type=AVC msg=audit(1272343022.538:41089): avc: denied { execute } for pid=25681 comm="banshee-1" name="google-chrome" dev=dm-2 ino=131079 scontext=staff_u:staff_r:staff_mono_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file

Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.

allow staff_mono_t usr_t:file execute;

Should I create a policy for that?
Carl, where is "google-chrome" located? Is it located in /opt/google/chrome/ directory?
Carl, anytime you see an app trying to execute usr_t, you should think that the executable is mislabeled. It should either be labeled bin_t for generic binaries or in this case mozilla_exec_t for web browsers.
Oh, you're right, sorry about that :/
(In reply to comment #1)
> Carl,
> where is "google-chrome" located? Is it located in /opt/google/chrome/
> directory?

/opt/google/chrome/ and banshee is in /usr/bin.
Is /opt/google/chrome/google-chrome the default location? What is the path to the sandbox?
See below. I re-labeled Banshee w. bin_t but it still doesn't work with Chrome (works fine w. Firefox).

[carl@BubbleWork ~]$ ls -Z /opt/google/chrome
-rwxr-xr-x. root root system_u:object_r:execmem_exec_t:s0 chrome
-rw-r--r--. root root system_u:object_r:usr_t:s0 chrome.pak
-rwsr-xr-x. root root system_u:object_r:chrome_sandbox_exec_t:s0 chrome-sandbox
-rw-r--r--. root root system_u:object_r:usr_t:s0 default-app-block
-rwxr-xr-x. root root system_u:object_r:usr_t:s0 google-chrome
-rw-r--r--. root root system_u:object_r:usr_t:s0 google-chrome.desktop
lrwxrwxrwx. root root system_u:object_r:usr_t:s0 libbz2.so.1.0 -> /lib64/libbz2.so.1
-rw-r--r--. root root system_u:object_r:textrel_shlib_t:s0 libffmpegsumo.so
lrwxrwxrwx. root root system_u:object_r:usr_t:s0 libnspr4.so.0d -> /lib64/libnspr4.so
lrwxrwxrwx. root root system_u:object_r:usr_t:s0 libnss3.so.1d -> /usr/lib64/libnss3.so
lrwxrwxrwx. root root system_u:object_r:usr_t:s0 libnssutil3.so.1d -> /usr/lib64/libnssutil3.so
lrwxrwxrwx. root root system_u:object_r:usr_t:s0 libplc4.so.0d -> /lib64/libplc4.so
lrwxrwxrwx. root root system_u:object_r:usr_t:s0 libplds4.so.0d -> /lib64/libplds4.so
lrwxrwxrwx. root root system_u:object_r:usr_t:s0 libsmime3.so.1d -> /usr/lib64/libsmime3.so
lrwxrwxrwx. root root system_u:object_r:usr_t:s0 libssl3.so.1d -> /usr/lib64/libssl3.so
drwxr-xr-x. root root system_u:object_r:usr_t:s0 locales
-rw-r--r--. root root system_u:object_r:usr_t:s0 product_logo_128.png
-rw-r--r--. root root system_u:object_r:usr_t:s0 product_logo_16.png
-rw-r--r--. root root system_u:object_r:usr_t:s0 product_logo_22.png
-rw-r--r--. root root system_u:object_r:usr_t:s0 product_logo_24.png
-rw-r--r--. root root system_u:object_r:usr_t:s0 product_logo_256.png
-rw-r--r--. root root system_u:object_r:usr_t:s0 product_logo_32.png
-rw-r--r--. root root system_u:object_r:usr_t:s0 product_logo_32.xpm
-rw-r--r--. root root system_u:object_r:usr_t:s0 product_logo_48.png
-rw-r--r--. root root system_u:object_r:usr_t:s0 product_logo_64.png
drwxr-xr-x. root root system_u:object_r:usr_t:s0 resources
-rwxr-xr-x. root root system_u:object_r:usr_t:s0 xdg-settings

Summary:

SELinux is preventing /usr/bin/mono from executing /opt/google/chrome/google-chrome.

Detailed Description:

SELinux has denied the gnome-do from executing /opt/google/chrome/google-chrome. If gnome-do is supposed to be able to execute /opt/google/chrome/google-chrome, this could be a labeling problem. Most confined domains are allowed to execute files labeled bin_t. So you could change the labeling on this file to bin_t and retry the application. If this gnome-do is not supposed to execute /opt/google/chrome/google-chrome, this could signal an intrusion attempt.

Allowing Access:

If you want to allow gnome-do to execute /opt/google/chrome/google-chrome:

chcon -t bin_t '/opt/google/chrome/google-chrome'

If this fix works, please update the file context on disk, with the following command:

semanage fcontext -a -t bin_t '/opt/google/chrome/google-chrome'

Please specify the full path to the executable, Please file a bug report to make sure this becomes the default labeling.

Additional Information:

Source Context                staff_u:staff_r:staff_mono_t:s0
Target Context                system_u:object_r:usr_t:s0
Target Objects                /opt/google/chrome/google-chrome [ file ]
Source                        gnome-do
Source Path                   /usr/bin/mono
Port                          <Unknown>
Host                          BubbleWork.BubbleNet
Source RPM Packages           mono-core-2.6.1-2.fc13
Target RPM Packages           google-chrome-unstable-5.0.375.19-45417
Policy RPM                    selinux-policy-3.7.19-6.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   execute
Host Name                     BubbleWork.BubbleNet
Platform                      Linux BubbleWork.BubbleNet 2.6.33.2-57.fc13.x86_64 #1 SMP Tue Apr 20 08:57:50 UTC 2010 x86_64 x86_64
Alert Count                   3
First Seen                    Tue 27 Apr 2010 12:09:29 PM EDT
Last Seen                     Tue 27 Apr 2010 01:12:17 PM EDT
Local ID                      22278520-04a1-47e8-a298-9f5c4fe34f55
Line Numbers

Raw Audit Messages

node=BubbleWork.BubbleNet type=AVC msg=audit(1272388337.389:50): avc: denied { execute } for pid=9652 comm="gnome-do" name="google-chrome" dev=dm-2 ino=131079 scontext=staff_u:staff_r:staff_mono_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file

node=BubbleWork.BubbleNet type=SYSCALL msg=audit(1272388337.389:50): arch=c000003e syscall=59 success=no exit=-13 a0=2cd9bb0 a1=2c8db90 a2=7fffa566c2d0 a3=1 items=0 ppid=1 pid=9652 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="gnome-do" exe="/usr/bin/mono" subj=staff_u:staff_r:staff_mono_t:s0 key=(null)
chcon -t bin_t google-chrome

Should fix
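Added example (not part of the original bug report and not SELinux tooling): a small Python triage that applies the rule of thumb from the comments above, treating an execute denial against a usr_t file as a labeling problem rather than a reason to load the allow rule audit2allow proposes. The first sample line is the denial quoted in the report; the second is constructed, and GENERIC_DATA_TYPES, parse_avc and triage are names made up for this example.

```python
import re

# Types for generic data rather than programs. usr_t is the case in this
# thread; treating the set as extensible is an assumption of this example.
GENERIC_DATA_TYPES = {"usr_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# First line is the denial quoted in the report; the second is constructed.
SAMPLES = [
    'type=AVC msg=audit(1272343022.538:41089): avc: denied { execute } for '
    'pid=25681 comm="banshee-1" name="google-chrome" dev=dm-2 ino=131079 '
    'scontext=staff_u:staff_r:staff_mono_t:s0 '
    'tcontext=system_u:object_r:usr_t:s0 tclass=file',
    'type=AVC msg=audit(1272343100.001:41090): avc: denied { read open } for '
    'pid=1234 comm="httpd" name="report.txt" dev=dm-2 ino=42 scontext='
    'system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
]

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None if not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    if not all(k in rec for k in ("scontext", "tcontext", "tclass")):
        return None
    rec["perms"] = m.group(1).split()
    # A context is user:role:type:level, so the type is the third field.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec

def triage(line):
    """'relabel' when the target looks mislabeled, else 'review'."""
    rec = parse_avc(line)
    if rec is None:
        return None
    perms = rec["perms"]
    mislabeled = (rec["tclass"] == "file" and "execute" in perms
                  and rec["target_type"] in GENERIC_DATA_TYPES)
    perm_text = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    rule = "allow %s %s:%s %s;" % (
        rec["source_type"], rec["target_type"], rec["tclass"], perm_text)
    return {"verdict": "relabel" if mislabeled else "review",
            "file": rec.get("name"), "candidate_rule": rule}

if __name__ == "__main__":
    print([triage(s) for s in SAMPLES])
```

A "relabel" verdict means the candidate_rule should not be loaded; fix the file's type instead, as the chcon and semanage fcontext commands in the report above do.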