Bug 741493

Summary: SELinux is preventing /opt/google/chrome/chrome from 'execute' accesses on the file /opt/google/chrome/nacl_helper_bootstrap.
Product: Fedora
Reporter: Adam Goode <adam>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 15
CC: adam.w.royal, alioteck, arifsaha, atczaja, beland, conlinpg, dami_dami, dan, denvorhu, dev, dominick.grift, DrLoco3000, dwalsh, eblix08, ezzughayyar, florian.fahr, gregor, hanyang.945, hhlouzao, igor.redhat, kayvansylvan, liakosmath, linuxnow, maidenleo2000, mgrepl, mikhail.v.gavrilov, milos.bugzilla, mirvana-dmitry, mlschechter, mmkumar431, mvadkert, nadishancosta, old.uncle.z, patkasper.linuxfreakgraz, piyush_harsh, rivasilvercrown, roland, r.rohan123, shiv, slivkam, slutzman, smconvey, sorn.denis, sricinu, tarik, topotronic, vandenbrouckemathias, xanexp
Hardware: x86_64
OS: Linux
Whiteboard: setroubleshoot_trace_hash:4fbbf2c52ec278b2445eea4c2caefbd931e4a127a8b6a44f899d3b375c7788b8
Fixed In Version: selinux-policy-3.9.16-48.fc15
Doc Type: Bug Fix
Last Closed: 2011-12-04 02:36:27 UTC

Description Adam Goode 2011-09-27 02:46:39 UTC
SELinux is preventing /opt/google/chrome/chrome from 'execute' accesses on the file /opt/google/chrome/nacl_helper_bootstrap.

*****  Plugin catchall_labels (83.8 confidence) suggests  ********************

If you want to allow chrome to have execute access on the nacl_helper_bootstrap file
Then you need to change the label on /opt/google/chrome/nacl_helper_bootstrap
Do
# semanage fcontext -a -t FILE_TYPE '/opt/google/chrome/nacl_helper_bootstrap'
where FILE_TYPE is one of the following: textrel_shlib_t, execmem_exec_t, lib_t, chrome_sandbox_exec_t, bin_t, abrt_helper_exec_t, ld_so_t, user_tmpfs_t. 
Then execute: 
restorecon -v '/opt/google/chrome/nacl_helper_bootstrap'


*****  Plugin catchall (17.1 confidence) suggests  ***************************

If you believe that chrome should be allowed execute access on the nacl_helper_bootstrap file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep chrome /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
Target Context                system_u:object_r:usr_t:s0
Target Objects                /opt/google/chrome/nacl_helper_bootstrap [ file ]
Source                        chrome
Source Path                   /opt/google/chrome/chrome
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           google-chrome-unstable-16.0.891.0-102650
Target RPM Packages           google-chrome-unstable-16.0.891.0-102650
Policy RPM                    selinux-policy-3.9.16-38.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.40.3-0.fc15.x86_64 #1 SMP Tue Aug 16 04:10:59 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Mon 26 Sep 2011 10:44:27 PM EDT
Last Seen                     Mon 26 Sep 2011 10:44:27 PM EDT
Local ID                      981b682a-f34e-409e-88d5-c201e6050146

Raw Audit Messages
type=AVC msg=audit(1317091467.232:5039): avc:  denied  { execute } for  pid=15196 comm="chrome" name="nacl_helper_bootstrap" dev=dm-2 ino=393920 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file


type=SYSCALL msg=audit(1317091467.232:5039): arch=x86_64 syscall=execve success=no exit=EACCES a0=7f5de1d4f6a8 a1=7f5de1d7c900 a2=7fff05e654f0 a3=7fff05e626f0 items=0 ppid=1 pid=15196 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Hash: chrome,chrome_sandbox_t,usr_t,file,execute

audit2allow

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t usr_t:file execute;

audit2allow -R

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t usr_t:file execute;

Comment 1 Daniel Walsh 2011-09-27 13:25:33 UTC
Can you tell us if there are other executables under /opt/google/chrome?

ls -l  /opt/google/chrome

Miroslav, I think we should just add

files_exec_usr_files(chrome_sandbox_t)

Comment 2 Denis 2011-09-29 07:36:13 UTC
I am using Fedora 15 and this problem occurs with google-chrome-beta and google-chrome-unstable.

ls -l  /opt/google/chrome | grep ^.r.x
-rwxr-xr-x. 1 root root 62758368 Sep 24 11:51 chrome
-rwxr-xr-x. 1 root root     1667 Sep 24 11:51 google-chrome
lrwxrwxrwx. 1 root root       18 Sep 28 21:56 libbz2.so.1.0 -> /lib64/libbz2.so.1
lrwxrwxrwx. 1 root root       18 Sep 28 21:56 libnspr4.so.0d -> /lib64/libnspr4.so
lrwxrwxrwx. 1 root root       21 Sep 28 21:56 libnss3.so.1d -> /usr/lib64/libnss3.so
lrwxrwxrwx. 1 root root       25 Sep 28 21:56 libnssutil3.so.1d -> /usr/lib64/libnssutil3.so
lrwxrwxrwx. 1 root root       17 Sep 28 21:56 libplc4.so.0d -> /lib64/libplc4.so
lrwxrwxrwx. 1 root root       18 Sep 28 21:56 libplds4.so.0d -> /lib64/libplds4.so
lrwxrwxrwx. 1 root root       23 Sep 28 21:56 libsmime3.so.1d -> /usr/lib64/libsmime3.so
lrwxrwxrwx. 1 root root       21 Sep 28 21:56 libssl3.so.1d -> /usr/lib64/libssl3.so
drwxr-xr-x. 2 root root     4096 Sep 28 21:56 locales
-rwxr-xr-x. 1 root root   752464 Sep 24 11:51 nacl_helper
-rwxr-xr-x. 1 root root    70136 Sep 24 11:51 nacl_helper_bootstrap
-rwxr-xr-x. 1 root root    37394 Sep 24 11:51 xdg-mime
-rwxr-xr-x. 1 root root    33273 Sep 24 11:51 xdg-settings

Comment 3 Miroslav Grepl 2011-09-29 08:23:38 UTC
Fixed in selinux-policy-3.9.16-43.fc15

Comment 4 igor.redhat@gmail.com 2011-09-30 19:25:25 UTC
This is still happening on F16 with:

$ rpm -qi selinux-policy
Name        : selinux-policy
Version     : 3.10.0
Release     : 32.fc16
Architecture: noarch

Comment 5 john5342 2011-10-01 14:29:16 UTC
(In reply to comment #3)
> Fixed in selinux-policy-3.9.16-43.fc15

I was hoping to test/use the fix but I can't find the version specified anywhere in koji and I can't find it in git either, so I can't even do a local build. Any chance of this being made available in either of those locations?

Thanks

Comment 6 HanYang 2011-10-01 14:41:58 UTC
Do as follows:
su root
sudo grep chrome /var/log/audit/audit.log | audit2allow -M mypol
sudo semodule -i mypol.pp

On my machine, it works.
But I know it's not the best solution.

Comment 7 Dominick Grift 2011-10-01 15:54:08 UTC
chcon -t bin_t /opt/google/chrome/nacl_helper_bootstrap

Should allow /opt/google/chrome/chrome to execute /opt/google/chrome/nacl_helper_bootstrap

Comment 8 Miroslav Grepl 2011-10-03 07:13:27 UTC
This is fixed in the latest F16 build also.

Comment 9 Roland McGrath 2011-10-08 22:50:38 UTC
See https://bugzilla.redhat.com/show_bug.cgi?id=743325#c2

Comment 10 Michael Convey 2011-10-26 05:00:31 UTC
I just got this message after an update to Chrome Stable 15.0.874.102

2.6.35.14-97.fc14.x86_64

Message details:


SELinux is preventing /opt/google/chrome/chrome from execute access on the file nacl_helper_bootstrap.

*****  Plugin catchall_labels (83.8 confidence) suggests  ********************

If you want to allow chrome to have execute access on the nacl_helper_bootstrap file
Then you need to change the label on nacl_helper_bootstrap
Do
# semanage fcontext -a -t FILE_TYPE 'nacl_helper_bootstrap'
where FILE_TYPE is one of the following: execmem_exec_t, lib_t, abrt_helper_exec_t, ld_so_t, chrome_sandbox_exec_t, bin_t, textrel_shlib_t. 
Then execute: 
restorecon -v 'nacl_helper_bootstrap'


*****  Plugin catchall (17.1 confidence) suggests  ***************************

If you believe that chrome should be allowed execute access on the nacl_helper_bootstrap file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep chrome /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
Target Context                system_u:object_r:usr_t:s0
Target Objects                nacl_helper_bootstrap [ file ]
Source                        chrome
Source Path                   /opt/google/chrome/chrome
Port                          <Unknown>
Host                          XXXXXXX
Source RPM Packages           google-chrome-stable-15.0.874.102-106587
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-44.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     XXXXXXX
Platform                      Linux XXXXXXXX 2.6.35.14-97.fc14.x86_64 #1 SMP Sat Sep 17 00:15:37 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Tue 25 Oct 2011 09:41:49 PM PDT
Last Seen                     Tue 25 Oct 2011 09:41:49 PM PDT
Local ID                      3aae5d82-c6ff-4edd-b4b6-60c8e5d3a3b8

Raw Audit Messages
type=AVC msg=audit(1319604109.864:39401): avc:  denied  { execute } for  pid=3494 comm="chrome" name="nacl_helper_bootstrap" dev=dm-0 ino=275554 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file


type=SYSCALL msg=audit(1319604109.864:39401): arch=x86_64 syscall=execve success=no exit=EACCES a0=7f534703b928 a1=7f5347050760 a2=7fff54004ba0 a3=7fff540009c0 items=0 ppid=1 pid=3494 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Hash: chrome,chrome_sandbox_t,usr_t,file,execute

audit2allow

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t usr_t:file execute;

audit2allow -R

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t usr_t:file execute;

Comment 11 Miroslav Grepl 2011-10-26 07:45:56 UTC
Michael,
Could you open a new bug for F14?

Comment 12 Michael Convey 2011-10-26 13:43:18 UTC
Miroslav, this has been done. See bug 749208. Thanks.

Comment 13 Kayvan Sylvan 2011-10-27 16:09:07 UTC
(In reply to comment #6)
> Do as follows:
> su root
> sudo grep chrome /var/log/audit/audit.log | audit2allow -M mypol
> sudo semodule -i mypol.pp
> 
> On my machine, it works.
> But I know it's not the best solution.

In my system (F15 on x86_64, all the latest updates):

# grep chrome /var/log/audit/audit.log | audit2allow -M chrome

# semodule -i chrome.pp 
libsepol.print_missing_requirements: chrome's global requirements were not met: type/attribute chrome_sandbox_exec_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!

What is wrong here?

Comment 14 Daniel Walsh 2011-10-27 17:45:10 UTC
You never want to name the domain the same as the default domain.  Basically you are replacing the selinux-policy-targeted chrome.pp with your version.

This is why we always tell people to use my prefix.

# grep chrome /var/log/audit/audit.log | audit2allow -M mychrome

# semodule -i mychrome.pp
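The `grep ... | audit2allow -M` step used throughout this bug, the `allow chrome_sandbox_t usr_t:file execute;` rule it produced from the raw audit messages in the description, and the module-naming collision explained in comment 14 can all be seen in a small offline script. This is an added example, not code from the bug or from the selinux-policy project: it is a simplified reimplementation of what audit2allow does, not the tool itself. The sample log embeds the two AVC records quoted in this bug plus two constructed lines, and INSTALLED_MODULES is a constructed stand-in for `semodule -l` output. The extra check flags the pattern this bug is about (an execute denial on a generic usr_t file), where the right fix is relabeling the binary (comment 7) or a policy interface like files_exec_usr_files() (comment 1) rather than the blanket allow rule audit2allow emits.

```python
import re
from collections import OrderedDict

# Constructed sample log: the two AVC records quoted in this bug, one SYSCALL
# record (not a denial, so it is skipped), and one made-up AVC line with two
# permissions so that permission merging is visible. The last line is not
# from the bug report.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1317091467.232:5039): avc:  denied  { execute } for  pid=15196 comm="chrome" name="nacl_helper_bootstrap" dev=dm-2 ino=393920 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1317091467.232:5039): arch=x86_64 syscall=execve success=no exit=EACCES comm=chrome exe=/opt/google/chrome/chrome
type=AVC msg=audit(1319604109.864:39401): avc:  denied  { execute } for  pid=3494 comm="chrome" name="nacl_helper_bootstrap" dev=dm-0 ino=275554 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1319604200.000:39500): avc:  denied  { read write } for  pid=3500 comm="chrome" name="example.tmp" scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file
"""

# Constructed stand-in for `semodule -l` output. 'chrome' is the distribution
# module that comment 14 says a local module must not shadow.
INSTALLED_MODULES = {"chrome", "abrt", "mozilla"}

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_denials(log_text):
    """Collect denied permissions keyed by (source type, target type, class),
    which is the grouping audit2allow uses when it emits allow rules."""
    rules = OrderedDict()
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        rules.setdefault(key, set()).update(m["perms"].split())
    return rules


def render_rules(rules):
    """Render collected denials as Type Enforcement allow rules."""
    out = []
    for (src, tgt, cls), perms in rules.items():
        perms = sorted(perms)
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return out


# Generic content type(s) for which an execute denial usually means the binary
# carries the wrong label, not that the domain is missing a permission. Only
# usr_t, the type in this bug, is listed; extend as needed.
GENERIC_CONTENT_TYPES = {"usr_t"}


def mislabel_hints(rules):
    """Flag execute denials on generic content types. The fix for those is
    relabeling (chcon / semanage fcontext to bin_t, as in comment 7) or a
    policy interface such as files_exec_usr_files() (comment 1), rather than
    the broad allow rule audit2allow would generate."""
    hints = []
    for (src, tgt, cls), perms in rules.items():
        if cls == "file" and "execute" in perms and tgt in GENERIC_CONTENT_TYPES:
            hints.append(
                f"{src} tried to execute a {tgt}-labeled file: relabel the "
                f"executable to bin_t rather than allowing {src} to execute every {tgt} file"
            )
    return hints


def check_module_name(name, installed):
    """Return (ok, suggested_name). A local module named like an installed
    distribution module replaces it on `semodule -i`, which is the failure in
    comment 13; the conventional fix is the 'my' prefix from comment 14."""
    if name in installed:
        return (False, "my" + name)
    return (True, name)


if __name__ == "__main__":
    rules = parse_denials(SAMPLE_AUDIT_LOG)
    print("#============= generated rules ==============")
    for rule in render_rules(rules):
        print(rule)
    for hint in mislabel_hints(rules):
        print("hint:", hint)
    ok, name = check_module_name("chrome", INSTALLED_MODULES)
    print(f"module name 'chrome' ok={ok}; use '{name}'")
```

Run against the two records from this bug, the script produces the same `allow chrome_sandbox_t usr_t:file execute;` line the description shows under "audit2allow", and the hint points at relabeling instead. Against a real system you would feed it `grep chrome /var/log/audit/audit.log` and take the module list from `semodule -l`; the version here is only for reading the logic offline.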

Comment 15 Kayvan Sylvan 2011-10-27 17:53:59 UTC
(In reply to comment #14)
> You never want to name the domain the same as the default domain.
> Basically you are replacing the selinux-policy-targeted chrome.pp with your
> version.
> 
> This is why we always tell people to use my prefix.
> 
> # grep chrome /var/log/audit/audit.log | audit2allow -M mychrome
> 
> # semodule -i mychrome.pp

Thanks! That explains it.

Comment 16 Fedora Update System 2011-11-16 16:18:11 UTC
selinux-policy-3.9.16-48.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-48.fc15

Comment 17 Fedora Update System 2011-11-17 23:36:31 UTC
Package selinux-policy-3.9.16-48.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-48.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-16023/selinux-policy-3.9.16-48.fc15
then log in and leave karma (feedback).

Comment 18 Fedora Update System 2011-12-04 02:36:27 UTC
selinux-policy-3.9.16-48.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.