin catchall (9.59 confidence) suggests ***************************
If you believe that chrome should be allowed execmod access on the chrome file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep chrome /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
Target Context system_u:object_r:execmem_exec_t:s0
Target Objects /opt/google/chrome/chrome [ file ]
Source chrome
Source Path /opt/google/chrome/chrome
Port <Unknown>
Host fedora15kde32
Source RPM Packages google-chrome-beta-14.0.835.35-96116
Target RPM Packages google-chrome-beta-14.0.835.35-96116
Policy RPM selinux-policy-3.9.16-37.fc15
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name fedora15kde32
Platform Linux fedora15kde32 2.6.40-4.fc15.i686.PAE #1 SMP Fri Jul 29 18:47:58 UTC 2011 i686 i686
Alert Count 2
First Seen Thu 11 Aug 2011 11:01:48 PM EDT
Last Seen Thu 11 Aug 2011 11:04:51 PM EDT
Local ID fba2eabc-ee92-4fc1-8f8d-6a8ca374a57e

This started after updating to Chrome version google-chrome-beta-14.0.835.35-96116. Since I've never had a problem starting Google Chrome with selinux enforcing before, and, because I don't know what plugin allow_execmod does, I'm filing it as a bug. Obviously something has changed in this version of Chrome and I don't want to allow access without reporting this problem first.