Bug 481035 - Google Earth prevented from starting from install
Google Earth prevented from starting from install
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2009-01-21 15:48 EST by Victoria Earl
Modified: 2009-01-22 08:44 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-01-22 08:44:51 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Victoria Earl 2009-01-21 15:48:22 EST
Description of problem:
SELinux prevents Google Earth from start after install.  Unsure if this is a bug with SELinux or with Google Earth, but bug report link from SELinux linked here.

Version-Release number of selected component (if applicable):
Unknown, unable to start googleearth to find out

How reproducible:
Easily.  Requires install of Google Earth.

Steps to Reproduce:
1. Open Terminal
2. wget http://dl.google.com/earth/client/current/GoogleEarthLinux.bin
3. sh GoogleEarthLinux.bin
4. Follow install instructions
5. Start GoogleEarth after install, or try to do anything with it at all for that matter.
Actual results:
GoogleEarth prevented from running entirely, even to access help files.  AVC Denial from SELinux.

Expected results:
GoogleEarth to run.

Additional info:
Report from SELinux:


SELinux is preventing googleearth-bin from loading
/opt/google-earth/libminizip.so which requires text relocation.

Detailed Description:

The googleearth-bin application attempted to load
/opt/google-earth/libminizip.so which requires text relocation. This is a
potential security problem. Most libraries do not need this permission.
Libraries are sometimes coded incorrectly and request this permission. The
SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. You can configure SELinux temporarily to allow
/opt/google-earth/libminizip.so to use relocation as a workaround, until the
library is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you trust /opt/google-earth/libminizip.so to run correctly, you can change
the file context to textrel_shlib_t. "chcon -t textrel_shlib_t
'/opt/google-earth/libminizip.so'" You must also change the default file context
files on the system in order to preserve them even on a full relabel. "semanage
fcontext -a -t textrel_shlib_t '/opt/google-earth/libminizip.so'"

Fix Command:

chcon -t textrel_shlib_t '/opt/google-earth/libminizip.so'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0
Target Context                unconfined_u:object_r:usr_t:s0
Target Objects                /opt/google-earth/libminizip.so [ file ]
Source                        googleearth-bin
Source Path                   /opt/google-earth/googleearth-bin
Port                          <Unknown>
Host                          Vicki-laptop
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-38.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execmod
Host Name                     Vicki-laptop
Platform                      Linux Vicki-laptop #1 SMP
                              Tue Dec 16 15:12:04 EST 2008 i686 i686
Alert Count                   2
First Seen                    Wed 21 Jan 2009 03:33:47 PM EST
Last Seen                     Wed 21 Jan 2009 03:44:51 PM EST
Local ID                      0fa33577-d772-4de5-8f35-85078872b13e
Line Numbers                  

Raw Audit Messages            

node=Vicki-laptop type=AVC msg=audit(1232570691.203:104): avc:  denied  { execmod } for  pid=17729 comm="googleearth-bin" path="/opt/google-earth/libminizip.so" dev=dm-0 ino=453376 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file

node=Vicki-laptop type=SYSCALL msg=audit(1232570691.203:104): arch=40000003 syscall=125 success=no exit=-13 a0=1328000 a1=6000 a2=5 a3=bffe6860 items=0 ppid=7069 pid=17729 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="googleearth-bin" exe="/opt/google-earth/googleearth-bin" subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null)
Comment 1 Miroslav Grepl 2009-01-22 04:43:54 EST
This is the bug with Google Earth. They have built their libraries incorrectly.

You can get the default SELinux security context for your information:

#  matchpathcon /opt/google-earth/libminizip.so


# restorecon -R -v /opt/google-earth/

Should fix it.

Note You need to log in before you can comment on or make changes to this bug.