Bug 1053311 - SELinux is preventing /opt/google/chrome/chrome from 'execute' accesses on the file /home/leithal/Downloads/Zotero_linux-x86_64/xulrunner/libnss3.so.
Summary: SELinux is preventing /opt/google/chrome/chrome from 'execute' accesses on th...
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 20
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:a232bd9a4a528573d1fd71dd73c...
Depends On:
TreeView+ depends on / blocked
Reported: 2014-01-15 02:06 UTC by leith.holness
Modified: 2014-01-15 08:28 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-01-15 08:28:08 UTC
Type: ---

Attachments (Terms of Use)

Description leith.holness 2014-01-15 02:06:06 UTC
Description of problem:
attempted to install the zotero chrome extension but chrome does not have permission to change the file 
SELinux is preventing /opt/google/chrome/chrome from 'execute' accesses on the file /home/leithal/Downloads/Zotero_linux-x86_64/xulrunner/libnss3.so.

*****  Plugin chrome (98.5 confidence) suggests   ****************************

If you want to use the plugin package
Then you must turn off SELinux controls on the Chrome plugins.
# setsebool -P unconfined_chrome_sandbox_transition 0

*****  Plugin catchall (2.46 confidence) suggests   **************************

If you believe that chrome should be allowed execute access on the libnss3.so file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# grep chrome /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                /home/leithal/Downloads/Zotero_linux-
                              x86_64/xulrunner/libnss3.so [ file ]
Source                        chrome
Source Path                   /opt/google/chrome/chrome
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           google-chrome-stable-32.0.1700.77-1.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-106.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.12.7-300.fc20.x86_64 #1 SMP Fri
                              Jan 10 15:35:31 UTC 2014 x86_64 x86_64
Alert Count                   2
First Seen                    2014-01-15 12:36:08 EST
Last Seen                     2014-01-15 12:43:29 EST
Local ID                      f564d97a-1168-4d78-bc42-c993e9aac35e

Raw Audit Messages
type=AVC msg=audit(1389750209.644:544): avc:  denied  { execute } for  pid=2694 comm="chrome" path="/home/leithal/Downloads/Zotero_linux-x86_64/xulrunner/libnss3.so" dev="dm-2" ino=30540307 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file

type=SYSCALL msg=audit(1389750209.644:544): arch=x86_64 syscall=mmap success=yes exit=140696508162048 a0=0 a1=307d78 a2=5 a3=802 items=0 ppid=0 pid=2694 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=1 tty=(none) comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Hash: chrome,chrome_sandbox_t,user_home_t,file,execute

Additional info:
reporter:       libreport-2.1.11
hashmarkername: setroubleshoot
kernel:         3.12.7-300.fc20.x86_64
type:           libreport

Comment 1 Miroslav Grepl 2014-01-15 08:28:08 UTC
If you want to use this way you can either turn off the protection

# setsebool -P unconfined_chrome_sandbox_transition 0

or you can try to change the labeling

# chcon -t lib_t /home/leithal/Downloads/Zotero_linux-x86_64/xulrunner/libnss3.so

to see if it works correctly.

Note You need to log in before you can comment on or make changes to this bug.