Bug 589679 - Selinux prevents Google Earth binary from running from /usr/local/
Summary: Selinux prevents Google Earth binary from running from /usr/local/
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 12
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2010-05-06 17:06 UTC by Jonathan Pritchard
Modified: 2010-05-06 19:42 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-05-06 19:26:29 UTC
Type: ---



Description Jonathan Pritchard 2010-05-06 17:06:32 UTC
I installed Google Earth for Linux to /usr/local and now every time I try and run the shortcut from the menu, I get this selinux warning.

The setroubleshoot output is as follows:


Summary:

SELinux is preventing /opt/google-earth/googleearth-bin "execmod" access to
/opt/google-earth/libminizip.so.

Detailed Description:

SELinux denied access requested by /opt/google-earth/googleearth-bin.
/opt/google-earth/googleearth-bin is mislabeled.
/opt/google-earth/googleearth-bin default SELinux type is usr_t, but its current
type is usr_t. Changing this file back to the default type, may fix your
problem.

If you believe this is a bug, please file a bug report against this package.

Allowing Access:

You can restore the default system context to this file by executing the
restorecon command. restorecon '/opt/google-earth/googleearth-bin'.

Fix Command:

/sbin/restorecon '/opt/google-earth/googleearth-bin'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Context                unconfined_u:object_r:usr_t:s0
Target Objects                /opt/google-earth/libminizip.so [ file ]
Source                        googleearth-bin
Source Path                   /opt/google-earth/googleearth-bin
Port                          <Unknown>
Host                          Jon-Laptop
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-113.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   restore_source_context
Host Name                     Jon-Laptop
Platform                      Linux Jon-Laptop 2.6.32.11-99.fc12.i686.PAE #1 SMP
                              Mon Apr 5 16:15:03 EDT 2010 i686 i686
Alert Count                   4
First Seen                    Thu 06 May 2010 17:57:57 BST
Last Seen                     Thu 06 May 2010 18:03:59 BST
Local ID                      0e8c71c0-3a5f-41e2-8662-4c49266bfd6b
Line Numbers                  

Raw Audit Messages            

node=Jon-Laptop type=AVC msg=audit(1273165439.137:36): avc:  denied  { execmod } for  pid=9785 comm="googleearth-bin" path="/opt/google-earth/libminizip.so" dev=sda8 ino=920953 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file

node=Jon-Laptop type=SYSCALL msg=audit(1273165439.137:36): arch=40000003 syscall=125 success=no exit=-13 a0=7fe000 a1=6000 a2=5 a3=bfee0db0 items=0 ppid=1 pid=9785 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="googleearth-bin" exe="/opt/google-earth/googleearth-bin" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

------

I have the following policy versions:

selinux-policy-3.6.32-113.fc12.noarch
selinux-policy-targeted-3.6.32-113.fc12.noarch

Comment 1 Daniel Walsh 2010-05-06 19:26:29 UTC
# restorecon -R -v /opt/google-earth

Should fix

Or you can turn this check off altogether with 

# setsebool -P allow_execmod=1

Comment 2 Jonathan Pritchard 2010-05-06 19:42:44 UTC
Thank you Daniel. Sorry if this wasn't a bug but thank you for your help.
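
Added example, not part of the original report or comments: a short Python script that pairs the AVC and SYSCALL records quoted in the description by audit event ID and decodes the call that was denied. It assumes the i386 syscall table (arch=40000003, where syscall 125 is mprotect); the function names are illustrative.

```python
import re

# Raw audit records copied verbatim from the description above.
RECORDS = [
    'node=Jon-Laptop type=AVC msg=audit(1273165439.137:36): avc:  denied  { execmod } for  pid=9785 comm="googleearth-bin" path="/opt/google-earth/libminizip.so" dev=sda8 ino=920953 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file',
    'node=Jon-Laptop type=SYSCALL msg=audit(1273165439.137:36): arch=40000003 syscall=125 success=no exit=-13 a0=7fe000 a1=6000 a2=5 a3=bfee0db0 items=0 ppid=1 pid=9785 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="googleearth-bin" exe="/opt/google-earth/googleearth-bin" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)',
]

EVENT_RE = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\):")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"\{ ([^}]*) \}")
PROT = {1: "PROT_READ", 2: "PROT_WRITE", 4: "PROT_EXEC"}
I386_MPROTECT = ("40000003", "125")  # assumption: i386 syscall numbering

def parse(line):
    """Return (event_id, record_type, fields), or None for non-audit lines."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    rtype, event = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line[m.end():])}
    perms = PERMS_RE.search(line)
    if perms:
        fields["perms"] = perms.group(1).split()
    return event, rtype, fields

def explain_execmod(lines):
    """Join AVC and SYSCALL records per event and describe execmod denials."""
    events = {}
    for event, rtype, fields in filter(None, map(parse, lines)):
        events.setdefault(event, {})[rtype] = fields
    findings = []
    for event, recs in events.items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if not avc or "execmod" not in avc.get("perms", []):
            continue
        call = "unknown"
        if (sc.get("arch"), sc.get("syscall")) == I386_MPROTECT:
            flags = [n for bit, n in PROT.items() if int(sc["a2"], 16) & bit]
            call = "mprotect(0x%s, 0x%s, %s)" % (sc["a0"], sc["a1"], "|".join(flags))
        findings.append({"event": event, "path": avc["path"], "call": call,
                         "target_type": avc["tcontext"].split(":")[2]})
    return findings

if __name__ == "__main__":
    for finding in explain_execmod(RECORDS):
        print(finding)
```

For the records in this report it shows the denied call was mprotect(0x7fe000, 0x6000, PROT_READ|PROT_EXEC) on a mapping of /opt/google-earth/libminizip.so, whose file type is usr_t.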

