Bug 735786

Summary: SELinux is preventing /opt/google/chrome/chrome from execmod access on the file /opt/google/chrome/chrome.
Product: Fedora
Reporter: Miroslav Grepl <mgrepl>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 14
CC: amoroso, dominick.grift, dwalsh, GoinEasy9, mgrepl, req1348
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-3.9.7-46.fc14
Doc Type: Bug Fix
Clone Of: 730179
Last Closed: 2011-10-30 00:34:29 UTC
Bug Depends On: 730179

Description Miroslav Grepl 2011-09-05 11:44:29 UTC
+++ This bug was initially created as a clone of Bug #730179 +++

Description of problem:
SELinux is preventing /opt/google/chrome/chrome from execmod access on the file /opt/google/chrome/chrome.

Version-Release number of selected component (if applicable):
selinux-policy-3.9.16-37.fc15

How reproducible:
Start Google Chrome

Steps to Reproduce:
1. Start Google Chrome

Actual results:
selinux prevents Chrome from starting

Expected results:


Additional info:
SELinux is preventing /opt/google/chrome/chrome from execmod access on the file /opt/google/chrome/chrome.

*****  Plugin allow_execmod (91.4 confidence) suggests  **********************

If you want to allow chrome to have execmod access on the chrome file
Then you need to change the label on '/opt/google/chrome/chrome'
Do
# semanage fcontext -a -t textrel_shlib_t '/opt/google/chrome/chrome'
# restorecon -v '/opt/google/chrome/chrome'

*****  Plugin catchall (9.59 confidence) suggests  ***************************

If you believe that chrome should be allowed execmod access on the chrome file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep chrome /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
                              0.c1023
Target Context                system_u:object_r:execmem_exec_t:s0
Target Objects                /opt/google/chrome/chrome [ file ]
Source                        chrome
Source Path                   /opt/google/chrome/chrome
Port                          <Unknown>
Host                          fedora15kde32
Source RPM Packages           google-chrome-beta-14.0.835.35-96116
Target RPM Packages           google-chrome-beta-14.0.835.35-96116
Policy RPM                    selinux-policy-3.9.16-37.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora15kde32
Platform                      Linux fedora15kde32 2.6.40-4.fc15.i686.PAE #1 SMP
                              Fri Jul 29 18:47:58 UTC 2011 i686 i686
Alert Count                   2
First Seen                    Thu 11 Aug 2011 11:01:48 PM EDT
Last Seen                     Thu 11 Aug 2011 11:04:51 PM EDT
Local ID                      fba2eabc-ee92-4fc1-8f8d-6a8ca374a57e


This started after updating to Chrome version google-chrome-beta-14.0.835.35-96116

Since I've never had a problem starting Google Chrome with selinux enforcing before, and, because I don't know what plugin allow_execmod does, I'm filing it as a bug.  Obviously something has changed in this version of Chrome and I don't want to allow access without reporting this problem first.

--- Additional comment from dwalsh on 2011-08-12 06:49:35 EDT ---

Please include the AVC data.

--- Additional comment from GoinEasy9 on 2011-08-12 22:12:00 EDT ---

Sorry, I thought I copied the whole thing:


Raw Audit Messages
type=AVC msg=audit(1313201544.117:85): avc:  denied  { execmod } for  pid=2527 comm="chrome" path="/opt/google/chrome/chrome" dev=sda2 ino=6291521 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file


type=SYSCALL msg=audit(1313201544.117:85): arch=i386 syscall=mprotect success=no exit=EACCES a0=b4684000 a1=31e9000 a2=5 a3=bfad2be0 items=0 ppid=0 pid=2527 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Hash: chrome,chrome_sandbox_t,execmem_exec_t,file,execmod

audit2allow

--- Additional comment from dwalsh on 2011-08-15 07:19:42 EDT ---

It is very strange to see an executable requiring execmod privs; these are usually shared libraries.

Miroslav I added the allow rules for this to F16.

	execmem_execmod(chrome_sandbox_t)

--- Additional comment from dwalsh on 2011-08-15 07:24:06 EDT ---

*** Bug 730406 has been marked as a duplicate of this bug. ***

--- Additional comment from GoinEasy9 on 2011-08-18 03:04:02 EDT ---

Will the rule be added to F15, or should I manually adjust it?  Have you determined the reason for the AVC error yet?

--- Additional comment from mgrepl on 2011-08-22 06:25:19 EDT ---

Yes, added to selinux-policy-3.9.16-39.fc15

--- Additional comment from amoroso on 2011-08-31 04:29:01 EDT ---

Has the updated selinux-policy-3.9.16-39.fc15 been deployed? It hasn't shown up on my up to date Fedora 15 box yet. I still have selinux-policy-3.9.16-35.fc15. I got a couple of update batches with dozens of packages since selinux-policy was fixed, but not selinux-policy-3.9.16-39.fc15.

--- Additional comment from dwalsh on 2011-08-31 10:29:52 EDT ---

selinux-policy-3.9.16-38.fc15 is in testing now, so your fix will be in the next testing push.

--- Additional comment from beland.edu on 2011-09-03 23:55:18 EDT ---

Created attachment 521356 [details]
SELinux problem report for Fedora 14 google-chrome-beta-14.0.835.126-99097.i386

FYI, I am having the same problem on Fedora 14.  SELinux problem report attached.

Comment 1 GoinEasy9 2011-09-21 19:32:18 UTC
I was the original poster on Bug #730179.  While using semanage and restorecon and eventual updates to selinux-policy worked to fix most of my Fedora 15 installs, I'm still unable to bring up Chrome on one of my laptops.  The error message is the same, so I will post it here:

SELinux is preventing /opt/google/chrome/chrome from execmod access on the file /opt/google/chrome/chrome.

*****  Plugin allow_execmod (91.4 confidence) suggests  **********************

If you want to allow chrome to have execmod access on the chrome file
Then you need to change the label on '/opt/google/chrome/chrome'
Do
# semanage fcontext -a -t textrel_shlib_t '/opt/google/chrome/chrome'
# restorecon -v '/opt/google/chrome/chrome'

*****  Plugin catchall (9.59 confidence) suggests  ***************************

If you believe that chrome should be allowed execmod access on the chrome file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep chrome /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
                              0.c1023
Target Context                system_u:object_r:execmem_exec_t:s0
Target Objects                /opt/google/chrome/chrome [ file ]
Source                        chrome
Source Path                   /opt/google/chrome/chrome
Port                          <Unknown>
Host                          fedora15kde13
Source RPM Packages           google-chrome-beta-14.0.835.186-101821
Target RPM Packages           google-chrome-beta-14.0.835.186-101821
Policy RPM                    selinux-policy-3.9.16-39.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora15kde13
Platform                      Linux fedora15kde13 2.6.40.4-5.fc15.i686.PAE #1
                              SMP Tue Aug 30 14:43:52 UTC 2011 i686 i686
Alert Count                   10
First Seen                    Sun 11 Sep 2011 12:45:21 PM EDT
Last Seen                     Wed 21 Sep 2011 03:05:02 PM EDT
Local ID                      dcb35aff-6145-4031-99ea-97a498cda60f

Raw Audit Messages
type=AVC msg=audit(1316631902.906:72): avc:  denied  { execmod } for  pid=3233 comm="chrome" path="/opt/google/chrome/chrome" dev=sda6 ino=917513 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file


type=SYSCALL msg=audit(1316631902.906:72): arch=i386 syscall=mprotect success=no exit=EACCES a0=b4549000 a1=31fd000 a2=5 a3=bfaaf2f0 items=0 ppid=0 pid=3233 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Hash: chrome,chrome_sandbox_t,execmem_exec_t,file,execmod

audit2allow

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t execmem_exec_t:file execmod;

audit2allow -R

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t execmem_exec_t:file execmod;

I have tried to manually fix this install for a while now, but it is getting frustrating.  I do not have the knowledge of selinux to dig deeper into the problem.  This is what happens when I try to fix it manually using the solution in the AVC troubleshooter details.

# semanage fcontext -a -t textrel_shlib_t '/opt/google/chrome/chrome'
libsemanage.semanage_read_policydb: Could not open kernel policy /etc/selinux/targeted/modules/active/policy.kern for reading. (No such file or directory).
/usr/sbin/semanage: Could not test MLS enabled status

There is no file policy.kern in folder /etc/selinux/targeted/modules/active/.  I checked and it is not present in my working main install either.

So I try:

# semodule -i mypol.pp
libsemanage.semanage_link_sandbox: Could not access sandbox base file /etc/selinux/targeted/modules/tmp/base.pp. (No such file or directory).
semodule:  Failed!

There is no tmp/base.pp in /etc/selinux/targeted/modules/, although, since it's a tmp file, I wasn't expecting to find it after the fact.

So that's where I am. I tried removing and reinstalling Chrome with the same results.  I also tried turning off selinux and then re-enabling it, letting it reassign as it rebooted with the same result.  Help please.
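The raw audit records above are the primary evidence in this thread, and sealert/audit2allow derive two things from them: the `Hash:` signature line and the `allow` rule. The execmod permission itself is checked when a process calls mprotect() to make a private, file-backed mapping executable after that mapping has been written to (text relocations), which is why the troubleshooter proposes the textrel_shlib_t label. The following is an added example for triaging such denials offline; it is not code from the bug report or from the selinux-policy package. It parses the two records GoinEasy9 pasted in Comment 1 (copied verbatim as sample input), joins them on the audit serial, decodes the mprotect prot argument (a2=5), and reproduces the `Hash:` line and the audit2allow rule shown above. The multi-permission formatting of the hash is an assumption, since this bug only shows a single-permission case.

```python
"""Parse raw SELinux AVC/SYSCALL audit records and reproduce the derived
artifacts that sealert and audit2allow print for them.

Added example for this bug report; not part of selinux-policy or setroubleshoot.
"""
import re
from dataclasses import dataclass, field

# Sample input: the two audit records from Comment 1 (one event, serial 1316631902.906:72).
SAMPLE_LOG = [
    'type=AVC msg=audit(1316631902.906:72): avc:  denied  { execmod } for  pid=3233 comm="chrome" path="/opt/google/chrome/chrome" dev=sda6 ino=917513 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1316631902.906:72): arch=i386 syscall=mprotect success=no exit=EACCES a0=b4549000 a1=31fd000 a2=5 a3=bfaaf2f0 items=0 ppid=0 pid=3233 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)',
]

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')            # key=value or key="quoted value"
_MSG = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')  # timestamp and serial shared by one event
_PERMS = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')

# mprotect(2) protection bits; auditd prints syscall arguments in hex.
PROT_FLAGS = {1: "PROT_READ", 2: "PROT_WRITE", 4: "PROT_EXEC"}


def fields(line: str) -> dict:
    """Split an audit record into its key=value pairs, stripping quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def context_type(ctx: str) -> str:
    """Return the type (third component) of a user:role:type[:range] context."""
    return ctx.split(":")[2]


@dataclass
class AvcDenial:
    serial: str
    result: str
    perms: list
    comm: str
    path: str
    scontext: str
    tcontext: str
    tclass: str
    prot: list = field(default_factory=list)  # filled from the matching SYSCALL record


def parse_avc(line: str) -> AvcDenial:
    """Parse one type=AVC record into a structured denial."""
    f = fields(line)
    if f.get("type") != "AVC":
        raise ValueError("not an AVC record")
    ts, serial = _MSG.search(line).groups()
    m = _PERMS.search(line)
    return AvcDenial(
        serial=f"{ts}:{serial}", result=m.group(1), perms=m.group(2).split(),
        comm=f["comm"], path=f.get("path", ""), scontext=f["scontext"],
        tcontext=f["tcontext"], tclass=f["tclass"],
    )


def decode_prot(hexval: str) -> list:
    """Decode mprotect's prot argument (a2, hex) into flag names, e.g. '5' -> READ|EXEC."""
    v = int(hexval, 16)
    return [name for bit, name in PROT_FLAGS.items() if v & bit]


def correlate(lines) -> list:
    """Join each AVC record with the mprotect SYSCALL record sharing its audit serial."""
    denials, prots = {}, {}
    for line in lines:
        f = fields(line)
        ts, serial = _MSG.search(line).groups()
        key = f"{ts}:{serial}"
        if f.get("type") == "AVC":
            denials[key] = parse_avc(line)
        elif f.get("type") == "SYSCALL" and f.get("syscall") == "mprotect":
            prots[key] = decode_prot(f["a2"])
    for key, d in denials.items():
        d.prot = prots.get(key, [])
    return list(denials.values())


def allow_rule(d: AvcDenial) -> str:
    """The rule audit2allow emits for this denial (types only; MLS range is dropped)."""
    perms = d.perms[0] if len(d.perms) == 1 else "{ " + " ".join(d.perms) + " }"
    return f"allow {context_type(d.scontext)} {context_type(d.tcontext)}:{d.tclass} {perms};"


def setroubleshoot_hash(d: AvcDenial) -> str:
    """The 'Hash:' signature shown in this bug: comm,source type,target type,class,perms.
    Joining several perms with commas is an assumption; the bug only shows one perm."""
    return ",".join([d.comm, context_type(d.scontext), context_type(d.tcontext), d.tclass, *d.perms])


if __name__ == "__main__":
    for d in correlate(SAMPLE_LOG):
        print(f"{d.serial} {d.result} {d.comm} -> {d.path} prot={'|'.join(d.prot)}")
        print("Hash:", setroubleshoot_hash(d))
        print(allow_rule(d))
```

Run against the two records it prints `prot=PROT_READ|PROT_EXEC`, the same `Hash:` line, and the same `allow chrome_sandbox_t execmem_exec_t:file execmod;` that audit2allow produced in the comment. Triaging this way (source type, target type, which syscall and protection bits tripped the check) is what lets a policy maintainer decide between a relabel, as the allow_execmod plugin suggests, and a policy change, as was done in selinux-policy.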

Comment 2 Daniel Walsh 2011-09-21 19:47:18 UTC
This looks like your /etc/selinux/targeted directories have been corrupted somehow.

Try

yum reinstall selinux-policy-targeted

to see if this fixes the problem.

Comment 3 GoinEasy9 2011-09-23 02:53:45 UTC
Thank you for the response.  I tried reinstalling.  Result failed.

Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : selinux-policy-targeted-3.9.16-39.fc15.noarch
libsemanage.semanage_reload_policy: load_policy returned error code 2.
libsemanage.semanage_install_active: Could not copy /etc/selinux/targeted/modules/active/policy.kern to /etc/selinux/targeted/policy/policy.24. (No such file or directory).
semodule:  Failed!

Installed:
selinux-policy-targeted.noarch 0:3.9.16-39.fc15

Complete!

There is a file policy.24 in /etc/selinux/targeted/policy/

Thanks for your help.

Comment 4 Daniel Walsh 2011-09-23 19:07:15 UTC
I can't tell from your message above: are you all set now or still broken?

Comment 5 GoinEasy9 2011-09-23 20:17:30 UTC
Still broken:

SELinux is preventing /opt/google/chrome/chrome from execmod access on the file /opt/google/chrome/chrome.

*****  Plugin allow_execmod (91.4 confidence) suggests  **********************

If you want to allow chrome to have execmod access on the chrome file
Then you need to change the label on '/opt/google/chrome/chrome'
Do
# semanage fcontext -a -t textrel_shlib_t '/opt/google/chrome/chrome'
# restorecon -v '/opt/google/chrome/chrome'

*****  Plugin catchall (9.59 confidence) suggests  ***************************

If you believe that chrome should be allowed execmod access on the chrome file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep chrome /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
                              0.c1023
Target Context                system_u:object_r:execmem_exec_t:s0
Target Objects                /opt/google/chrome/chrome [ file ]
Source                        chrome
Source Path                   /opt/google/chrome/chrome
Port                          <Unknown>
Host                          fedora15kde13
Source RPM Packages           google-chrome-beta-14.0.835.186-101821
Target RPM Packages           google-chrome-beta-14.0.835.186-101821
Policy RPM                    selinux-policy-3.9.16-39.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora15kde13
Platform                      Linux fedora15kde13 2.6.40.4-5.fc15.i686.PAE #1
                              SMP Tue Aug 30 14:43:52 UTC 2011 i686 i686
Alert Count                   11
First Seen                    Sun 11 Sep 2011 12:45:21 PM EDT
Last Seen                     Fri 23 Sep 2011 04:03:11 PM EDT
Local ID                      dcb35aff-6145-4031-99ea-97a498cda60f

Raw Audit Messages
type=AVC msg=audit(1316808191.697:95): avc:  denied  { execmod } for  pid=7789 comm="chrome" path="/opt/google/chrome/chrome" dev=sda6 ino=917513 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file


type=SYSCALL msg=audit(1316808191.697:95): arch=i386 syscall=mprotect success=no exit=EACCES a0=b45e4000 a1=31fd000 a2=5 a3=bfbfcf30 items=0 ppid=0 pid=7789 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Hash: chrome,chrome_sandbox_t,execmem_exec_t,file,execmod

audit2allow

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t execmem_exec_t:file execmod;

audit2allow -R

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t execmem_exec_t:file execmod;

Then when trying the fix:

# semanage fcontext -a -t textrel_shlib_t '/opt/google/chrome/chrome'
libsemanage.semanage_read_policydb: Could not open kernel policy /etc/selinux/targeted/modules/active/policy.kern for reading. (No such file or directory).
/usr/sbin/semanage: Could not test MLS enabled status

Or when trying the temporary fix:

# grep chrome /var/log/audit/audit.log | audit2allow -M mypol
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i mypol.pp
# semodule -i mypol.pp
libsemanage.semanage_link_sandbox: Could not access sandbox base file /etc/selinux/targeted/modules/tmp/base.pp. (No such file or directory).
semodule:  Failed!

I see where the confusion comes in: it does say Installed and Complete, but it also says the commands failed.  The only AVC error comes when trying to start chrome.

Comment 6 Daniel Walsh 2011-09-23 21:05:54 UTC
OK, not sure how this machine got screwed up, but execute the following:

# setenforce 0
# rm -rf /etc/selinux/targeted
# yum -y reinstall selinux-policy-targeted
# restorecon -R -v /etc/selinux/targeted
# setenforce 1

And you should be good to go with the latest policy.

Comment 7 Miroslav Grepl 2011-09-26 08:54:54 UTC
I also added a fix for the AVC which you see.

Comment 8 GoinEasy9 2011-09-27 16:03:37 UTC
Well, there must be something very strange going on here.  I used the commands:
# setenforce 0
# rm -rf /etc/selinux/targeted
# yum -y reinstall selinux-policy-targeted
# restorecon -R -v /etc/selinux/targeted
# setenforce 1

All finished successfully.  Tried to open Chrome, which is now on Beta 15, and, once again, the AVC error.

SELinux is preventing /opt/google/chrome/chrome from execmod access on the file /opt/google/chrome/chrome.

*****  Plugin allow_execmod (91.4 confidence) suggests  **********************

If you want to allow chrome to have execmod access on the chrome file
Then you need to change the label on '/opt/google/chrome/chrome'
Do
# semanage fcontext -a -t textrel_shlib_t '/opt/google/chrome/chrome'
# restorecon -v '/opt/google/chrome/chrome'

*****  Plugin catchall (9.59 confidence) suggests  ***************************

If you believe that chrome should be allowed execmod access on the chrome file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep chrome /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
                              0.c1023
Target Context                system_u:object_r:execmem_exec_t:s0
Target Objects                /opt/google/chrome/chrome [ file ]
Source                        chrome
Source Path                   /opt/google/chrome/chrome
Port                          <Unknown>
Host                          fedora15kde13
Source RPM Packages           google-chrome-beta-15.0.874.21-101896
Target RPM Packages           google-chrome-beta-15.0.874.21-101896
Policy RPM                    selinux-policy-3.9.16-39.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora15kde13
Platform                      Linux fedora15kde13 2.6.40.4-5.fc15.i686.PAE #1
                              SMP Tue Aug 30 14:43:52 UTC 2011 i686 i686
Alert Count                   14
First Seen                    Sun 11 Sep 2011 12:45:21 PM EDT
Last Seen                     Tue 27 Sep 2011 11:45:57 AM EDT
Local ID                      dcb35aff-6145-4031-99ea-97a498cda60f

Raw Audit Messages
type=AVC msg=audit(1317138357.861:51): avc:  denied  { execmod } for  pid=2172 comm="chrome" path="/opt/google/chrome/chrome" dev=sda6 ino=934907 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file


type=SYSCALL msg=audit(1317138357.861:51): arch=i386 syscall=mprotect success=no exit=EACCES a0=b43c7000 a1=3372000 a2=5 a3=bfa3f560 items=0 ppid=0 pid=2172 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Hash: chrome,chrome_sandbox_t,execmem_exec_t,file,execmod

audit2allow

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t execmem_exec_t:file execmod;

audit2allow -R

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t execmem_exec_t:file execmod;

And then trying to use the workaround, I got the same error as before:

# semanage fcontext -a -t textrel_shlib_t '/opt/google/chrome/chrome'
libsemanage.semanage_read_policydb: Could not open kernel policy /etc/selinux/targeted/modules/active/policy.kern for reading. (No such file or directory).
usr/sbin/semanage: Could not test MLS enabled status

Any other suggestions?  Can selinux be totally wiped and then reinstalled?

Comment 9 Fedora Update System 2011-10-20 11:58:31 UTC
selinux-policy-3.9.7-46.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-46.fc14

Comment 10 Fedora Update System 2011-10-22 08:21:48 UTC
Package selinux-policy-3.9.7-46.fc14:
* should fix your issue,
* was pushed to the Fedora 14 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.7-46.fc14'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-14734
then log in and leave karma (feedback).

Comment 11 Fedora Update System 2011-10-30 00:34:29 UTC
selinux-policy-3.9.7-46.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.