+++ This bug was initially created as a clone of Bug #730179 +++

Description of problem:
SELinux is preventing /opt/google/chrome/chrome from execmod access on the file /opt/google/chrome/chrome.

Version-Release number of selected component (if applicable):
selinux-policy-3.9.16-37.fc15

How reproducible:
Start Google Chrome

Steps to Reproduce:
1. Start Google Chrome
2.
3.

Actual results:
selinux prevents Chrome from starting

Expected results:

Additional info:

SELinux is preventing /opt/google/chrome/chrome from execmod access on the file /opt/google/chrome/chrome.

***** Plugin allow_execmod (91.4 confidence) suggests **********************

If you want to allow chrome to have execmod access on the chrome file
Then you need to change the label on '/opt/google/chrome/chrome'
Do

    # semanage fcontext -a -t textrel_shlib_t '/opt/google/chrome/chrome'
    # restorecon -v '/opt/google/chrome/chrome'

***** Plugin catchall (9.59 confidence) suggests ***************************

If you believe that chrome should be allowed execmod access on the chrome file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:

    # grep chrome /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp

Additional Information:

    Source Context        unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
    Target Context        system_u:object_r:execmem_exec_t:s0
    Target Objects        /opt/google/chrome/chrome [ file ]
    Source                chrome
    Source Path           /opt/google/chrome/chrome
    Port                  <Unknown>
    Host                  fedora15kde32
    Source RPM Packages   google-chrome-beta-14.0.835.35-96116
    Target RPM Packages   google-chrome-beta-14.0.835.35-96116
    Policy RPM            selinux-policy-3.9.16-37.fc15
    Selinux Enabled       True
    Policy Type           targeted
    Enforcing Mode        Enforcing
    Host Name             fedora15kde32
    Platform              Linux fedora15kde32 2.6.40-4.fc15.i686.PAE #1 SMP Fri Jul 29 18:47:58 UTC 2011 i686 i686
    Alert Count           2
    First Seen            Thu 11 Aug 2011 11:01:48 PM EDT
    Last Seen             Thu 11 Aug 2011 11:04:51 PM EDT
    Local ID              fba2eabc-ee92-4fc1-8f8d-6a8ca374a57e

This started after updating to Chrome version google-chrome-beta-14.0.835.35-96116

Since I've never had a problem starting Google Chrome with selinux enforcing before, and, because I don't know what plugin allow_execmod does, I'm filing it as a bug. Obviously something has changed in this version of Chrome and I don't want to allow access without reporting this problem first.

--- Additional comment from dwalsh on 2011-08-12 06:49:35 EDT ---

Please include the AVC data?

--- Additional comment from GoinEasy9 on 2011-08-12 22:12:00 EDT ---

Sorry, I thought I copied the whole thing:

Raw Audit Messages

    type=AVC msg=audit(1313201544.117:85): avc: denied { execmod } for pid=2527 comm="chrome" path="/opt/google/chrome/chrome" dev=sda2 ino=6291521 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file

    type=SYSCALL msg=audit(1313201544.117:85): arch=i386 syscall=mprotect success=no exit=EACCES a0=b4684000 a1=31e9000 a2=5 a3=bfad2be0 items=0 ppid=0 pid=2527 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

    Hash: chrome,chrome_sandbox_t,execmem_exec_t,file,execmod

    audit2allow

--- Additional comment from dwalsh on 2011-08-15 07:19:42 EDT ---

It is very strange to see an executable requiring execmod privs, these are usually shared libraries.

Miroslav I added the allow rules for this to F16.

    execmem_execmod(chrome_sandbox_t)

--- Additional comment from dwalsh on 2011-08-15 07:24:06 EDT ---

*** Bug 730406 has been marked as a duplicate of this bug. ***

--- Additional comment from GoinEasy9 on 2011-08-18 03:04:02 EDT ---

Will the rule be added to F15, or should I manually adjust it? Have you determined the reason for the AVC error yet?

--- Additional comment from mgrepl on 2011-08-22 06:25:19 EDT ---

Yes, added to selinux-policy-3.9.16-39.fc15

--- Additional comment from amoroso on 2011-08-31 04:29:01 EDT ---

Has the updated selinux-policy-3.9.16-39.fc15 been deployed? It hasn't shown up on my up to date Fedora 15 box yet. I still have selinux-policy-3.9.16-35.fc15. I got a couple of update batches with dozens of packages since selinux-policy was fixed, but not selinux-policy-3.9.16-39.fc15

--- Additional comment from dwalsh on 2011-08-31 10:29:52 EDT ---

selinux-policy-3.9.16-38.fc15 is in testing now, so your fix will be in the next testing push.

--- Additional comment from beland.edu on 2011-09-03 23:55:18 EDT ---

Created attachment 521356 [details]
SELinux problem report for Fedora 14 google-chrome-beta-14.0.835.126-99097.i386

FYI, I am having the same problem on Fedora 14. SELinux problem report attached.
I was the original poster on Bug #730179. While using semanage and restorecon and eventual updates to selinux-policy worked to fix most of my Fedora 15 installs, I'm still unable to bring up Chrome on one of my laptops. The error message is the same, so I will post it here:

SELinux is preventing /opt/google/chrome/chrome from execmod access on the file /opt/google/chrome/chrome.

***** Plugin allow_execmod (91.4 confidence) suggests **********************

If you want to allow chrome to have execmod access on the chrome file
Then you need to change the label on '/opt/google/chrome/chrome'
Do

    # semanage fcontext -a -t textrel_shlib_t '/opt/google/chrome/chrome'
    # restorecon -v '/opt/google/chrome/chrome'

***** Plugin catchall (9.59 confidence) suggests ***************************

If you believe that chrome should be allowed execmod access on the chrome file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:

    # grep chrome /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp

Additional Information:

    Source Context        unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
    Target Context        system_u:object_r:execmem_exec_t:s0
    Target Objects        /opt/google/chrome/chrome [ file ]
    Source                chrome
    Source Path           /opt/google/chrome/chrome
    Port                  <Unknown>
    Host                  fedora15kde13
    Source RPM Packages   google-chrome-beta-14.0.835.186-101821
    Target RPM Packages   google-chrome-beta-14.0.835.186-101821
    Policy RPM            selinux-policy-3.9.16-39.fc15
    Selinux Enabled       True
    Policy Type           targeted
    Enforcing Mode        Enforcing
    Host Name             fedora15kde13
    Platform              Linux fedora15kde13 2.6.40.4-5.fc15.i686.PAE #1 SMP Tue Aug 30 14:43:52 UTC 2011 i686 i686
    Alert Count           10
    First Seen            Sun 11 Sep 2011 12:45:21 PM EDT
    Last Seen             Wed 21 Sep 2011 03:05:02 PM EDT
    Local ID              dcb35aff-6145-4031-99ea-97a498cda60f

Raw Audit Messages

    type=AVC msg=audit(1316631902.906:72): avc: denied { execmod } for pid=3233 comm="chrome" path="/opt/google/chrome/chrome" dev=sda6 ino=917513 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file

    type=SYSCALL msg=audit(1316631902.906:72): arch=i386 syscall=mprotect success=no exit=EACCES a0=b4549000 a1=31fd000 a2=5 a3=bfaaf2f0 items=0 ppid=0 pid=3233 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

    Hash: chrome,chrome_sandbox_t,execmem_exec_t,file,execmod

    audit2allow

    #============= chrome_sandbox_t ==============
    allow chrome_sandbox_t execmem_exec_t:file execmod;

    audit2allow -R

    #============= chrome_sandbox_t ==============
    allow chrome_sandbox_t execmem_exec_t:file execmod;

I have tried to manually fix this install for a while now, but, it is getting frustrating. I do not have the knowledge of selinux to dig deeper into the problem.

This is what happens when I try to fix it manually using the solution in the AVC troubleshooter details.

    # semanage fcontext -a -t textrel_shlib_t '/opt/google/chrome/chrome'
    libsemanage.semanage_read_policydb: Could not open kernel policy /etc/selinux/targeted/modules/active/policy.kern for reading. (No such file or directory).
    /usr/sbin/semanage: Could not test MLS enabled status

There is no file policy.kern in folder /etc/selinux/targeted/modules/active/. I checked and it is not present in my working main install either.

So I try:

    # semodule -i mypol.pp
    libsemanage.semanage_link_sandbox: Could not access sandbox base file /etc/selinux/targeted/modules/tmp/base.pp. (No such file or directory).
    semodule: Failed!

There is no /tmp/base.pp in /etc/selinux/targeted/modules/ although, since it's a tmp file, I wasn't expecting to find it after the fact.

So that's where I am. I tried removing and reinstalling Chrome with the same results. I also tried turning off selinux and then re-enabling it, letting it reassign as it rebooted with the same result.

Help please.
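The denial quoted in the comment above, worked through as an added example (not part of the bug report, and not the code of setroubleshoot or audit2allow): it pairs the AVC record with its SYSCALL record by event id, derives the allow rule that audit2allow printed, and decodes the mprotect protection mask. The names `analyse` and `selinux_type` are hypothetical, and the input is assumed to be in the interpreted form shown in this report (as `ausearch -i` prints it), with the SYSCALL record abridged.

```python
import re

# Constructed sample: the AVC/SYSCALL pair quoted in this report (interpreted
# form, SYSCALL record abridged), one record per line.
SAMPLE = (
    'type=AVC msg=audit(1316631902.906:72): avc: denied { execmod } for pid=3233 '
    'comm="chrome" path="/opt/google/chrome/chrome" dev=sda6 ino=917513 '
    'scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file\n'
    'type=SYSCALL msg=audit(1316631902.906:72): arch=i386 syscall=mprotect '
    'success=no exit=EACCES a0=b4549000 a1=31fd000 a2=5 a3=bfaaf2f0 pid=3233\n'
)
PROT_BITS = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
EVENT_ID = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
DENIED = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
KEY_VALUE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    return context.split(":")[2]  # user:role:type:level -> type

def analyse(log_text):
    """Pair each AVC denial with its SYSCALL record and derive the allow rule."""
    events = {}
    for line in log_text.splitlines():
        event = EVENT_ID.search(line)
        if not event:
            continue
        record = {k: v.strip('"') for k, v in KEY_VALUE.findall(line)}
        denied = DENIED.search(line)
        if denied:
            record["perms"] = denied.group(1).split()
        events.setdefault(event.group(1), {})[record.get("type")] = record
    findings = []
    for event_id, records in events.items():
        avc, call = records.get("AVC"), records.get("SYSCALL", {})
        if not avc or "perms" not in avc:
            continue
        perms = avc["perms"]
        perm_text = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
        prot = []
        if call.get("syscall") == "mprotect":
            # Audit logs syscall arguments in hex; a2 is mprotect()'s prot mask.
            prot = [n for bit, n in PROT_BITS.items() if int(call["a2"], 16) & bit]
        rule = "allow %s %s:%s %s;" % (selinux_type(avc["scontext"]),
                                       selinux_type(avc["tcontext"]),
                                       avc["tclass"], perm_text)
        findings.append({
            "event": event_id, "path": avc.get("path"), "rule": rule,
            "mprotect_prot": prot,
            # execmod on a file while mprotect() asks for PROT_EXEC: the case the
            # allow_execmod plugin answers with the textrel_shlib_t label.
            "exec_of_modified_mapping": "execmod" in perms and "PROT_EXEC" in prot,
        })
    return findings
```

Here a2=5 decodes to PROT_READ and PROT_EXEC, so the denied call is an attempt to make a mapping of the chrome binary itself executable, which matches the rule audit2allow generated.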
This looks like your /etc/selinux/targeted directories have been corrupted somehow.

Try

    yum reinstall selinux-policy-targeted

to see if this fixes the problem.
Thank you for the response. I tried reinstalling. Result failed.

    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction
      Installing : selinux-policy-targeted-3.9.16-39.fc15.noarch
    libsemanage.semanage_reload_policy: load_policy returned error code 2.
    libsemanage.semanage_install_active: Could not copy /etc/selinux/targeted/modules/active/policy.kern to /etc/selinux/targeted/policy/policy.24. (No such file or directory).
    semodule: Failed!

    Installed:
      selinux-policy-targeted.noarch 0:3.9.16-39.fc15

    Complete!

There is a file policy.24 in /etc/selinux/targeted/policy/

Thanks for your help.
I can't tell from your message above: are you all set now or still broken?
Still broken:

SELinux is preventing /opt/google/chrome/chrome from execmod access on the file /opt/google/chrome/chrome.

***** Plugin allow_execmod (91.4 confidence) suggests **********************

If you want to allow chrome to have execmod access on the chrome file
Then you need to change the label on '/opt/google/chrome/chrome'
Do

    # semanage fcontext -a -t textrel_shlib_t '/opt/google/chrome/chrome'
    # restorecon -v '/opt/google/chrome/chrome'

***** Plugin catchall (9.59 confidence) suggests ***************************

If you believe that chrome should be allowed execmod access on the chrome file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:

    # grep chrome /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp

Additional Information:

    Source Context        unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
    Target Context        system_u:object_r:execmem_exec_t:s0
    Target Objects        /opt/google/chrome/chrome [ file ]
    Source                chrome
    Source Path           /opt/google/chrome/chrome
    Port                  <Unknown>
    Host                  fedora15kde13
    Source RPM Packages   google-chrome-beta-14.0.835.186-101821
    Target RPM Packages   google-chrome-beta-14.0.835.186-101821
    Policy RPM            selinux-policy-3.9.16-39.fc15
    Selinux Enabled       True
    Policy Type           targeted
    Enforcing Mode        Enforcing
    Host Name             fedora15kde13
    Platform              Linux fedora15kde13 2.6.40.4-5.fc15.i686.PAE #1 SMP Tue Aug 30 14:43:52 UTC 2011 i686 i686
    Alert Count           11
    First Seen            Sun 11 Sep 2011 12:45:21 PM EDT
    Last Seen             Fri 23 Sep 2011 04:03:11 PM EDT
    Local ID              dcb35aff-6145-4031-99ea-97a498cda60f

Raw Audit Messages

    type=AVC msg=audit(1316808191.697:95): avc: denied { execmod } for pid=7789 comm="chrome" path="/opt/google/chrome/chrome" dev=sda6 ino=917513 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file

    type=SYSCALL msg=audit(1316808191.697:95): arch=i386 syscall=mprotect success=no exit=EACCES a0=b45e4000 a1=31fd000 a2=5 a3=bfbfcf30 items=0 ppid=0 pid=7789 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

    Hash: chrome,chrome_sandbox_t,execmem_exec_t,file,execmod

    audit2allow

    #============= chrome_sandbox_t ==============
    allow chrome_sandbox_t execmem_exec_t:file execmod;

    audit2allow -R

    #============= chrome_sandbox_t ==============
    allow chrome_sandbox_t execmem_exec_t:file execmod;

Then when trying the fix:

    # semanage fcontext -a -t textrel_shlib_t '/opt/google/chrome/chrome'
    libsemanage.semanage_read_policydb: Could not open kernel policy /etc/selinux/targeted/modules/active/policy.kern for reading. (No such file or directory).
    /usr/sbin/semanage: Could not test MLS enabled status

Or when trying the temporary fix:

    # grep chrome /var/log/audit/audit.log | audit2allow -M mypol
    ******************** IMPORTANT ***********************
    To make this policy package active, execute:

    semodule -i mypol.pp

    # semodule -i mypol.pp
    libsemanage.semanage_link_sandbox: Could not access sandbox base file /etc/selinux/targeted/modules/tmp/base.pp. (No such file or directory).
    semodule: Failed!

I see where the confusion comes in, it does say Installed and Complete, but it does say the commands failed. The only AVC error comes when trying to start chrome.
Ok. Not sure how this machine got screwed up, but execute the following:

    # setenforce 0
    # rm -rf /etc/selinux/targeted
    # yum -y reinstall selinux-policy-targeted
    # restorecon -R -v /etc/selinux/targeted
    # setenforce 1

And you should be good to go with the latest policy.
I also added a fix for AVC which you see.
Well, there must be something very strange going on here. I used the commands:

    # setenforce 0
    # rm -rf /etc/selinux/targeted
    # yum -y reinstall selinux-policy-targeted
    # restorecon -R -v /etc/selinux/targeted
    # setenforce 1

All finished successfully:

Tried to open chrome, which is now on Beta 15, and, once again, the AVC error.

SELinux is preventing /opt/google/chrome/chrome from execmod access on the file /opt/google/chrome/chrome.

***** Plugin allow_execmod (91.4 confidence) suggests **********************

If you want to allow chrome to have execmod access on the chrome file
Then you need to change the label on '/opt/google/chrome/chrome'
Do

    # semanage fcontext -a -t textrel_shlib_t '/opt/google/chrome/chrome'
    # restorecon -v '/opt/google/chrome/chrome'

***** Plugin catchall (9.59 confidence) suggests ***************************

If you believe that chrome should be allowed execmod access on the chrome file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:

    # grep chrome /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp

Additional Information:

    Source Context        unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
    Target Context        system_u:object_r:execmem_exec_t:s0
    Target Objects        /opt/google/chrome/chrome [ file ]
    Source                chrome
    Source Path           /opt/google/chrome/chrome
    Port                  <Unknown>
    Host                  fedora15kde13
    Source RPM Packages   google-chrome-beta-15.0.874.21-101896
    Target RPM Packages   google-chrome-beta-15.0.874.21-101896
    Policy RPM            selinux-policy-3.9.16-39.fc15
    Selinux Enabled       True
    Policy Type           targeted
    Enforcing Mode        Enforcing
    Host Name             fedora15kde13
    Platform              Linux fedora15kde13 2.6.40.4-5.fc15.i686.PAE #1 SMP Tue Aug 30 14:43:52 UTC 2011 i686 i686
    Alert Count           14
    First Seen            Sun 11 Sep 2011 12:45:21 PM EDT
    Last Seen             Tue 27 Sep 2011 11:45:57 AM EDT
    Local ID              dcb35aff-6145-4031-99ea-97a498cda60f

Raw Audit Messages

    type=AVC msg=audit(1317138357.861:51): avc: denied { execmod } for pid=2172 comm="chrome" path="/opt/google/chrome/chrome" dev=sda6 ino=934907 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file

    type=SYSCALL msg=audit(1317138357.861:51): arch=i386 syscall=mprotect success=no exit=EACCES a0=b43c7000 a1=3372000 a2=5 a3=bfa3f560 items=0 ppid=0 pid=2172 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

    Hash: chrome,chrome_sandbox_t,execmem_exec_t,file,execmod

    audit2allow

    #============= chrome_sandbox_t ==============
    allow chrome_sandbox_t execmem_exec_t:file execmod;

    audit2allow -R

    #============= chrome_sandbox_t ==============
    allow chrome_sandbox_t execmem_exec_t:file execmod;

And then trying to use the work around, I got the same error as before:

    # semanage fcontext -a -t textrel_shlib_t '/opt/google/chrome/chrome'
    libsemanage.semanage_read_policydb: Could not open kernel policy /etc/selinux/targeted/modules/active/policy.kern for reading. (No such file or directory).
    usr/sbin/semanage: Could not test MLS enabled status

Any other suggestions? Can selinux be totally wiped and then reinstalled?
selinux-policy-3.9.7-46.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-46.fc14
Package selinux-policy-3.9.7-46.fc14:
* should fix your issue,
* was pushed to the Fedora 14 testing repository,
* should be available at your local mirror within two days.

Update it with:

    # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.7-46.fc14'

as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-14734
then log in and leave karma (feedback).
selinux-policy-3.9.7-46.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.