SELinux is preventing /opt/google/chrome/chrome from 'execute' accesses on the file /opt/google/chrome/nacl_helper_bootstrap.

*****  Plugin catchall_labels (83.8 confidence) suggests  ********************

If you want to allow chrome to have execute access on the nacl_helper_bootstrap file
Then you need to change the label on /opt/google/chrome/nacl_helper_bootstrap
Do
# semanage fcontext -a -t FILE_TYPE '/opt/google/chrome/nacl_helper_bootstrap'
where FILE_TYPE is one of the following: textrel_shlib_t, execmem_exec_t, lib_t, chrome_sandbox_exec_t, bin_t, abrt_helper_exec_t, ld_so_t, user_tmpfs_t.
Then execute:
restorecon -v '/opt/google/chrome/nacl_helper_bootstrap'

*****  Plugin catchall (17.1 confidence) suggests  ***************************

If you believe that chrome should be allowed execute access on the nacl_helper_bootstrap file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep chrome /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
Target Context                system_u:object_r:usr_t:s0
Target Objects                /opt/google/chrome/nacl_helper_bootstrap [ file ]
Source                        chrome
Source Path                   /opt/google/chrome/chrome
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           google-chrome-unstable-16.0.891.0-102650
Target RPM Packages           google-chrome-unstable-16.0.891.0-102650
Policy RPM                    selinux-policy-3.9.16-38.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.40.3-0.fc15.x86_64 #1 SMP Tue Aug 16 04:10:59 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Mon 26 Sep 2011 10:44:27 PM EDT
Last Seen                     Mon 26 Sep 2011 10:44:27 PM EDT
Local ID                      981b682a-f34e-409e-88d5-c201e6050146

Raw Audit Messages
type=AVC msg=audit(1317091467.232:5039): avc: denied { execute } for pid=15196 comm="chrome" name="nacl_helper_bootstrap" dev=dm-2 ino=393920 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file

type=SYSCALL msg=audit(1317091467.232:5039): arch=x86_64 syscall=execve success=no exit=EACCES a0=7f5de1d4f6a8 a1=7f5de1d7c900 a2=7fff05e654f0 a3=7fff05e626f0 items=0 ppid=1 pid=15196 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Hash: chrome,chrome_sandbox_t,usr_t,file,execute

audit2allow

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t usr_t:file execute;

audit2allow -R

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t usr_t:file execute;
Can you tell us if there are other executables under /opt/google/chrome

ls -l /opt/google/chrome

Miroslav, I think we should just add

files_exec_usr_files(chrome_sandbox_t)
I am using Fedora 15 and this problem occurs with google-chrome-beta and google-chrome-unstable.

ls -l /opt/google/chrome | grep ^.r.x
-rwxr-xr-x. 1 root root 62758368 Sep 24 11:51 chrome
-rwxr-xr-x. 1 root root     1667 Sep 24 11:51 google-chrome
lrwxrwxrwx. 1 root root       18 Sep 28 21:56 libbz2.so.1.0 -> /lib64/libbz2.so.1
lrwxrwxrwx. 1 root root       18 Sep 28 21:56 libnspr4.so.0d -> /lib64/libnspr4.so
lrwxrwxrwx. 1 root root       21 Sep 28 21:56 libnss3.so.1d -> /usr/lib64/libnss3.so
lrwxrwxrwx. 1 root root       25 Sep 28 21:56 libnssutil3.so.1d -> /usr/lib64/libnssutil3.so
lrwxrwxrwx. 1 root root       17 Sep 28 21:56 libplc4.so.0d -> /lib64/libplc4.so
lrwxrwxrwx. 1 root root       18 Sep 28 21:56 libplds4.so.0d -> /lib64/libplds4.so
lrwxrwxrwx. 1 root root       23 Sep 28 21:56 libsmime3.so.1d -> /usr/lib64/libsmime3.so
lrwxrwxrwx. 1 root root       21 Sep 28 21:56 libssl3.so.1d -> /usr/lib64/libssl3.so
drwxr-xr-x. 2 root root     4096 Sep 28 21:56 locales
-rwxr-xr-x. 1 root root   752464 Sep 24 11:51 nacl_helper
-rwxr-xr-x. 1 root root    70136 Sep 24 11:51 nacl_helper_bootstrap
-rwxr-xr-x. 1 root root    37394 Sep 24 11:51 xdg-mime
-rwxr-xr-x. 1 root root    33273 Sep 24 11:51 xdg-settings
Fixed in selinux-policy-3.9.16-43.fc15
This is still happening on F16 with:

$ rpm -qi selinux-policy
Name        : selinux-policy
Version     : 3.10.0
Release     : 32.fc16
Architecture: noarch
(In reply to comment #3)
> Fixed in selinux-policy-3.9.16-43.fc15

I was hoping to test/use the fix but I can't find the version specified anywhere in koji and I can't find it in git either, so I can't even do a local build. Any chance of this being made available in either of those locations? Thanks
Do like this flow:

su root
sudo grep chrome /var/log/audit/audit.log | audit2allow -M mypol
sudo semodule -i mypol.pp

On my machine, it works.
But I know it's not the best solution..
chcon -t bin_t /opt/google/chrome/nacl_helper_bootstrap

Should allow /opt/google/chrome/chrome to execute /opt/google/chrome/nacl_helper_bootstrap
This is fixed in the latest F16 build also.
See https://bugzilla.redhat.com/show_bug.cgi?id=743325#c2
I just got this message after an update to Chrome Stable 15.0.874.102
2.6.35.14-97.fc14.x86_64

Message details:

SELinux is preventing /opt/google/chrome/chrome from execute access on the file nacl_helper_bootstrap.

*****  Plugin catchall_labels (83.8 confidence) suggests  ********************

If you want to allow chrome to have execute access on the nacl_helper_bootstrap file
Then you need to change the label on nacl_helper_bootstrap
Do
# semanage fcontext -a -t FILE_TYPE 'nacl_helper_bootstrap'
where FILE_TYPE is one of the following: execmem_exec_t, lib_t, abrt_helper_exec_t, ld_so_t, chrome_sandbox_exec_t, bin_t, textrel_shlib_t.
Then execute:
restorecon -v 'nacl_helper_bootstrap'

*****  Plugin catchall (17.1 confidence) suggests  ***************************

If you believe that chrome should be allowed execute access on the nacl_helper_bootstrap file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep chrome /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
Target Context                system_u:object_r:usr_t:s0
Target Objects                nacl_helper_bootstrap [ file ]
Source                        chrome
Source Path                   /opt/google/chrome/chrome
Port                          <Unknown>
Host                          XXXXXXX
Source RPM Packages           google-chrome-stable-15.0.874.102-106587
Target RPM Packages
Policy RPM                    selinux-policy-3.9.7-44.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     XXXXXXX
Platform                      Linux XXXXXXXX 2.6.35.14-97.fc14.x86_64 #1 SMP Sat Sep 17 00:15:37 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Tue 25 Oct 2011 09:41:49 PM PDT
Last Seen                     Tue 25 Oct 2011 09:41:49 PM PDT
Local ID                      3aae5d82-c6ff-4edd-b4b6-60c8e5d3a3b8

Raw Audit Messages
type=AVC msg=audit(1319604109.864:39401): avc: denied { execute } for pid=3494 comm="chrome" name="nacl_helper_bootstrap" dev=dm-0 ino=275554 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file

type=SYSCALL msg=audit(1319604109.864:39401): arch=x86_64 syscall=execve success=no exit=EACCES a0=7f534703b928 a1=7f5347050760 a2=7fff54004ba0 a3=7fff540009c0 items=0 ppid=1 pid=3494 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Hash: chrome,chrome_sandbox_t,usr_t,file,execute

audit2allow

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t usr_t:file execute;

audit2allow -R

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t usr_t:file execute;
Michael, could you open a new bug for F14.
Miroslav, this has been done. See bug 749208. Thanks.
(In reply to comment #6)
> do like flow:
> su root
> sudo grep chrome /var/log/audit/audit.log | audit2allow -M mypol
> sudo semodule -i mypol.pp
>
> in my machine,it works.
> but i know it's not the best solution..

In my system (F15 on x86_64, all the latest updates):

# grep chrome /var/log/audit/audit.log | audit2allow -M chrome
# semodule -i chrome.pp
libsepol.print_missing_requirements: chrome's global requirements were not met: type/attribute chrome_sandbox_exec_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule: Failed!

What is wrong here?
You never want to name the domain the same as the default domain. Basically you are replacing selinux-policy-targeted chrome.pp with your version.

This is why we always tell people to use the "my" prefix.

# grep chrome /var/log/audit/audit.log | audit2allow -M mychrome
# semodule -i mychrome.pp
(In reply to comment #14)
> You never want to name the domain with the same as the default domain.
> Basically you are replacing selinux-policy-targeted chrome.pp with your
> version.
>
> This is why we always tell people to use my prefix.
>
> # grep chrome /var/log/audit/audit.log | audit2allow -M mychrome
>
> # semodule -i mychrome.pp

Thanks! That explains it.
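The audit2allow workflow from comments 6 and 13 and the module-naming trap explained in comment 14, as an added shell example that is not part of this bug report: it derives the same `allow chrome_sandbox_t usr_t:file execute;` rule from a constructed AVC line and checks a proposed `-M` name against a constructed list of installed modules (the real list would come from `semodule -l`).

```shell
#!/bin/sh
# Added example, not from this bug report: summarise an AVC denial the way
# audit2allow does, and reject a local module name that would replace an
# installed module (naming it "chrome" shadowed the distribution's chrome.pp).

# Constructed sample, modelled on the raw audit message in this report.
SAMPLE_AVC='type=AVC msg=audit(1317091467.232:5039): avc:  denied  { execute } for pid=15196 comm="chrome" name="nacl_helper_bootstrap" dev=dm-2 ino=393920 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file'

# Constructed stand-in for the output of: semodule -l | awk '{print $1}'
SAMPLE_MODULES='abrt
chrome
mozilla
unconfined'

# ctx_type CONTEXT -> the type field of user:role:type[:range].
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# avc_summary LINE -> "SRC_TYPE TGT_TYPE TCLASS PERMS..."
avc_summary() {
    perms=$(printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//')
    src=$(ctx_type "$(printf '%s\n' "$1" | sed -n 's/.* scontext=\([^ ]*\).*/\1/p')")
    tgt=$(ctx_type "$(printf '%s\n' "$1" | sed -n 's/.* tcontext=\([^ ]*\).*/\1/p')")
    tclass=$(printf '%s\n' "$1" | sed -n 's/.* tclass=\([^ ]*\).*/\1/p')
    printf '%s %s %s %s\n' "$src" "$tgt" "$tclass" "$perms"
}

# allow_rule LINE -> the TE rule audit2allow would emit for that denial.
allow_rule() {
    set -- $(avc_summary "$1")
    src=$1; tgt=$2; tclass=$3; shift 3
    if [ $# -gt 1 ]; then printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$tclass" "$*"
    else printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$tclass" "$1"; fi
}

# module_name_ok NAME MODULE_LIST -> 0 unless NAME is already an installed
# module; semodule -i would silently replace that module with the local one.
module_name_ok() {
    printf '%s\n' "$2" | grep -qx -- "$1" && return 1
    return 0
}

# Demonstration on the constructed inputs.
avc_summary "$SAMPLE_AVC"
allow_rule "$SAMPLE_AVC"
for name in chrome mychrome; do
    if module_name_ok "$name" "$SAMPLE_MODULES"; then echo "$name: safe to use with audit2allow -M"
    else echo "$name: would replace the installed '$name' module; use a my-prefixed name"; fi
done
```

On a live system pass `"$(semodule -l | awk '{print $1}')"` as the second argument of `module_name_ok` instead of the constructed list.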
selinux-policy-3.9.16-48.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-48.fc15
Package selinux-policy-3.9.16-48.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-48.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-16023/selinux-policy-3.9.16-48.fc15
then log in and leave karma (feedback).
selinux-policy-3.9.16-48.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.