SELinux is preventing /opt/google/chrome/chrome from 'execute_no_trans' accesses on the file /opt/google/chrome/nacl_helper_bootstrap.

***** Plugin restorecon (99.5 confidence) suggests *************************

If you want to fix the label.
/opt/google/chrome/nacl_helper_bootstrap default label should be usr_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /opt/google/chrome/nacl_helper_bootstrap

***** Plugin catchall (1.49 confidence) suggests ***************************

If you believe that chrome should be allowed execute_no_trans access on the nacl_helper_bootstrap file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep chrome /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
Target Context                system_u:object_r:chrome_sandbox_exec_t:s0
Target Objects                /opt/google/chrome/nacl_helper_bootstrap [ file ]
Source                        chrome
Source Path                   /opt/google/chrome/chrome
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           google-chrome-beta-15.0.874.51-102895
Target RPM Packages           google-chrome-beta-15.0.874.51-102895
Policy RPM                    selinux-policy-3.9.16-38.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.40.4-5.fc15.x86_64 #1 SMP Tue Aug 30 14:38:32 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 28 Sep 2011 06:05:11 AM CDT
Last Seen                     Wed 28 Sep 2011 06:05:11 AM CDT
Local ID                      47d48e8c-ac30-4523-a71b-1dff57c8b356

Raw Audit Messages
type=AVC msg=audit(1317207911.326:95): avc: denied { execute_no_trans } for pid=2388 comm="chrome" path="/opt/google/chrome/nacl_helper_bootstrap" dev=dm-1 ino=2097218 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chrome_sandbox_exec_t:s0 tclass=file

type=SYSCALL msg=audit(1317207911.326:95): arch=x86_64 syscall=execve success=no exit=EACCES a0=7fa9814cb928 a1=7fa9814e0ea0 a2=7fffbc44c660 a3=7fffbc449860 items=0 ppid=1 pid=2388 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Hash: chrome,chrome_sandbox_t,chrome_sandbox_exec_t,file,execute_no_trans

audit2allow

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t chrome_sandbox_exec_t:file execute_no_trans;

audit2allow -R

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t chrome_sandbox_exec_t:file execute_no_trans;
This looks like you changed the context to chrome_sandbox_exec_t; it should probably be bin_t. Are there other executables in this directory?

chcon -t bin_t /opt/google/chrome/nacl_helper_bootstrap

Should fix the problem.
That did not fix it. It seems odd that the SELinux error refers to "nacl_helper_boo" when the full name of the file is "nacl_helper_bootstrap". In any case the above suggestion did not work. I started to get this error last night when a new Google Chrome Beta (v15) was pushed out/updated. I removed and installed the unstable version of Google Chrome (v16) and it still happens. After following the suggested comment in the SELinux troubleshooting tool it's working now without the annoying error. I'm not sure why it started in the first place though; is it a Chrome bug or a SELinux bug?

-----

SELinux is preventing nacl_helper_boo from mmap_zero access on the memprotect Unknown.

Plugin: catchall

you want to allow nacl_helper_boo to have mmap_zero access on the Unknown memprotect

If you believe that nacl_helper_boo should be allowed mmap_zero access on the Unknown memprotect by default.
You should report this as a bug.
You can generate a local policy module to allow this access.
Allow this access for now by executing:
# grep nacl_helper_boo /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Well, it did fix it, in order to get it to move further down the food chain. We will not allow mmap_zero since this is a very dangerous access. You will need to take this up with the chrome people.

http://eparis.livejournal.com/

explains a little bit of the problem with mmap_zero. This is something chrome should definitely not need, especially within a sandboxed application.

If you want SELinux to just stop blocking chrome execution, you can execute

setsebool -P unconfined_chrome_sandbox_transition 0

which will just allow chrome sandbox to run without SELinux confinement.

You never answered my question about binaries in that directory?

Oh, the shortened name actually comes from the kernel; that is the name the kernel told us. I think the kernel has a max length that it will report in an AVC.
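The raw audit messages in the report and the maintainer's point about mmap_zero both come down to reading an AVC record and deciding whether the right response is a relabel, an allow rule, or "do not allow, report upstream". The following script is an added example (not code from this bug, from setroubleshoot, or from the selinux-policy package) that parses AVC lines like the ones quoted above, extracts source/target types, class and permissions, prints the rule audit2allow would generate, and triages each denial. The mmap_zero record in the sample log is constructed to match the troubleshooter text in the follow-up comment; the never-allow list and the advice strings are the author's choices, not policy from the page.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the AVC line quoted in this report, an abridged
# SYSCALL record (non-AVC records must be skipped), and a constructed mmap_zero
# denial modelled on the second troubleshooter message in the thread.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1317207911.326:95): avc:  denied  { execute_no_trans } for  pid=2388 comm="chrome" path="/opt/google/chrome/nacl_helper_bootstrap" dev=dm-1 ino=2097218 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chrome_sandbox_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1317207911.326:95): arch=x86_64 syscall=execve success=no exit=EACCES pid=2388 comm=chrome exe=/opt/google/chrome/chrome
type=AVC msg=audit(1317208000.000:96): avc:  denied  { mmap_zero } for  pid=2401 comm="nacl_helper_boo" scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tclass=memprotect
"""

# Matches the fixed prefix of an AVC record; everything after "for" is key=value.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$"
)
# key=value pairs; values are either "quoted" (comm, path) or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Class/permission pairs that should stay denied no matter what audit2allow
# offers. mmap_zero is the one named in this thread (assumption: the list is
# the author's, not taken from any published policy).
NEVER_ALLOW = {("memprotect", "mmap_zero")}


@dataclass
class AvcRecord:
    serial: int
    result: str
    perms: list
    fields: dict

    @property
    def source_type(self):
        # scontext is user:role:type[:range]; the type is the third element.
        return self.fields["scontext"].split(":")[2]

    @property
    def target_type(self):
        return self.fields["tcontext"].split(":")[2]

    @property
    def tclass(self):
        return self.fields["tclass"]


def parse_avc_records(text):
    """Return AvcRecord objects for every type=AVC line; other record types are ignored."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line.strip())
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
        records.append(AvcRecord(int(m.group("serial")), m.group("result"),
                                 m.group("perms").split(), fields))
    return records


def allow_rule(rec):
    """The rule audit2allow would emit for this record (same form as in the report)."""
    perms = rec.perms[0] if len(rec.perms) == 1 else "{ " + " ".join(rec.perms) + " }"
    return f"allow {rec.source_type} {rec.target_type}:{rec.tclass} {perms};"


def triage(rec):
    """Return (verdict, advice). Verdicts: block, relabel, review."""
    for perm in rec.perms:
        if (rec.tclass, perm) in NEVER_ALLOW:
            return ("block", f"{perm} on {rec.tclass} must stay denied; take it up with the application vendor")
    # An execute_no_trans denial on a *_exec_t file usually means the file carries
    # an entrypoint label it should not have (the restorecon plugin's case above).
    if rec.tclass == "file" and "execute_no_trans" in rec.perms and rec.target_type.endswith("_exec_t"):
        path = rec.fields.get("path", "<unknown path>")
        return ("relabel", f"{path} is labelled {rec.target_type}; compare with matchpathcon and restorecon -n before writing any allow rule")
    return ("review", "run audit2allow -w on the record to see why policy denies it before allowing")


if __name__ == "__main__":
    for rec in parse_avc_records(SAMPLE_AUDIT_LOG):
        verdict, advice = triage(rec)
        print(f"serial {rec.serial}: {allow_rule(rec)}")
        print(f"  -> {verdict}: {advice}")
```

Run it on a real log with `parse_avc_records(open('/var/log/audit/audit.log').read())`; the point of `triage` is that a record reaching `audit2allow` is not automatically a record that should be allowed, which is exactly the distinction drawn between the execute_no_trans and mmap_zero denials in this thread.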
See https://bugzilla.redhat.com/show_bug.cgi?id=743325#c2

As to the question about /opt/google/chrome/, these executable files reside there:

/opt/google/chrome/chrome
/opt/google/chrome/chrome-sandbox
/opt/google/chrome/nacl_helper_bootstrap
/opt/google/chrome/google-chrome
/opt/google/chrome/xdg-mime
/opt/google/chrome/xdg-settings

The latter three are shell scripts, the former three are binaries. (I omitted /opt/google/chrome/nacl_helper, which is a PIE and has its execute bit set, but is not actually directly executed; it's loaded by nacl_helper_bootstrap, so it is effectively treated as a DSO from the kernel perspective.)
Labeled all files in this directory as bin_t, turned on chrome-sandbox transition by default and dontaudit mmap_zero.

Fixed in selinux-policy-3.10.0-40.fc16
selinux-policy-3.9.16-48.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-48.fc15
Package selinux-policy-3.9.16-48.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-48.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-16023/selinux-policy-3.9.16-48.fc15
then log in and leave karma (feedback).
selinux-policy-3.9.16-48.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.