Description of problem:
SELinux is preventing /opt/google/chrome/chrome from execmod access on the file /opt/google/chrome/chrome.

Version-Release number of selected component (if applicable):
selinux-policy-3.9.16-37.fc15

How reproducible:
Start Google Chrome

Steps to Reproduce:
1. Start Google Chrome
2.
3.

Actual results:
selinux prevents Chrome from starting

Expected results:

Additional info:

    SELinux is preventing /opt/google/chrome/chrome from execmod access on the file /opt/google/chrome/chrome.

    ***** Plugin allow_execmod (91.4 confidence) suggests **********************

    If you want to allow chrome to have execmod access on the chrome file
    Then you need to change the label on '/opt/google/chrome/chrome'
    Do
    # semanage fcontext -a -t textrel_shlib_t '/opt/google/chrome/chrome'
    # restorecon -v '/opt/google/chrome/chrome'

    ***** Plugin catchall (9.59 confidence) suggests ***************************

    If you believe that chrome should be allowed execmod access on the chrome file by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # grep chrome /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp

    Additional Information:
    Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
    Target Context                system_u:object_r:execmem_exec_t:s0
    Target Objects                /opt/google/chrome/chrome [ file ]
    Source                        chrome
    Source Path                   /opt/google/chrome/chrome
    Port                          <Unknown>
    Host                          fedora15kde32
    Source RPM Packages           google-chrome-beta-14.0.835.35-96116
    Target RPM Packages           google-chrome-beta-14.0.835.35-96116
    Policy RPM                    selinux-policy-3.9.16-37.fc15
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Enforcing
    Host Name                     fedora15kde32
    Platform                      Linux fedora15kde32 2.6.40-4.fc15.i686.PAE #1 SMP Fri Jul 29 18:47:58 UTC 2011 i686 i686
    Alert Count                   2
    First Seen                    Thu 11 Aug 2011 11:01:48 PM EDT
    Last Seen                     Thu 11 Aug 2011 11:04:51 PM EDT
    Local ID                      fba2eabc-ee92-4fc1-8f8d-6a8ca374a57e

This started after updating to Chrome version google-chrome-beta-14.0.835.35-96116

Since I've never had a problem starting Google Chrome with selinux enforcing before, and, because I don't know what plugin allow_execmod does, I'm filing it as a bug. Obviously something has changed in this version of Chrome and I don't want to allow access without reporting this problem first.

Please include the AVC data?
Sorry, I thought I copied the whole thing:

    Raw Audit Messages
    type=AVC msg=audit(1313201544.117:85): avc: denied { execmod } for pid=2527 comm="chrome" path="/opt/google/chrome/chrome" dev=sda2 ino=6291521 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file

    type=SYSCALL msg=audit(1313201544.117:85): arch=i386 syscall=mprotect success=no exit=EACCES a0=b4684000 a1=31e9000 a2=5 a3=bfad2be0 items=0 ppid=0 pid=2527 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

    Hash: chrome,chrome_sandbox_t,execmem_exec_t,file,execmod

    audit2allow

It is very strange to see an executable requiring execmod privs; these are usually shared libraries.

Miroslav, I added the allow rules for this to F16.

    execmem_execmod(chrome_sandbox_t)

*** Bug 730406 has been marked as a duplicate of this bug. ***
Will the rule be added to F15, or should I manually adjust it? Have you determined the reason for the AVC error yet?
Yes, added to selinux-policy-3.9.16-39.fc15
Has the updated selinux-policy-3.9.16-39.fc15 been deployed? It hasn't shown up on my up to date Fedora 15 box yet. I still have selinux-policy-3.9.16-35.fc15. I got a couple of update batches with dozens of packages since selinux-policy was fixed, but not selinux-policy-3.9.16-39.fc15
selinux-policy-3.9.16-38.fc15 is in testing now, so your fix will be in the next testing push.
Created attachment 521356
SELinux problem report for Fedora 14 google-chrome-beta-14.0.835.126-99097.i386

FYI, I am having the same problem on Fedora 14. SELinux problem report attached.

selinux-policy-3.9.16-39.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-39.fc15
Package selinux-policy-3.9.16-39.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
    # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-39.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-39.fc15
then log in and leave karma (feedback).

I've got the latest update installed, but it's not fixed for me at least, I'm still getting a denial.
What denial?
I'm getting this AVC denial:

    SELinux is preventing /opt/google/chrome/chrome from execmod access on the fichier /opt/google/chrome/chrome.

    ***** Plugin allow_execmod (91.4 confiance) suggéré**************************

    Sivous souhaitez autoriser chrome à accéder à execmod sur chrome file
    Alorsyou need to change the label on '/opt/google/chrome/chrome'
    Faire
    # semanage fcontext -a -t textrel_shlib_t '/opt/google/chrome/chrome'
    # restorecon -v '/opt/google/chrome/chrome'

    ***** Plugin catchall (9.59 confiance) suggéré*******************************

    Siyou believe that chrome should be allowed execmod access on the chrome file by default.
    Alorsyou should report this as a bug.
    You can generate a local policy module to allow this access.
    Faire
    allow this access for now by executing:
    # grep chrome /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp

    Additional Information:
    Contexte source               unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
    Contexte cible                system_u:object_r:execmem_exec_t:s0
    Objets du contexte            /opt/google/chrome/chrome [ file ]
    Source                        chrome
    Chemin de la source           /opt/google/chrome/chrome
    Port                          <Inconnu>
    Hôte                          eeepc
    Paquetages RPM source         google-chrome-stable-14.0.835.163-101024
    Paquetages RPM cible          google-chrome-stable-14.0.835.163-101024
    RPM de la statégie            selinux-policy-3.9.16-39.fc15
    Selinux activé                True
    Type de stratégie             targeted
    Mode strict                   Enforcing
    Nom de l'hôte                 eeepc
    Plateforme                    Linux eeepc 2.6.40.4-5.fc15.i686 #1 SMP Tue Aug 30 14:54:41 UTC 2011 i686 i686
    Compteur d'alertes            1
    Première alerte               sam. 17 sept. 2011 14:23:04 CEST
    Dernière alerte               sam. 17 sept. 2011 14:23:04 CEST
    ID local                      5ae8a748-7773-4b37-8e65-44f8563e73db

    Messages d'audit bruts
    type=AVC msg=audit(1316262184.284:757): avc: denied { execmod } for pid=8910 comm="chrome" path="/opt/google/chrome/chrome" dev=dm-1 ino=1053844 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file

    type=SYSCALL msg=audit(1316262184.284:757): arch=i386 syscall=mprotect success=no exit=EACCES a0=b4702000 a1=31fd000 a2=5 a3=bfa4af50 items=0 ppid=0 pid=8910 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=15 comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

    Hash: chrome,chrome_sandbox_t,execmem_exec_t,file,execmod

    audit2allow

    #============= chrome_sandbox_t ==============
    allow chrome_sandbox_t execmem_exec_t:file execmod;

    audit2allow -R

    #============= chrome_sandbox_t ==============
    allow chrome_sandbox_t execmem_exec_t:file execmod;

I believe this is fixed in the latest policy.

    yum -y update selinux-policy --enablerepo=updates-testing

I don't think the latest version quite fixes this completely. I updated to the version in updates-testing:

    # rpm -q selinux-policy
    selinux-policy-3.9.16-39.fc15.noarch

but I still get a related AVC denial when trying to launch chrome:

    # ausearch -m AVC -ts recent
    ----
    time->Mon Sep 19 13:50:54 2011
    type=SYSCALL msg=audit(1316454654.308:68): arch=40000003 syscall=125 success=no exit=-13 a0=b4513000 a1=31fd000 a2=5 a3=bffaaaa0 items=0 ppid=0 pid=2281 auid=32034 uid=32034 gid=30 euid=32034 suid=32034 fsuid=32034 egid=30 sgid=30 fsgid=30 tty=(none) ses=1 comm="chrome" exe="/opt/google/chrome/chrome" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)
    type=AVC msg=audit(1316454654.308:68): avc: denied { execmod } for pid=2281 comm="chrome" path="/opt/google/chrome/chrome" dev=sda3 ino=2890167 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file
    ----

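Added example (not part of the bug report or of the policy packages): the AVC and SYSCALL records posted in this thread share an event id, so merging them shows that the denied call was mprotect() with prot=5 (PROT_READ|PROT_EXEC) on the Chrome binary and yields the rule audit2allow prints. The function names are this example's own; it accepts both the interpreted and the raw numeric record forms seen above.

```python
import re

# Two events taken from the reports in this thread (SYSCALL fields trimmed):
# one in interpreted form, one in raw numeric form.
SAMPLE = """\
type=AVC msg=audit(1313201544.117:85): avc: denied { execmod } for pid=2527 comm="chrome" path="/opt/google/chrome/chrome" dev=sda2 ino=6291521 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1313201544.117:85): arch=i386 syscall=mprotect success=no exit=EACCES a0=b4684000 a1=31e9000 a2=5 a3=bfad2be0 items=0 ppid=0 pid=2527 comm=chrome exe=/opt/google/chrome/chrome
type=SYSCALL msg=audit(1316454654.308:68): arch=40000003 syscall=125 success=no exit=-13 a0=b4513000 a1=31fd000 a2=5 a3=bffaaaa0 items=0 ppid=0 pid=2281 comm="chrome" exe="/opt/google/chrome/chrome"
type=AVC msg=audit(1316454654.308:68): avc: denied { execmod } for pid=2281 comm="chrome" path="/opt/google/chrome/chrome" dev=sda3 ino=2890167 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file
"""
PROT = {1: "PROT_READ", 2: "PROT_WRITE", 4: "PROT_EXEC"}

def parse(text):
    """Merge the fields of all records that share an event id (time:serial)."""
    events = {}
    for line in text.splitlines():
        m = re.match(r"type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)", line)
        if not m:
            continue
        rtype, eid, body = m.groups()
        ev = events.setdefault(eid, {})
        if rtype == "AVC":
            ev["perms"] = re.search(r"\{ ([^}]*) \}", body).group(1).split()
        for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', body):
            ev.setdefault(key, val.strip('"'))
    return events

def is_mprotect(ev):
    # Interpreted logs name the syscall; raw i386 logs (arch=40000003) use 125.
    raw = (ev.get("arch"), ev.get("syscall")) == ("40000003", "125")
    return ev.get("syscall") == "mprotect" or raw

def describe(ev):
    """Return (allow rule as audit2allow would print it, decoded mprotect prot)."""
    perms = ev["perms"][0] if len(ev["perms"]) == 1 else "{ %s }" % " ".join(ev["perms"])
    rule = "allow %s %s:%s %s;" % (ev["scontext"].split(":")[2],
                                   ev["tcontext"].split(":")[2], ev["tclass"], perms)
    flags = None
    if is_mprotect(ev):
        prot = int(ev["a2"], 16)  # audit logs syscall arguments in hex
        flags = "|".join(n for bit, n in PROT.items() if prot & bit) or "PROT_NONE"
    return rule, flags

def report(text):
    return {eid: describe(ev) for eid, ev in parse(text).items() if "perms" in ev}

if __name__ == "__main__":
    for eid, (rule, flags) in report(SAMPLE).items():
        print(eid, rule, "| mprotect prot:", flags)
```
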
Could you try to install the latest policy from koji http://koji.fedoraproject.org/koji/buildinfo?buildID=263146
Still looks very similar with the -40 package from koji:

    Additional Information:
    Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
    Target Context                system_u:object_r:execmem_exec_t:s0
    Target Objects                /opt/google/chrome/chrome [ file ]
    Source                        chrome
    Source Path                   /opt/google/chrome/chrome
    Port                          <Unknown>
    Host                          cmarcant-linuxbook
    Source RPM Packages           google-chrome-stable-14.0.835.163-101024
    Target RPM Packages           google-chrome-stable-14.0.835.163-101024
    Policy RPM                    selinux-policy-3.9.16-40.fc15
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Enforcing
    Host Name                     <redacted>
    Platform                      Linux <redacted> 2.6.40.4-5.fc15.i686.PAE #1 SMP Tue Aug 30 14:43:52 UTC 2011 i686 i686
    Alert Count                   15
    First Seen                    Mon 19 Sep 2011 01:09:29 PM EDT
    Last Seen                     Tue 20 Sep 2011 08:28:56 AM EDT
    Local ID                      2c6839da-9c53-4b8f-b360-c5b4aa89edfa

    Raw Audit Messages
    type=AVC msg=audit(1316521736.390:1035): avc: denied { execmod } for pid=18845 comm="chrome" path="/opt/google/chrome/chrome" dev=sda3 ino=2890167 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file

    type=SYSCALL msg=audit(1316521736.390:1035): arch=i386 syscall=mprotect success=no exit=EACCES a0=b465e000 a1=31fd000 a2=5 a3=bfa4b800 items=0 ppid=0 pid=18845 auid=32034 uid=32034 gid=30 euid=32034 suid=32034 fsuid=32034 egid=30 sgid=30 fsgid=30 tty=(none) ses=1 comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

    Hash: chrome,chrome_sandbox_t,execmem_exec_t,file,execmod

selinux-policy-3.9.16-39.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
I did a brand new f15 install today with selinux-policy-3.9.16-39.fc15 and I'm still having the same problem.

    SELinux is preventing /opt/google/chrome/chrome from execmod access on the file /opt/google/chrome/chrome.

    ***** Plugin allow_execmod (91.4 confidence) suggests **********************

    If you want to allow chrome to have execmod access on the chrome file
    Then you need to change the label on '/opt/google/chrome/chrome'
    Do
    # semanage fcontext -a -t textrel_shlib_t '/opt/google/chrome/chrome'
    # restorecon -v '/opt/google/chrome/chrome'

    ***** Plugin catchall (9.59 confidence) suggests ***************************

    If you believe that chrome should be allowed execmod access on the chrome file by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # grep chrome /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp

    Additional Information:
    Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
    Target Context                system_u:object_r:execmem_exec_t:s0
    Target Objects                /opt/google/chrome/chrome [ file ]
    Source                        chrome
    Source Path                   /opt/google/chrome/chrome
    Port                          <Unknown>
    Host                          kazuya
    Source RPM Packages           google-chrome-stable-14.0.835.202-103287
    Target RPM Packages           google-chrome-stable-14.0.835.202-103287
    Policy RPM                    selinux-policy-3.9.16-39.fc15
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Enforcing
    Host Name                     kazuya
    Platform                      Linux kazuya 2.6.40.6-0.fc15.i686.PAE #1 SMP Tue Oct 4 00:44:38 UTC 2011 i686 i686
    Alert Count                   1
    First Seen                    Thu 06 Oct 2011 05:47:07 PM PDT
    Last Seen                     Thu 06 Oct 2011 05:47:07 PM PDT
    Local ID                      de8da826-2bdc-4df4-a988-48f626b061a5

    Raw Audit Messages
    type=AVC msg=audit(1317948427.878:61): avc: denied { execmod } for pid=2581 comm="chrome" path="/opt/google/chrome/chrome" dev=dm-1 ino=2105964 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file

    type=SYSCALL msg=audit(1317948427.878:61): arch=i386 syscall=mprotect success=no exit=EACCES a0=b451c000 a1=31ff000 a2=5 a3=bfcbeab0 items=0 ppid=0 pid=2581 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

    Hash: chrome,chrome_sandbox_t,execmem_exec_t,file,execmod

    audit2allow

    #============= chrome_sandbox_t ==============
    allow chrome_sandbox_t execmem_exec_t:file execmod;

    audit2allow -R

    #============= chrome_sandbox_t ==============
    allow chrome_sandbox_t execmem_exec_t:file execmod;

Could you try to install the latest policy from koji
http://koji.fedoraproject.org/koji/buildinfo?buildID=263146

It was closed by Update System.

And what's the command I need to run to install that latest policy from koji?
# su -c 'rpm -Uvh http://kojipkgs.fedoraproject.org/packages/selinux-policy/3.9.16/42.fc15/noarch/selinux-policy-3.9.16-42.fc15.noarch.rpm http://kojipkgs.fedoraproject.org/packages/selinux-policy/3.9.16/42.fc15/noarch/selinux-policy-targeted-3.9.16-42.fc15.noarch.rpm'
Thanks Miroslav. That works.
Previous package from koji (3.9.16-40.fc15) did not solve this issue for me. However, the latest package posted and linked above in Comment 23 (3.9.16-42.fc15) does seem to be working for me. I don't see any more AVC denials related to this BZ after upgrading to that.
3.9.16-42 worked for me too.
I too couldn't get it working until I applied the RPMs in Comment 23. (Maybe I misunderstood something, but I couldn't use the command-line as written; I had to download the RPMs and install them from local files.)
selinux-policy-3.9.16-48.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-48.fc15
Package selinux-policy-3.9.16-48.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
    # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-48.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-16023/selinux-policy-3.9.16-48.fc15
then log in and leave karma (feedback).

selinux-policy-3.9.16-48.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.