Bug 735786
| Field | Value |
|---|---|
| Summary | SELinux is preventing /opt/google/chrome/chrome from execmod access on the file /opt/google/chrome/chrome. |
| Product | Fedora |
| Reporter | Miroslav Grepl <mgrepl> |
| Component | selinux-policy |
| Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED ERRATA |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified |
| Priority | unspecified |
| Version | 14 |
| CC | amoroso, dominick.grift, dwalsh, GoinEasy9, mgrepl, req1348 |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | selinux-policy-3.9.7-46.fc14 |
| Doc Type | Bug Fix |
| Story Points | --- |
| Clone Of | 730179 |
| Last Closed | 2011-10-30 00:34:29 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Depends On | 730179 |
Description
Miroslav Grepl
2011-09-05 11:44:29 UTC
I was the original poster on Bug #730179. While using semanage and restorecon and eventual updates to selinux-policy worked to fix most of my Fedora 15 installs, I'm still unable to bring up Chrome on one of my laptops. The error message is the same, so I will post it here:

```
SELinux is preventing /opt/google/chrome/chrome from execmod access on the file /opt/google/chrome/chrome.

*****  Plugin allow_execmod (91.4 confidence) suggests  **********************

If you want to allow chrome to have execmod access on the chrome file
Then you need to change the label on '/opt/google/chrome/chrome'
Do
# semanage fcontext -a -t textrel_shlib_t '/opt/google/chrome/chrome'
# restorecon -v '/opt/google/chrome/chrome'

*****  Plugin catchall (9.59 confidence) suggests  ***************************

If you believe that chrome should be allowed execmod access on the chrome file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep chrome /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
Target Context                system_u:object_r:execmem_exec_t:s0
Target Objects                /opt/google/chrome/chrome [ file ]
Source                        chrome
Source Path                   /opt/google/chrome/chrome
Port                          <Unknown>
Host                          fedora15kde13
Source RPM Packages           google-chrome-beta-14.0.835.186-101821
Target RPM Packages           google-chrome-beta-14.0.835.186-101821
Policy RPM                    selinux-policy-3.9.16-39.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora15kde13
Platform                      Linux fedora15kde13 2.6.40.4-5.fc15.i686.PAE #1 SMP Tue Aug 30 14:43:52 UTC 2011 i686 i686
Alert Count                   10
First Seen                    Sun 11 Sep 2011 12:45:21 PM EDT
Last Seen                     Wed 21 Sep 2011 03:05:02 PM EDT
Local ID                      dcb35aff-6145-4031-99ea-97a498cda60f

Raw Audit Messages
type=AVC msg=audit(1316631902.906:72): avc:  denied  { execmod } for  pid=3233 comm="chrome" path="/opt/google/chrome/chrome" dev=sda6 ino=917513 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file

type=SYSCALL msg=audit(1316631902.906:72): arch=i386 syscall=mprotect success=no exit=EACCES a0=b4549000 a1=31fd000 a2=5 a3=bfaaf2f0 items=0 ppid=0 pid=3233 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Hash: chrome,chrome_sandbox_t,execmem_exec_t,file,execmod

audit2allow

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t execmem_exec_t:file execmod;

audit2allow -R

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t execmem_exec_t:file execmod;
```

I have tried to manually fix this install for a while now, but it is getting frustrating. I do not have the knowledge of selinux to dig deeper into the problem. This is what happens when I try to fix it manually using the solution in the AVC troubleshooter details:

```
# semanage fcontext -a -t textrel_shlib_t '/opt/google/chrome/chrome'
libsemanage.semanage_read_policydb: Could not open kernel policy /etc/selinux/targeted/modules/active/policy.kern for reading. (No such file or directory).
/usr/sbin/semanage: Could not test MLS enabled status
```

There is no file policy.kern in folder /etc/selinux/targeted/modules/active/. I checked and it is not present in my working main install either. So I try:

```
# semodule -i mypol.pp
libsemanage.semanage_link_sandbox: Could not access sandbox base file /etc/selinux/targeted/modules/tmp/base.pp. (No such file or directory).
semodule: Failed!
```

There is no /tmp/base.pp in /etc/selinux/targeted/modules/ although, since it's a tmp file, I wasn't expecting to find it after the fact. So that's where I am. I tried removing and reinstalling Chrome with the same results. I also tried turning off selinux and then re-enabling it, letting it reassign as it rebooted, with the same result. Help please.

---

This looks like your /etc/selinux/targeted directories have been corrupted somehow. Try

```
yum reinstall selinux-policy-targeted
```

to see if this fixes the problem.

---

Thank you for the response. I tried reinstalling. Result failed.

```
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : selinux-policy-targeted-3.9.16-39.fc15.noarch
libsemanage.semanage_reload_policy: load_policy returned error code 2.
libsemanage.semanage_install_active: Could not copy /etc/selinux/targeted/modules/active/policy.kern to /etc/selinux/targeted/policy/policy.24. (No such file or directory).
semodule: Failed!

Installed:
  selinux-policy-targeted.noarch 0:3.9.16-39.fc15

Complete!
```

There is a file policy.24 in /etc/selinux/targeted/policy/. Thanks for your help.

---

I can't tell from your message above: are you all set now or still broken?

---

Still broken:

```
SELinux is preventing /opt/google/chrome/chrome from execmod access on the file /opt/google/chrome/chrome.

*****  Plugin allow_execmod (91.4 confidence) suggests  **********************

If you want to allow chrome to have execmod access on the chrome file
Then you need to change the label on '/opt/google/chrome/chrome'
Do
# semanage fcontext -a -t textrel_shlib_t '/opt/google/chrome/chrome'
# restorecon -v '/opt/google/chrome/chrome'

*****  Plugin catchall (9.59 confidence) suggests  ***************************

If you believe that chrome should be allowed execmod access on the chrome file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep chrome /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
Target Context                system_u:object_r:execmem_exec_t:s0
Target Objects                /opt/google/chrome/chrome [ file ]
Source                        chrome
Source Path                   /opt/google/chrome/chrome
Port                          <Unknown>
Host                          fedora15kde13
Source RPM Packages           google-chrome-beta-14.0.835.186-101821
Target RPM Packages           google-chrome-beta-14.0.835.186-101821
Policy RPM                    selinux-policy-3.9.16-39.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora15kde13
Platform                      Linux fedora15kde13 2.6.40.4-5.fc15.i686.PAE #1 SMP Tue Aug 30 14:43:52 UTC 2011 i686 i686
Alert Count                   11
First Seen                    Sun 11 Sep 2011 12:45:21 PM EDT
Last Seen                     Fri 23 Sep 2011 04:03:11 PM EDT
Local ID                      dcb35aff-6145-4031-99ea-97a498cda60f

Raw Audit Messages
type=AVC msg=audit(1316808191.697:95): avc:  denied  { execmod } for  pid=7789 comm="chrome" path="/opt/google/chrome/chrome" dev=sda6 ino=917513 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file

type=SYSCALL msg=audit(1316808191.697:95): arch=i386 syscall=mprotect success=no exit=EACCES a0=b45e4000 a1=31fd000 a2=5 a3=bfbfcf30 items=0 ppid=0 pid=7789 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Hash: chrome,chrome_sandbox_t,execmem_exec_t,file,execmod

audit2allow

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t execmem_exec_t:file execmod;

audit2allow -R

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t execmem_exec_t:file execmod;
```

Then when trying the fix:

```
# semanage fcontext -a -t textrel_shlib_t '/opt/google/chrome/chrome'
libsemanage.semanage_read_policydb: Could not open kernel policy /etc/selinux/targeted/modules/active/policy.kern for reading. (No such file or directory).
/usr/sbin/semanage: Could not test MLS enabled status
```

Or when trying the temporary fix:

```
# grep chrome /var/log/audit/audit.log | audit2allow -M mypol
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i mypol.pp

# semodule -i mypol.pp
libsemanage.semanage_link_sandbox: Could not access sandbox base file /etc/selinux/targeted/modules/tmp/base.pp. (No such file or directory).
semodule: Failed!
```

I see where the confusion comes in: it does say Installed and Complete, but it does say the commands failed. The only AVC error comes when trying to start chrome.

---

Ok. Not sure how this machine got screwed up, but execute the following:

```
# setenforce 0
# rm -rf /etc/selinux/targeted
# yum -y reinstall selinux-policy-targeted
# restorecon -R -v /etc/selinux/targeted
# setenforce 1
```

And you should be good to go with the latest policy. I also added a fix for the AVC which you see.

---

Well, there must be something very strange going on here. I used the commands:

```
# setenforce 0
# rm -rf /etc/selinux/targeted
# yum -y reinstall selinux-policy-targeted
# restorecon -R -v /etc/selinux/targeted
# setenforce 1
```

All finished successfully. Tried to open chrome, which is now on Beta 15, and, once again, the AVC error:

```
SELinux is preventing /opt/google/chrome/chrome from execmod access on the file /opt/google/chrome/chrome.

*****  Plugin allow_execmod (91.4 confidence) suggests  **********************

If you want to allow chrome to have execmod access on the chrome file
Then you need to change the label on '/opt/google/chrome/chrome'
Do
# semanage fcontext -a -t textrel_shlib_t '/opt/google/chrome/chrome'
# restorecon -v '/opt/google/chrome/chrome'

*****  Plugin catchall (9.59 confidence) suggests  ***************************

If you believe that chrome should be allowed execmod access on the chrome file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep chrome /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
Target Context                system_u:object_r:execmem_exec_t:s0
Target Objects                /opt/google/chrome/chrome [ file ]
Source                        chrome
Source Path                   /opt/google/chrome/chrome
Port                          <Unknown>
Host                          fedora15kde13
Source RPM Packages           google-chrome-beta-15.0.874.21-101896
Target RPM Packages           google-chrome-beta-15.0.874.21-101896
Policy RPM                    selinux-policy-3.9.16-39.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora15kde13
Platform                      Linux fedora15kde13 2.6.40.4-5.fc15.i686.PAE #1 SMP Tue Aug 30 14:43:52 UTC 2011 i686 i686
Alert Count                   14
First Seen                    Sun 11 Sep 2011 12:45:21 PM EDT
Last Seen                     Tue 27 Sep 2011 11:45:57 AM EDT
Local ID                      dcb35aff-6145-4031-99ea-97a498cda60f

Raw Audit Messages
type=AVC msg=audit(1317138357.861:51): avc:  denied  { execmod } for  pid=2172 comm="chrome" path="/opt/google/chrome/chrome" dev=sda6 ino=934907 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file

type=SYSCALL msg=audit(1317138357.861:51): arch=i386 syscall=mprotect success=no exit=EACCES a0=b43c7000 a1=3372000 a2=5 a3=bfa3f560 items=0 ppid=0 pid=2172 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Hash: chrome,chrome_sandbox_t,execmem_exec_t,file,execmod

audit2allow

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t execmem_exec_t:file execmod;

audit2allow -R

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t execmem_exec_t:file execmod;
```

And then trying to use the workaround, I got the same error as before:

```
# semanage fcontext -a -t textrel_shlib_t '/opt/google/chrome/chrome'
libsemanage.semanage_read_policydb: Could not open kernel policy /etc/selinux/targeted/modules/active/policy.kern for reading. (No such file or directory).
usr/sbin/semanage: Could not test MLS enabled status
```

Any other suggestions? Can selinux be totally wiped and then reinstalled?

---

selinux-policy-3.9.7-46.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-46.fc14

---

Package selinux-policy-3.9.7-46.fc14:
* should fix your issue,
* was pushed to the Fedora 14 testing repository,
* should be available at your local mirror within two days.

Update it with:

```
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.7-46.fc14'
```

as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-14734
then log in and leave karma (feedback).

---

selinux-policy-3.9.7-46.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.
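The AVC and SYSCALL records quoted in this thread, parsed and triaged so the denial is understood before any policy is relaxed: this is an added example, not part of the bug report or of Fedora's selinux-policy tooling, and it relies only on the standard audit record keys visible above (the `W^X` permission set and the `PROT_*` decoding are the example's own additions).

```python
import re

# Audit records quoted from the bug report above (pid, inode and address values are
# the reporter's); the parsing and triage logic is an added example, not Fedora tooling.
AVC = ('type=AVC msg=audit(1316631902.906:72): avc: denied { execmod } for pid=3233 '
       'comm="chrome" path="/opt/google/chrome/chrome" dev=sda6 ino=917513 '
       'scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 '
       'tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file')
SYSCALL = ('type=SYSCALL msg=audit(1316631902.906:72): arch=i386 syscall=mprotect '
           'success=no exit=EACCES a0=b4549000 a1=31fd000 a2=5 a3=bfaaf2f0 items=0 '
           'ppid=0 pid=3233 auid=500 uid=500 comm=chrome exe=/opt/google/chrome/chrome')
PROT = {1: "PROT_READ", 2: "PROT_WRITE", 4: "PROT_EXEC"}
# Permissions that relax W^X; a denial on one of them deserves review, not a reflexive audit2allow.
MEMORY_PERMS = {"execmod", "execmem", "execstack", "execheap"}

def parse_record(line):
    """One audit record -> dict of key=value fields, plus 'perms' for AVC records."""
    rec = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    denied = re.search(r'denied\s+\{\s*([^}]+)\}', line)
    if denied:
        rec["perms"] = set(denied.group(1).split())
    return rec

def selinux_type(context):
    # user:role:type[:range] -> type, e.g. chrome_sandbox_t
    return context.split(":")[2]

def decode_prot(hexval):
    """mprotect's third argument (a2) is the protection bitmask, logged in hex."""
    flags = int(hexval, 16)
    return "|".join(name for bit, name in PROT.items() if flags & bit) or "PROT_NONE"

def triage(avc_line, syscall_line):
    avc, sc = parse_record(avc_line), parse_record(syscall_line)
    if avc["msg"] != sc["msg"]:  # same audit serial => same event
        raise ValueError("records belong to different audit events")
    result = {
        "source_type": selinux_type(avc["scontext"]),
        "target_type": selinux_type(avc["tcontext"]),
        "tclass": avc["tclass"],
        "perms": avc["perms"],
        "syscall": sc["syscall"],
        "prot": decode_prot(sc["a2"]) if sc["syscall"] == "mprotect" else None,
    }
    result["memory_protection_denial"] = bool(result["perms"] & MEMORY_PERMS)
    # The rule audit2allow would emit, so a reviewer sees what a local module grants.
    result["audit2allow_rule"] = "allow %s %s:%s %s;" % (
        result["source_type"], result["target_type"], result["tclass"], " ".join(sorted(result["perms"])))
    return result
```

For the records above the result shows a PROT_READ|PROT_EXEC mprotect from the confined chrome_sandbox_t domain on a file labelled execmem_exec_t, and the exact rule the troubleshooter's audit2allow step would add to that sandbox.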