Bug 586212 - SELinux doesn't allow Banshee to open a URL
Summary: SELinux doesn't allow Banshee to open a URL
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 13
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-04-27 04:40 UTC by Carl G.
Modified: 2010-04-27 17:34 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-04-27 15:45:33 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Carl G. 2010-04-27 04:40:58 UTC
type=AVC msg=audit(1272343022.538:41089): avc:  denied  { execute } for  pid=25681 comm="banshee-1" name="google-chrome" dev=dm-2 ino=131079 scontext=staff_u:staff_r:staff_mono_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

allow staff_mono_t usr_t:file execute;

Should i create a policy for that ?

Comment 1 Miroslav Grepl 2010-04-27 11:04:25 UTC
Carl,
where is "google-chrome" located? Is it located in /opt/google/chrome/ directory?

Comment 2 Daniel Walsh 2010-04-27 13:34:19 UTC
Carl anytime you see an app trying to execute usr_t, you should think that the executable is mislabeled.  It should either be labeled bin_t for generic binaries or in this case mozilla_exec_t for web browsers.

Comment 3 Carl G. 2010-04-27 15:45:33 UTC
Oh, you're right, sorry about that :/

Comment 4 Carl G. 2010-04-27 15:49:57 UTC
(In reply to comment #1)
> Carl,
> where is "google-chrome" located? Is it located in /opt/google/chrome/
> directory?    

/opt/google/chrome/

and banshee is in /usr/bin.

Comment 5 Daniel Walsh 2010-04-27 17:15:06 UTC
Is 
/opt/google/chrome/goggle-chrome 

The default location?  What is the path to the sandbox?

Comment 6 Carl G. 2010-04-27 17:21:20 UTC
See bellow.

I re-labeled Banshee w. bin_t but it still doesn't work with Chrome (works fine w. Firefox).

[carl@BubbleWork ~]$ ls -Z /opt/google/chrome
-rwxr-xr-x. root root system_u:object_r:execmem_exec_t:s0 chrome
-rw-r--r--. root root system_u:object_r:usr_t:s0       chrome.pak


-rwsr-xr-x. root root system_u:object_r:chrome_sandbox_exec_t:s0 chrome-sandbox


-rw-r--r--. root root system_u:object_r:usr_t:s0       default-app-block
-rwxr-xr-x. root root system_u:object_r:usr_t:s0       google-chrome
-rw-r--r--. root root system_u:object_r:usr_t:s0       google-chrome.desktop
lrwxrwxrwx. root root system_u:object_r:usr_t:s0       libbz2.so.1.0 -> /lib64/libbz2.so.1
-rw-r--r--. root root system_u:object_r:textrel_shlib_t:s0 libffmpegsumo.so
lrwxrwxrwx. root root system_u:object_r:usr_t:s0       libnspr4.so.0d -> /lib64/libnspr4.so
lrwxrwxrwx. root root system_u:object_r:usr_t:s0       libnss3.so.1d -> /usr/lib64/libnss3.so
lrwxrwxrwx. root root system_u:object_r:usr_t:s0       libnssutil3.so.1d -> /usr/lib64/libnssutil3.so
lrwxrwxrwx. root root system_u:object_r:usr_t:s0       libplc4.so.0d -> /lib64/libplc4.so
lrwxrwxrwx. root root system_u:object_r:usr_t:s0       libplds4.so.0d -> /lib64/libplds4.so
lrwxrwxrwx. root root system_u:object_r:usr_t:s0       libsmime3.so.1d -> /usr/lib64/libsmime3.so
lrwxrwxrwx. root root system_u:object_r:usr_t:s0       libssl3.so.1d -> /usr/lib64/libssl3.so
drwxr-xr-x. root root system_u:object_r:usr_t:s0       locales
-rw-r--r--. root root system_u:object_r:usr_t:s0       product_logo_128.png
-rw-r--r--. root root system_u:object_r:usr_t:s0       product_logo_16.png
-rw-r--r--. root root system_u:object_r:usr_t:s0       product_logo_22.png
-rw-r--r--. root root system_u:object_r:usr_t:s0       product_logo_24.png
-rw-r--r--. root root system_u:object_r:usr_t:s0       product_logo_256.png
-rw-r--r--. root root system_u:object_r:usr_t:s0       product_logo_32.png
-rw-r--r--. root root system_u:object_r:usr_t:s0       product_logo_32.xpm
-rw-r--r--. root root system_u:object_r:usr_t:s0       product_logo_48.png
-rw-r--r--. root root system_u:object_r:usr_t:s0       product_logo_64.png
drwxr-xr-x. root root system_u:object_r:usr_t:s0       resources
-rwxr-xr-x. root root system_u:object_r:usr_t:s0       xdg-settings


Summary:

SELinux is preventing /usr/bin/mono from executing
/opt/google/chrome/google-chrome.

Detailed Description:

SELinux has denied the gnome-do from executing /opt/google/chrome/google-chrome.
If gnome-do is supposed to be able to execute /opt/google/chrome/google-chrome,
this could be a labeling problem. Most confined domains are allowed to execute
files labeled bin_t. So you could change the labeling on this file to bin_t and
retry the application. If this gnome-do is not supposed to execute
/opt/google/chrome/google-chrome, this could signal an intrusion attempt.

Allowing Access:

If you want to allow gnome-do to execute /opt/google/chrome/google-chrome: chcon
-t bin_t '/opt/google/chrome/google-chrome' If this fix works, please update the
file context on disk, with the following command: semanage fcontext -a -t bin_t
'/opt/google/chrome/google-chrome' Please specify the full path to the
executable, Please file a bug report to make sure this becomes the default
labeling.

Additional Information:

Source Context                staff_u:staff_r:staff_mono_t:s0
Target Context                system_u:object_r:usr_t:s0
Target Objects                /opt/google/chrome/google-chrome [ file ]
Source                        gnome-do
Source Path                   /usr/bin/mono
Port                          <Unknown>
Host                          BubbleWork.BubbleNet
Source RPM Packages           mono-core-2.6.1-2.fc13
Target RPM Packages           google-chrome-unstable-5.0.375.19-45417
Policy RPM                    selinux-policy-3.7.19-6.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   execute
Host Name                     BubbleWork.BubbleNet
Platform                      Linux BubbleWork.BubbleNet 2.6.33.2-57.fc13.x86_64
                              #1 SMP Tue Apr 20 08:57:50 UTC 2010 x86_64 x86_64
Alert Count                   3
First Seen                    Tue 27 Apr 2010 12:09:29 PM EDT
Last Seen                     Tue 27 Apr 2010 01:12:17 PM EDT
Local ID                      22278520-04a1-47e8-a298-9f5c4fe34f55
Line Numbers                  

Raw Audit Messages            

node=BubbleWork.BubbleNet type=AVC msg=audit(1272388337.389:50): avc:  denied  { execute } for  pid=9652 comm="gnome-do" name="google-chrome" dev=dm-2 ino=131079 scontext=staff_u:staff_r:staff_mono_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file

node=BubbleWork.BubbleNet type=SYSCALL msg=audit(1272388337.389:50): arch=c000003e syscall=59 success=no exit=-13 a0=2cd9bb0 a1=2c8db90 a2=7fffa566c2d0 a3=1 items=0 ppid=1 pid=9652 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="gnome-do" exe="/usr/bin/mono" subj=staff_u:staff_r:staff_mono_t:s0 key=(null)

Comment 7 Daniel Walsh 2010-04-27 17:34:29 UTC
chcon -t bin_t google-chrome

Should fix


Note You need to log in before you can comment on or make changes to this bug.