Bug 730179 - SELinux is preventing /opt/google/chrome/chrome from execmod access on the file /opt/google/chrome/chrome.
Summary: SELinux is preventing /opt/google/chrome/chrome from execmod access on the fi...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 15
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 730406
Depends On:
Blocks: 735786
Reported: 2011-08-12 03:19 UTC by GoinEasy9
Modified: 2011-12-04 02:34 UTC (History)

Fixed In Version: selinux-policy-3.9.16-48.fc15
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 735786 (view as bug list)
Environment:
Last Closed: 2011-12-04 02:34:02 UTC


Attachments
SELinux problem report for Fedora 14 google-chrome-beta-14.0.835.126-99097.i386 (3.44 KB, text/xml)
2011-09-04 03:55 UTC, Christopher Beland

Description GoinEasy9 2011-08-12 03:19:00 UTC
Description of problem:
SELinux is preventing /opt/google/chrome/chrome from execmod access on the file /opt/google/chrome/chrome.

Version-Release number of selected component (if applicable):
selinux-policy-3.9.16-37.fc15

How reproducible:
Start Google Chrome

Steps to Reproduce:
1. Start Google Chrome

Actual results:
selinux prevents Chrome from starting

Expected results:


Additional info:
SELinux is preventing /opt/google/chrome/chrome from execmod access on the file /opt/google/chrome/chrome.

*****  Plugin allow_execmod (91.4 confidence) suggests  **********************

If you want to allow chrome to have execmod access on the chrome file
Then you need to change the label on '/opt/google/chrome/chrome'
Do
# semanage fcontext -a -t textrel_shlib_t '/opt/google/chrome/chrome'
# restorecon -v '/opt/google/chrome/chrome'

*****  Plugin catchall (9.59 confidence) suggests  ***************************

If you believe that chrome should be allowed execmod access on the chrome file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep chrome /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
                              0.c1023
Target Context                system_u:object_r:execmem_exec_t:s0
Target Objects                /opt/google/chrome/chrome [ file ]
Source                        chrome
Source Path                   /opt/google/chrome/chrome
Port                          <Unknown>
Host                          fedora15kde32
Source RPM Packages           google-chrome-beta-14.0.835.35-96116
Target RPM Packages           google-chrome-beta-14.0.835.35-96116
Policy RPM                    selinux-policy-3.9.16-37.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora15kde32
Platform                      Linux fedora15kde32 2.6.40-4.fc15.i686.PAE #1 SMP
                              Fri Jul 29 18:47:58 UTC 2011 i686 i686
Alert Count                   2
First Seen                    Thu 11 Aug 2011 11:01:48 PM EDT
Last Seen                     Thu 11 Aug 2011 11:04:51 PM EDT
Local ID                      fba2eabc-ee92-4fc1-8f8d-6a8ca374a57e


This started after updating to Chrome version google-chrome-beta-14.0.835.35-96116

Since I've never had a problem starting Google Chrome with selinux enforcing before, and, because I don't know what plugin allow_execmod does, I'm filing it as a bug.  Obviously something has changed in this version of Chrome and I don't want to allow access without reporting this problem first.

Comment 1 Daniel Walsh 2011-08-12 10:49:35 UTC
Please include the AVC data?

Comment 2 GoinEasy9 2011-08-13 02:12:00 UTC
Sorry, I thought I copied the whole thing:


Raw Audit Messages
type=AVC msg=audit(1313201544.117:85): avc:  denied  { execmod } for  pid=2527 comm="chrome" path="/opt/google/chrome/chrome" dev=sda2 ino=6291521 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file


type=SYSCALL msg=audit(1313201544.117:85): arch=i386 syscall=mprotect success=no exit=EACCES a0=b4684000 a1=31e9000 a2=5 a3=bfad2be0 items=0 ppid=0 pid=2527 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Hash: chrome,chrome_sandbox_t,execmem_exec_t,file,execmod

audit2allow

Comment 3 Daniel Walsh 2011-08-15 11:19:42 UTC
It is very strange to see an executable requiring execmod privs, these are usually shared libraries.

Miroslav I added the allow rules for this to F16.

	execmem_execmod(chrome_sandbox_t)

Comment 4 Daniel Walsh 2011-08-15 11:24:06 UTC
*** Bug 730406 has been marked as a duplicate of this bug. ***

Comment 5 GoinEasy9 2011-08-18 07:04:02 UTC
Will the rule be added to F15, or should I manually adjust it?  Have you determined the reason for the AVC error yet?

Comment 6 Miroslav Grepl 2011-08-22 10:25:19 UTC
Yes, added to selinux-policy-3.9.16-39.fc15

Comment 7 Paolo Amoroso 2011-08-31 08:29:01 UTC
Has the updated selinux-policy-3.9.16-39.fc15 been deployed? It hasn't shown up on my up to date Fedora 15 box yet. I still have selinux-policy-3.9.16-35.fc15. I got a couple of update batches with dozens of packages since selinux-policy was fixed, but not selinux-policy-3.9.16-39.fc15

Comment 8 Daniel Walsh 2011-08-31 14:29:52 UTC
selinux-policy-3.9.16-38.fc15 is in testing now, so your fix will be in the next testing push.

Comment 9 Christopher Beland 2011-09-04 03:55:18 UTC
Created attachment 521356 [details]
SELinux problem report for Fedora 14 google-chrome-beta-14.0.835.126-99097.i386

FYI, I am having the same problem on Fedora 14.  SELinux problem report attached.

Comment 10 Fedora Update System 2011-09-08 08:11:47 UTC
selinux-policy-3.9.16-39.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-39.fc15

Comment 11 Fedora Update System 2011-09-09 05:28:02 UTC
Package selinux-policy-3.9.16-39.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-39.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-39.fc15
then log in and leave karma (feedback).

Comment 12 Julien Humbert 2011-09-16 19:20:10 UTC
I've got the latest update installed, but it's not fixed for me at least, I'm still getting a denial.

Comment 13 Daniel Walsh 2011-09-17 02:43:15 UTC
What denial?

Comment 14 Julien Humbert 2011-09-17 12:27:55 UTC
I'm getting this AVC denial :

SELinux is preventing /opt/google/chrome/chrome from execmod access on the fichier /opt/google/chrome/chrome.

*****  Plugin allow_execmod (91.4 confiance) suggéré**************************

Sivous souhaitez autoriser chrome à accéder à execmod sur chrome file
Alorsyou need to change the label on '/opt/google/chrome/chrome'
Faire
# semanage fcontext -a -t textrel_shlib_t '/opt/google/chrome/chrome'
# restorecon -v '/opt/google/chrome/chrome'

*****  Plugin catchall (9.59 confiance) suggéré*******************************

Siyou believe that chrome should be allowed execmod access on the chrome file by default.
Alorsyou should report this as a bug.
You can generate a local policy module to allow this access.
Faire
allow this access for now by executing:
# grep chrome /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Contexte source               unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
                              0.c1023
Contexte cible                system_u:object_r:execmem_exec_t:s0
Objets du contexte            /opt/google/chrome/chrome [ file ]
Source                        chrome
Chemin de la source           /opt/google/chrome/chrome
Port                          <Inconnu>
Hôte                          eeepc
Paquetages RPM source         google-chrome-stable-14.0.835.163-101024
Paquetages RPM cible          google-chrome-stable-14.0.835.163-101024
RPM de la statégie            selinux-policy-3.9.16-39.fc15
Selinux activé                True
Type de stratégie             targeted
Mode strict                   Enforcing
Nom de l'hôte                 eeepc
Plateforme                    Linux eeepc 2.6.40.4-5.fc15.i686 #1 SMP Tue Aug 30
                              14:54:41 UTC 2011 i686 i686
Compteur d'alertes            1
Première alerte               sam. 17 sept. 2011 14:23:04 CEST
Dernière alerte               sam. 17 sept. 2011 14:23:04 CEST
ID local                      5ae8a748-7773-4b37-8e65-44f8563e73db

Messages d'audit bruts 
type=AVC msg=audit(1316262184.284:757): avc:  denied  { execmod } for  pid=8910 comm="chrome" path="/opt/google/chrome/chrome" dev=dm-1 ino=1053844 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file


type=SYSCALL msg=audit(1316262184.284:757): arch=i386 syscall=mprotect success=no exit=EACCES a0=b4702000 a1=31fd000 a2=5 a3=bfa4af50 items=0 ppid=0 pid=8910 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=15 comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Hash: chrome,chrome_sandbox_t,execmem_exec_t,file,execmod

audit2allow

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t execmem_exec_t:file execmod;

audit2allow -R

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t execmem_exec_t:file execmod;

Comment 15 Daniel Walsh 2011-09-19 15:42:32 UTC
I believe this is fixed in the latest policy.

yum -y update selinux-policy --enablerepo=updates-testing

Comment 16 Chris Marcantonio 2011-09-19 18:00:21 UTC
I don't think the latest version quite fixes this completely.  I updated to the version in updates-testing:

# rpm -q selinux-policy
selinux-policy-3.9.16-39.fc15.noarch

but I still get a related AVC denial when trying to launch chrome:

# ausearch -m AVC -ts recent
----
time->Mon Sep 19 13:50:54 2011
type=SYSCALL msg=audit(1316454654.308:68): arch=40000003 syscall=125 success=no exit=-13 a0=b4513000 a1=31fd000 a2=5 a3=bffaaaa0 items=0 ppid=0 pid=2281 auid=32034 uid=32034 gid=30 euid=32034 suid=32034 fsuid=32034 egid=30 sgid=30 fsgid=30 tty=(none) ses=1 comm="chrome" exe="/opt/google/chrome/chrome" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1316454654.308:68): avc:  denied  { execmod } for  pid=2281 comm="chrome" path="/opt/google/chrome/chrome" dev=sda3 ino=2890167 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file
----
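
The raw ausearch record above (arch=40000003 syscall=125 exit=-13) and the sealert form shown in the earlier comments (arch=i386 syscall=mprotect exit=EACCES) describe the same event. As an added example, not code from this bug report or from any Fedora tool, here is a small Python triage helper that parses the AVC and SYSCALL records, decodes the mprotect prot bits (a2=5 is PROT_READ|PROT_EXEC) and flags the pattern Comment 3 calls unusual: execmod denied on a file labelled with an _exec_t type rather than on a shared library. The sample records are constructed to match the shape of the ones in this comment.

```python
import re
from typing import Dict, List

# Constructed sample records, copied in shape from this bug: one AVC line plus the
# matching SYSCALL line in ausearch's raw numeric form and in sealert's symbolic form.
AVC_LINE = ('type=AVC msg=audit(1316454654.308:68): avc:  denied  { execmod } for  pid=2281 '
            'comm="chrome" path="/opt/google/chrome/chrome" dev=sda3 ino=2890167 '
            'scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 '
            'tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file')
SYSCALL_RAW = ('type=SYSCALL msg=audit(1316454654.308:68): arch=40000003 syscall=125 '
               'success=no exit=-13 a0=b4513000 a1=31fd000 a2=5 a3=bffaaaa0 pid=2281 '
               'comm="chrome" exe="/opt/google/chrome/chrome" key=(null)')
SYSCALL_NORM = ('type=SYSCALL msg=audit(1316454654.308:68): arch=i386 syscall=mprotect '
                'success=no exit=EACCES a0=b4513000 a1=31fd000 a2=5 a3=bffaaaa0 pid=2281 '
                'comm=chrome exe=/opt/google/chrome/chrome key=(null)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')   # key=value, quoted or bare
PERM_RE = re.compile(r'\{\s*([^}]*?)\s*\}')               # { execmod } in AVC records
EVENT_RE = re.compile(r'msg=audit\(([\d.]+:\d+)\)')       # timestamp:serial event id
PROT_BITS = {0x1: 'PROT_READ', 0x2: 'PROT_WRITE', 0x4: 'PROT_EXEC'}

def parse_record(line: str) -> Dict[str, object]:
    """Split one audit record into fields; AVC permissions go in 'perms', event id in 'event'."""
    rec: Dict[str, object] = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    perms = PERM_RE.search(line)
    rec['perms'] = perms.group(1).split() if perms else []
    event = EVENT_RE.search(line)
    rec['event'] = event.group(1) if event else ''
    return rec

def selinux_type(context: str) -> str:
    """The type is the third component of user:role:type[:range]."""
    return context.split(':')[2]

def prot_flags(a2: str) -> List[str]:
    """Decode mprotect's prot argument (third syscall arg, hex) into PROT_* names."""
    val = int(a2, 16)
    return [name for bit, name in PROT_BITS.items() if val & bit]

def triage(avc_line: str, syscall_line: str) -> Dict[str, object]:
    """Correlate an AVC record with its SYSCALL record and classify the denial."""
    avc, sc = parse_record(avc_line), parse_record(syscall_line)
    if avc['event'] != sc['event']:
        raise ValueError('records belong to different audit events')
    # syscall 125 is mprotect on i386 (arch=40000003); sealert prints the symbolic names.
    mprotect = sc.get('syscall') in ('mprotect', '125')
    target_type = selinux_type(str(avc['tcontext']))
    return {
        'event': avc['event'],
        'domain': selinux_type(str(avc['scontext'])),
        'target_type': target_type,
        'mprotect_exec': mprotect and 'PROT_EXEC' in prot_flags(str(sc['a2'])),
        'denied_eacces': sc.get('exit') in ('-13', 'EACCES'),
        # execmod on an _exec_t file is the pattern Comment 3 calls out as unusual;
        # execmod normally shows up on shared libraries with text relocations.
        'execmod_on_executable': ('execmod' in avc['perms'] and avc.get('tclass') == 'file'
                                  and target_type.endswith('_exec_t')),
    }
```

Feed it the AVC/SYSCALL pair from `ausearch -m AVC -ts recent`; both record forms yield the same classification, so the check works whether the input came from ausearch or from a pasted sealert report.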

Comment 17 Miroslav Grepl 2011-09-20 11:23:34 UTC
Could you try to install the latest policy from koji


http://koji.fedoraproject.org/koji/buildinfo?buildID=263146

Comment 18 Chris Marcantonio 2011-09-20 14:04:14 UTC
Still looks very similar with the -40 package from koji:

Additional Information:
Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
                              0.c1023
Target Context                system_u:object_r:execmem_exec_t:s0
Target Objects                /opt/google/chrome/chrome [ file ]
Source                        chrome
Source Path                   /opt/google/chrome/chrome
Port                          <Unknown>
Host                          cmarcant-linuxbook
Source RPM Packages           google-chrome-stable-14.0.835.163-101024
Target RPM Packages           google-chrome-stable-14.0.835.163-101024
Policy RPM                    selinux-policy-3.9.16-40.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     <redacted>
Platform                      Linux <redacted> 2.6.40.4-5.fc15.i686.PAE
                              #1 SMP Tue Aug 30 14:43:52 UTC 2011 i686 i686
Alert Count                   15
First Seen                    Mon 19 Sep 2011 01:09:29 PM EDT
Last Seen                     Tue 20 Sep 2011 08:28:56 AM EDT
Local ID                      2c6839da-9c53-4b8f-b360-c5b4aa89edfa

Raw Audit Messages
type=AVC msg=audit(1316521736.390:1035): avc:  denied  { execmod } for  pid=18845 comm="chrome" path="/opt/google/chrome/chrome" dev=sda3 ino=2890167 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file


type=SYSCALL msg=audit(1316521736.390:1035): arch=i386 syscall=mprotect success=no exit=EACCES a0=b465e000 a1=31fd000 a2=5 a3=bfa4b800 items=0 ppid=0 pid=18845 auid=32034 uid=32034 gid=30 euid=32034 suid=32034 fsuid=32034 egid=30 sgid=30 fsgid=30 tty=(none) ses=1 comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Hash: chrome,chrome_sandbox_t,execmem_exec_t,file,execmod

Comment 19 Fedora Update System 2011-10-06 00:02:14 UTC
selinux-policy-3.9.16-39.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 Jacob Church 2011-10-07 00:59:21 UTC
I did a brand new f15 install today with selinux-policy-3.9.16-39.fc15 and I'm still having the same problem.

SELinux is preventing /opt/google/chrome/chrome from execmod access on the file /opt/google/chrome/chrome.

*****  Plugin allow_execmod (91.4 confidence) suggests  **********************

If you want to allow chrome to have execmod access on the chrome file
Then you need to change the label on '/opt/google/chrome/chrome'
Do
# semanage fcontext -a -t textrel_shlib_t '/opt/google/chrome/chrome'
# restorecon -v '/opt/google/chrome/chrome'

*****  Plugin catchall (9.59 confidence) suggests  ***************************

If you believe that chrome should be allowed execmod access on the chrome file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep chrome /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
                              0.c1023
Target Context                system_u:object_r:execmem_exec_t:s0
Target Objects                /opt/google/chrome/chrome [ file ]
Source                        chrome
Source Path                   /opt/google/chrome/chrome
Port                          <Unknown>
Host                          kazuya
Source RPM Packages           google-chrome-stable-14.0.835.202-103287
Target RPM Packages           google-chrome-stable-14.0.835.202-103287
Policy RPM                    selinux-policy-3.9.16-39.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     kazuya
Platform                      Linux kazuya 2.6.40.6-0.fc15.i686.PAE #1 SMP Tue
                              Oct 4 00:44:38 UTC 2011 i686 i686
Alert Count                   1
First Seen                    Thu 06 Oct 2011 05:47:07 PM PDT
Last Seen                     Thu 06 Oct 2011 05:47:07 PM PDT
Local ID                      de8da826-2bdc-4df4-a988-48f626b061a5

Raw Audit Messages
type=AVC msg=audit(1317948427.878:61): avc:  denied  { execmod } for  pid=2581 comm="chrome" path="/opt/google/chrome/chrome" dev=dm-1 ino=2105964 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file


type=SYSCALL msg=audit(1317948427.878:61): arch=i386 syscall=mprotect success=no exit=EACCES a0=b451c000 a1=31ff000 a2=5 a3=bfcbeab0 items=0 ppid=0 pid=2581 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Hash: chrome,chrome_sandbox_t,execmem_exec_t,file,execmod

audit2allow

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t execmem_exec_t:file execmod;

audit2allow -R

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t execmem_exec_t:file execmod;

Comment 21 Miroslav Grepl 2011-10-07 07:14:10 UTC
Could you try to install the latest policy from koji


http://koji.fedoraproject.org/koji/buildinfo?buildID=263146

It was closed by Update System.

Comment 22 Daniel 2011-10-07 11:36:16 UTC
And what's the command I need to run to install that latest policy from koji?

Comment 24 Daniel 2011-10-07 13:31:35 UTC
Thanks Miroslav. That works.

Comment 25 Chris Marcantonio 2011-10-07 17:16:57 UTC
Previous package from koji (3.9.16-40.fc15) did not solve this issue for me.

However, the latest package posted and linked above in Comment 23 (3.9.16-42.fc15) does seem to be working for me.  I don't see any more AVC denials related to this BZ after upgrading to that.

Comment 26 Jacob Church 2011-10-08 22:21:41 UTC
3.9.16-42 worked for me too.

Comment 27 Jim Nelson 2011-10-10 22:21:32 UTC
I too couldn't get it working until I applied the RPMs in Comment 23.  (Maybe I misunderstood something, but I couldn't use the command-line as written; I had to download the RPMs and install them from local files.)

Comment 28 Fedora Update System 2011-11-16 16:15:59 UTC
selinux-policy-3.9.16-48.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-48.fc15

Comment 29 Fedora Update System 2011-11-17 23:34:26 UTC
Package selinux-policy-3.9.16-48.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-48.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-16023/selinux-policy-3.9.16-48.fc15
then log in and leave karma (feedback).

Comment 30 Fedora Update System 2011-12-04 02:34:02 UTC
selinux-policy-3.9.16-48.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

