Bug 735786 - SELinux is preventing /opt/google/chrome/chrome from execmod access on the file /opt/google/chrome/chrome.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 14
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 730179
Blocks:
 
Reported: 2011-09-05 11:44 UTC by Miroslav Grepl
Modified: 2011-10-30 00:34 UTC

Fixed In Version: selinux-policy-3.9.7-46.fc14
Doc Type: Bug Fix
Doc Text:
Clone Of: 730179
Environment:
Last Closed: 2011-10-30 00:34:29 UTC



Description Miroslav Grepl 2011-09-05 11:44:29 UTC
+++ This bug was initially created as a clone of Bug #730179 +++

Description of problem:
SELinux is preventing /opt/google/chrome/chrome from execmod access on the file /opt/google/chrome/chrome.

Version-Release number of selected component (if applicable):
selinux-policy-3.9.16-37.fc15

How reproducible:
Start Google Chrome

Steps to Reproduce:
1.Start Google Chrome
2.
3.
  
Actual results:
selinux prevents Chrome from starting

Expected results:


Additional info:
SELinux is preventing /opt/google/chrome/chrome from execmod access on the file /opt/google/chrome/chrome.

*****  Plugin allow_execmod (91.4 confidence) suggests  **********************

If you want to allow chrome to have execmod access on the chrome file
Then you need to change the label on '/opt/google/chrome/chrome'
Do
# semanage fcontext -a -t textrel_shlib_t '/opt/google/chrome/chrome'
# restorecon -v '/opt/google/chrome/chrome'

*****  Plugin catchall (9.59 confidence) suggests  ***************************

If you believe that chrome should be allowed execmod access on the chrome file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep chrome /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
                              0.c1023
Target Context                system_u:object_r:execmem_exec_t:s0
Target Objects                /opt/google/chrome/chrome [ file ]
Source                        chrome
Source Path                   /opt/google/chrome/chrome
Port                          <Unknown>
Host                          fedora15kde32
Source RPM Packages           google-chrome-beta-14.0.835.35-96116
Target RPM Packages           google-chrome-beta-14.0.835.35-96116
Policy RPM                    selinux-policy-3.9.16-37.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora15kde32
Platform                      Linux fedora15kde32 2.6.40-4.fc15.i686.PAE #1 SMP
                              Fri Jul 29 18:47:58 UTC 2011 i686 i686
Alert Count                   2
First Seen                    Thu 11 Aug 2011 11:01:48 PM EDT
Last Seen                     Thu 11 Aug 2011 11:04:51 PM EDT
Local ID                      fba2eabc-ee92-4fc1-8f8d-6a8ca374a57e


This started after updating to Chrome version google-chrome-beta-14.0.835.35-96116.

Since I've never had a problem starting Google Chrome with selinux enforcing before, and, because I don't know what plugin allow_execmod does, I'm filing it as a bug.  Obviously something has changed in this version of Chrome and I don't want to allow access without reporting this problem first.

--- Additional comment from dwalsh@redhat.com on 2011-08-12 06:49:35 EDT ---

Please include the AVC data?

--- Additional comment from GoinEasy9@linuxquestions.net on 2011-08-12 22:12:00 EDT ---

Sorry, I thought I copied the whole thing:


Raw Audit Messages
type=AVC msg=audit(1313201544.117:85): avc:  denied  { execmod } for  pid=2527 comm="chrome" path="/opt/google/chrome/chrome" dev=sda2 ino=6291521 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file


type=SYSCALL msg=audit(1313201544.117:85): arch=i386 syscall=mprotect success=no exit=EACCES a0=b4684000 a1=31e9000 a2=5 a3=bfad2be0 items=0 ppid=0 pid=2527 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Hash: chrome,chrome_sandbox_t,execmem_exec_t,file,execmod

audit2allow

--- Additional comment from dwalsh@redhat.com on 2011-08-15 07:19:42 EDT ---

It is very strange to see an executable requiring execmod privs; these are usually shared libraries.

Miroslav, I added the allow rules for this to F16.

	execmem_execmod(chrome_sandbox_t)

--- Additional comment from dwalsh@redhat.com on 2011-08-15 07:24:06 EDT ---

*** Bug 730406 has been marked as a duplicate of this bug. ***

--- Additional comment from GoinEasy9@linuxquestions.net on 2011-08-18 03:04:02 EDT ---

Will the rule be added to F15, or should I manually adjust it?  Have you determined the reason for the AVC error yet?

--- Additional comment from mgrepl@redhat.com on 2011-08-22 06:25:19 EDT ---

Yes, added to selinux-policy-3.9.16-39.fc15

--- Additional comment from amoroso@mclink.it on 2011-08-31 04:29:01 EDT ---

Has the updated selinux-policy-3.9.16-39.fc15 been deployed? It hasn't shown up on my up to date Fedora 15 box yet. I still have selinux-policy-3.9.16-35.fc15. I got a couple of update batches with dozens of packages since selinux-policy was fixed, but not selinux-policy-3.9.16-39.fc15.

--- Additional comment from dwalsh@redhat.com on 2011-08-31 10:29:52 EDT ---

selinux-policy-3.9.16-38.fc15 is in testing now, so your fix will be in the next testing push.

--- Additional comment from beland@alum.mit.edu on 2011-09-03 23:55:18 EDT ---

Created attachment 521356 [details]
SELinux problem report for Fedora 14 google-chrome-beta-14.0.835.126-99097.i386

FYI, I am having the same problem on Fedora 14.  SELinux problem report attached.
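
As an added example (not code from this bug report, from setroubleshoot, or from selinux-policy), the following Python script parses raw audit records like the ones quoted above, joins the AVC record with its SYSCALL record by audit serial, decodes the mprotect protection argument (a2=5 is PROT_READ|PROT_EXEC), and flags execmod denials whose target is an executable type rather than a shared library, which is the point Dan Walsh raises above. The two sample records are constructed from those quoted in this report; the `_exec_t` suffix check is an assumption based on the reference-policy naming convention for entrypoint types, and `suggested_rule` reproduces the form of rule audit2allow prints for such a denial.

```python
"""Triage SELinux execmod denials from raw audit records.

Added example for this bug report; not code from the report, from
setroubleshoot or from selinux-policy.  The records in SAMPLE_LOG are
constructed from the ones quoted in the report.
"""
import re

# mprotect()/mmap() protection bits (asm-generic/mman-common.h).
PROT_FLAGS = [(0x1, "PROT_READ"), (0x2, "PROT_WRITE"), (0x4, "PROT_EXEC")]

# Constructed sample: the AVC and SYSCALL records share audit serial 85,
# which is how the kernel ties the denial to the system call behind it.
SAMPLE_LOG = """\
type=AVC msg=audit(1313201544.117:85): avc:  denied  { execmod } for  pid=2527 comm="chrome" path="/opt/google/chrome/chrome" dev=sda2 ino=6291521 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1313201544.117:85): arch=i386 syscall=mprotect success=no exit=EACCES a0=b4684000 a1=31e9000 a2=5 a3=bfad2be0 items=0 ppid=0 pid=2527 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)
"""

_HEADER_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
_AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_kv(text):
    """Split 'key=value key="quoted value"' tokens into a dict."""
    fields = {}
    for key, value in _KV_RE.findall(text):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def parse_record(line):
    """Parse one audit record; returns None for lines that are not records."""
    m = _HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "timestamp": m.group("ts"),
           "serial": int(m.group("serial"))}
    body = m.group("body")
    if rec["type"] == "AVC":
        a = _AVC_RE.match(body)
        if not a:
            return None
        rec["result"] = a.group("result")
        rec["perms"] = a.group("perms").split()
        rec.update(parse_kv(a.group("rest")))
    else:
        rec.update(parse_kv(body))
    return rec


def selinux_type(context):
    """Return the type (third component) of a user:role:type[:range] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def decode_prot(hex_arg):
    """Decode an mprotect prot argument as audit logs it (hex string)."""
    value = int(hex_arg, 16)
    names = [name for bit, name in PROT_FLAGS if value & bit]
    return "|".join(names) if names else "PROT_NONE"


def triage_execmod(log_text):
    """Return one finding per execmod denial, joined with its SYSCALL record."""
    by_serial = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            by_serial.setdefault(rec["serial"], []).append(rec)
    findings = []
    for serial, recs in sorted(by_serial.items()):
        syscall = next((r for r in recs if r["type"] == "SYSCALL"), {})
        for avc in recs:
            if (avc["type"] != "AVC" or avc["result"] != "denied"
                    or "execmod" not in avc["perms"]):
                continue
            src = selinux_type(avc.get("scontext", ""))
            tgt = selinux_type(avc.get("tcontext", ""))
            prot = None
            if syscall.get("syscall") == "mprotect" and "a2" in syscall:
                prot = decode_prot(syscall["a2"])  # a2 is mprotect's prot argument
            # Assumption: entrypoint types end in _exec_t, while libraries that
            # need text relocations are textrel_shlib_t; execmod on an
            # executable is the unusual case worth a policy maintainer's look.
            findings.append({
                "serial": serial, "pid": int(avc["pid"]),
                "comm": avc.get("comm"), "path": avc.get("path"),
                "source_type": src, "target_type": tgt,
                "syscall": syscall.get("syscall"), "prot": prot,
                "target_is_executable": tgt.endswith("_exec_t"),
                # Same shape as the rule audit2allow prints for this denial.
                "suggested_rule": "allow %s %s:file execmod;" % (src, tgt),
            })
    return findings


if __name__ == "__main__":
    for finding in triage_execmod(SAMPLE_LOG):
        print(finding)
```

Feed it the output of `grep chrome /var/log/audit/audit.log` instead of `SAMPLE_LOG` to triage a live system; a finding with `target_is_executable` set is the case this report describes, where the fix belonged in the policy (`execmem_execmod(chrome_sandbox_t)`) rather than in a relabel of the binary.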

Comment 1 GoinEasy9 2011-09-21 19:32:18 UTC
I was the original poster on Bug #730179.  While using semanage and restorecon and eventual updates to selinux-policy worked to fix most of my Fedora 15 installs, I'm still unable to bring up Chrome on one of my laptops.  The error message is the same, so I will post it here:

SELinux is preventing /opt/google/chrome/chrome from execmod access on the file /opt/google/chrome/chrome.

*****  Plugin allow_execmod (91.4 confidence) suggests  **********************

If you want to allow chrome to have execmod access on the chrome file
Then you need to change the label on '/opt/google/chrome/chrome'
Do
# semanage fcontext -a -t textrel_shlib_t '/opt/google/chrome/chrome'
# restorecon -v '/opt/google/chrome/chrome'

*****  Plugin catchall (9.59 confidence) suggests  ***************************

If you believe that chrome should be allowed execmod access on the chrome file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep chrome /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
                              0.c1023
Target Context                system_u:object_r:execmem_exec_t:s0
Target Objects                /opt/google/chrome/chrome [ file ]
Source                        chrome
Source Path                   /opt/google/chrome/chrome
Port                          <Unknown>
Host                          fedora15kde13
Source RPM Packages           google-chrome-beta-14.0.835.186-101821
Target RPM Packages           google-chrome-beta-14.0.835.186-101821
Policy RPM                    selinux-policy-3.9.16-39.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora15kde13
Platform                      Linux fedora15kde13 2.6.40.4-5.fc15.i686.PAE #1
                              SMP Tue Aug 30 14:43:52 UTC 2011 i686 i686
Alert Count                   10
First Seen                    Sun 11 Sep 2011 12:45:21 PM EDT
Last Seen                     Wed 21 Sep 2011 03:05:02 PM EDT
Local ID                      dcb35aff-6145-4031-99ea-97a498cda60f

Raw Audit Messages
type=AVC msg=audit(1316631902.906:72): avc:  denied  { execmod } for  pid=3233 comm="chrome" path="/opt/google/chrome/chrome" dev=sda6 ino=917513 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file


type=SYSCALL msg=audit(1316631902.906:72): arch=i386 syscall=mprotect success=no exit=EACCES a0=b4549000 a1=31fd000 a2=5 a3=bfaaf2f0 items=0 ppid=0 pid=3233 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Hash: chrome,chrome_sandbox_t,execmem_exec_t,file,execmod

audit2allow

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t execmem_exec_t:file execmod;

audit2allow -R

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t execmem_exec_t:file execmod;

I have tried to manually fix this install for a while now, but it is getting frustrating.  I do not have the knowledge of selinux to dig deeper into the problem.  This is what happens when I try to fix it manually using the solution in the AVC troubleshooter details.

# semanage fcontext -a -t textrel_shlib_t '/opt/google/chrome/chrome'
libsemanage.semanage_read_policydb: Could not open kernel policy /etc/selinux/targeted/modules/active/policy.kern for reading. (No such file or directory).
/usr/sbin/semanage: Could not test MLS enabled status

There is no file policy.kern in folder /etc/selinux/targeted/modules/active/.  I checked and it is not present in my working main install either.

So I try:

# semodule -i mypol.pp
libsemanage.semanage_link_sandbox: Could not access sandbox base file /etc/selinux/targeted/modules/tmp/base.pp. (No such file or directory).
semodule:  Failed!

There is no /tmp/base.pp in /etc/selinux/targeted/modules/, although, since it's a tmp file, I wasn't expecting to find it after the fact.

So that's where I am. I tried removing and reinstalling Chrome with the same results.  I also tried turning off selinux and then re-enabling it, letting it reassign as it rebooted with the same result.  Help please.

Comment 2 Daniel Walsh 2011-09-21 19:47:18 UTC
This looks like your /etc/selinux/targeted directories have been corrupted somehow.

Try

yum reinstall selinux-policy-targeted

To see if this fixes the problem.

Comment 3 GoinEasy9 2011-09-23 02:53:45 UTC
Thank you for the response.  I tried reinstalling.  Result failed.

Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : selinux-policy-targeted-3.9.16-39.fc15.noarch 
libsemanage.semanage_reload_policy: load_policy returned error code 2.
libsemanage.semanage_install_active: Could not copy /etc/selinux/targeted/modules/active/policy.kern to /etc/selinux/targeted/policy/policy.24. (No such file or directory).
semodule:  Failed!

Installed:
selinux-policy-targeted.noarch 0:3.9.16-39.fc15

Complete!

There is a file policy.24 in /etc/selinux/targeted/policy/

Thanks for your help.

Comment 4 Daniel Walsh 2011-09-23 19:07:15 UTC
I can't tell from your message above: are you all set now or still broken?

Comment 5 GoinEasy9 2011-09-23 20:17:30 UTC
Still broken:

SELinux is preventing /opt/google/chrome/chrome from execmod access on the file /opt/google/chrome/chrome.

*****  Plugin allow_execmod (91.4 confidence) suggests  **********************

If you want to allow chrome to have execmod access on the chrome file
Then you need to change the label on '/opt/google/chrome/chrome'
Do
# semanage fcontext -a -t textrel_shlib_t '/opt/google/chrome/chrome'
# restorecon -v '/opt/google/chrome/chrome'

*****  Plugin catchall (9.59 confidence) suggests  ***************************

If you believe that chrome should be allowed execmod access on the chrome file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep chrome /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
                              0.c1023
Target Context                system_u:object_r:execmem_exec_t:s0
Target Objects                /opt/google/chrome/chrome [ file ]
Source                        chrome
Source Path                   /opt/google/chrome/chrome
Port                          <Unknown>
Host                          fedora15kde13
Source RPM Packages           google-chrome-beta-14.0.835.186-101821
Target RPM Packages           google-chrome-beta-14.0.835.186-101821
Policy RPM                    selinux-policy-3.9.16-39.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora15kde13
Platform                      Linux fedora15kde13 2.6.40.4-5.fc15.i686.PAE #1
                              SMP Tue Aug 30 14:43:52 UTC 2011 i686 i686
Alert Count                   11
First Seen                    Sun 11 Sep 2011 12:45:21 PM EDT
Last Seen                     Fri 23 Sep 2011 04:03:11 PM EDT
Local ID                      dcb35aff-6145-4031-99ea-97a498cda60f

Raw Audit Messages
type=AVC msg=audit(1316808191.697:95): avc:  denied  { execmod } for  pid=7789 comm="chrome" path="/opt/google/chrome/chrome" dev=sda6 ino=917513 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file


type=SYSCALL msg=audit(1316808191.697:95): arch=i386 syscall=mprotect success=no exit=EACCES a0=b45e4000 a1=31fd000 a2=5 a3=bfbfcf30 items=0 ppid=0 pid=7789 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Hash: chrome,chrome_sandbox_t,execmem_exec_t,file,execmod

audit2allow

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t execmem_exec_t:file execmod;

audit2allow -R

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t execmem_exec_t:file execmod;

Then when trying the fix:

# semanage fcontext -a -t textrel_shlib_t '/opt/google/chrome/chrome'
libsemanage.semanage_read_policydb: Could not open kernel policy /etc/selinux/targeted/modules/active/policy.kern for reading. (No such file or directory).
/usr/sbin/semanage: Could not test MLS enabled status

Or when trying the temporary fix:

# grep chrome /var/log/audit/audit.log | audit2allow -M mypol
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i mypol.pp
# semodule -i mypol.pp
libsemanage.semanage_link_sandbox: Could not access sandbox base file /etc/selinux/targeted/modules/tmp/base.pp. (No such file or directory).
semodule:  Failed!

I see where the confusion comes in: it does say Installed and Complete, but it also says the commands failed.  The only AVC error comes when trying to start chrome.

Comment 6 Daniel Walsh 2011-09-23 21:05:54 UTC
OK, not sure how this machine got screwed up, but execute the following:

# setenforce 0
# rm -rf /etc/selinux/targeted
# yum -y reinstall selinux-policy-targeted
# restorecon -R -v /etc/selinux/targeted
# setenforce 1

And you should be good to go with the latest policy.

Comment 7 Miroslav Grepl 2011-09-26 08:54:54 UTC
I also added a fix for the AVC which you see.

Comment 8 GoinEasy9 2011-09-27 16:03:37 UTC
Well, there must be something very strange going on here.  I used the commands:
# setenforce 0
# rm -rf /etc/selinux/targeted
# yum -y reinstall selinux-policy-targeted
# restorecon -R -v /etc/selinux/targeted
# setenforce 1

All finished successfully.  Tried to open Chrome, which is now on Beta 15, and, once again, the AVC error.

SELinux is preventing /opt/google/chrome/chrome from execmod access on the file /opt/google/chrome/chrome.

*****  Plugin allow_execmod (91.4 confidence) suggests  **********************

If you want to allow chrome to have execmod access on the chrome file
Then you need to change the label on '/opt/google/chrome/chrome'
Do
# semanage fcontext -a -t textrel_shlib_t '/opt/google/chrome/chrome'
# restorecon -v '/opt/google/chrome/chrome'

*****  Plugin catchall (9.59 confidence) suggests  ***************************

If you believe that chrome should be allowed execmod access on the chrome file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep chrome /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
                              0.c1023
Target Context                system_u:object_r:execmem_exec_t:s0
Target Objects                /opt/google/chrome/chrome [ file ]
Source                        chrome
Source Path                   /opt/google/chrome/chrome
Port                          <Unknown>
Host                          fedora15kde13
Source RPM Packages           google-chrome-beta-15.0.874.21-101896
Target RPM Packages           google-chrome-beta-15.0.874.21-101896
Policy RPM                    selinux-policy-3.9.16-39.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora15kde13
Platform                      Linux fedora15kde13 2.6.40.4-5.fc15.i686.PAE #1
                              SMP Tue Aug 30 14:43:52 UTC 2011 i686 i686
Alert Count                   14
First Seen                    Sun 11 Sep 2011 12:45:21 PM EDT
Last Seen                     Tue 27 Sep 2011 11:45:57 AM EDT
Local ID                      dcb35aff-6145-4031-99ea-97a498cda60f

Raw Audit Messages
type=AVC msg=audit(1317138357.861:51): avc:  denied  { execmod } for  pid=2172 comm="chrome" path="/opt/google/chrome/chrome" dev=sda6 ino=934907 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file


type=SYSCALL msg=audit(1317138357.861:51): arch=i386 syscall=mprotect success=no exit=EACCES a0=b43c7000 a1=3372000 a2=5 a3=bfa3f560 items=0 ppid=0 pid=2172 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Hash: chrome,chrome_sandbox_t,execmem_exec_t,file,execmod

audit2allow

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t execmem_exec_t:file execmod;

audit2allow -R

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t execmem_exec_t:file execmod;



And then trying to use the work around, I got the same error as before:

# semanage fcontext -a -t textrel_shlib_t '/opt/google/chrome/chrome'
libsemanage.semanage_read_policydb: Could not open kernel policy /etc/selinux/targeted/modules/active/policy.kern for reading. (No such file or directory).
usr/sbin/semanage: Could not test MLS enabled status

Any other suggestions?  Can selinux be totally wiped and then reinstalled?

Comment 9 Fedora Update System 2011-10-20 11:58:31 UTC
selinux-policy-3.9.7-46.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-46.fc14

Comment 10 Fedora Update System 2011-10-22 08:21:48 UTC
Package selinux-policy-3.9.7-46.fc14:
* should fix your issue,
* was pushed to the Fedora 14 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.7-46.fc14'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-14734
then log in and leave karma (feedback).

Comment 11 Fedora Update System 2011-10-30 00:34:29 UTC
selinux-policy-3.9.7-46.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

