Bug 579580 - SELinux is preventing /opt/google/chrome/chrome-sandbox from executing /opt/google/chrome/chrome-sandbox.
Summary: SELinux is preventing /opt/google/chrome/chrome-sandbox from executing /opt/g...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:17f9d7f8f4c...
: 579934 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-04-05 22:38 UTC by Carl G.
Modified: 2010-04-20 13:20 UTC (History)
3 users (show)

Fixed In Version: selinux-policy-3.6.32-110.fc12
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-04-20 13:20:11 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Carl G. 2010-04-05 22:38:58 UTC 
Résumé:

SELinux is preventing /opt/google/chrome/chrome-sandbox from executing
/opt/google/chrome/chrome-sandbox.

Description détaillée:

[SELinux est en mode permissif. Cet accès n'a pas été refusé.]

SELinux has denied the chrome-sandbox from executing
/opt/google/chrome/chrome-sandbox. If chrome-sandbox is supposed to be able to
execute /opt/google/chrome/chrome-sandbox, this could be a labeling problem.
Most confined domains are allowed to execute files labeled bin_t. So you could
change the labeling on this file to bin_t and retry the application. If this
chrome-sandbox is not supposed to execute /opt/google/chrome/chrome-sandbox,
this could signal an intrusion attempt.

Autoriser l'accès:

If you want to allow chrome-sandbox to execute
/opt/google/chrome/chrome-sandbox: chcon -t bin_t
'/opt/google/chrome/chrome-sandbox' If this fix works, please update the file
context on disk, with the following command: semanage fcontext -a -t bin_t
'/opt/google/chrome/chrome-sandbox' Please specify the full path to the
executable, Please file a bug report to make sure this becomes the default
labeling.

Informations complémentaires:

Contexte source               staff_u:staff_r:staff_mono_t:s0-s0:c0.c1023
Contexte cible                system_u:object_r:usr_t:s0
Objets du contexte            /opt/google/chrome/chrome-sandbox [ file ]
source                        gnome-do
Chemin de la source           /usr/bin/mono
Port                          <Inconnu>
Hôte                         (removed)
Paquetages RPM source         google-chrome-unstable-5.0.366.2-43280
Paquetages RPM cible          google-chrome-unstable-5.0.366.2-43280
Politique RPM                 selinux-policy-3.6.32-106.fc12
Selinux activé               True
Type de politique             targeted
Mode strict                   Permissive
Nom du plugin                 execute
Nom de l'hôte                (removed)
Plateforme                    Linux (removed)
                              2.6.32.10-90.fc12.x86_64 #1 SMP Tue Mar 23
                              09:47:08 UTC 2010 x86_64 x86_64
Compteur d'alertes            9
Première alerte              lun 05 avr 2010 18:08:17 EDT
Dernière alerte              lun 05 avr 2010 18:32:50 EDT
ID local                      4ef67ac3-e817-403c-8b1c-982440f928fb
Numéros des lignes           

Messages d'audit bruts        

node=(removed) type=AVC msg=audit(1270506770.161:101): avc:  denied  { execute } for  pid=2391 comm="chrome" name="chrome-sandbox" dev=dm-2 ino=4204608 scontext=staff_u:staff_r:staff_mono_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file

node=(removed) type=AVC msg=audit(1270506770.161:101): avc:  denied  { execute_no_trans } for  pid=2391 comm="chrome" path="/opt/google/chrome/chrome-sandbox" dev=dm-2 ino=4204608 scontext=staff_u:staff_r:staff_mono_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1270506770.161:101): arch=c000003e syscall=59 success=yes exit=0 a0=3b6ac58 a1=3bcf340 a2=7fff7cb6a938 a3=7fff7cb67db0 items=0 ppid=2346 pid=2391 auid=500 uid=500 gid=501 euid=0 suid=0 fsuid=0 egid=501 sgid=501 fsgid=501 tty=(none) ses=1 comm="chrome-sandbox" exe="/opt/google/chrome/chrome-sandbox" subj=staff_u:staff_r:staff_mono_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  execute,gnome-do,staff_mono_t,usr_t,file,execute
audit2allow suggests:

#============= staff_mono_t ==============
allow staff_mono_t usr_t:file { execute execute_no_trans };
Comment 1 Daniel Walsh 2010-04-06 13:22:01 UTC 
chcon -t chrome_sandbox_exec_t /opt/google/chrome/chrome-sandbox

Should make it work with proper confinement.

Or you could use the chromium repo built by Tom Calloway

[google]
name=Chrome
failovermethod=priority
baseurl=http://spot.fedorapeople.org/chromium/F12/
enabled=0
gpgcheck=0


Miroslav can you add this label?
Comment 2 Miroslav Grepl 2010-04-07 07:59:56 UTC 
*** Bug 579934 has been marked as a duplicate of this bug. ***
Comment 3 Miroslav Grepl 2010-04-07 08:02:38 UTC 
Fixed in selinux-policy-3.6.32-110.fc12
Comment 4 Fedora Update System 2010-04-09 13:26:11 UTC 
selinux-policy-3.6.32-110.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-110.fc12
Comment 5 Fedora Update System 2010-04-10 10:31:05 UTC 
selinux-policy-3.6.32-110.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-110.fc12
Comment 6 Fedora Update System 2010-04-20 13:19:36 UTC 
selinux-policy-3.6.32-110.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.