Bug 741893 - SELinux is preventing /opt/google/chrome/chrome from 'execute_no_trans' accesses on the file /opt/google/chrome/nacl_helper_bootstrap.
Summary: SELinux is preventing /opt/google/chrome/chrome from 'execute_no_trans' acces...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 15
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:d00aa748114...
Depends On:
Blocks:
Reported: 2011-09-28 11:07 UTC by Nicholas Cancelliere
Modified: 2011-12-04 02:36 UTC (History)

Fixed In Version: selinux-policy-3.9.16-48.fc15
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-04 02:36:36 UTC
Type: ---
Embargoed:



Description Nicholas Cancelliere 2011-09-28 11:07:03 UTC
SELinux is preventing /opt/google/chrome/chrome from 'execute_no_trans' accesses on the file /opt/google/chrome/nacl_helper_bootstrap.

*****  Plugin restorecon (99.5 confidence) suggests  *************************

If you want to fix the label. 
/opt/google/chrome/nacl_helper_bootstrap default label should be usr_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /opt/google/chrome/nacl_helper_bootstrap

*****  Plugin catchall (1.49 confidence) suggests  ***************************

If you believe that chrome should be allowed execute_no_trans access on the nacl_helper_bootstrap file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep chrome /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
Target Context                system_u:object_r:chrome_sandbox_exec_t:s0
Target Objects                /opt/google/chrome/nacl_helper_bootstrap [ file ]
Source                        chrome
Source Path                   /opt/google/chrome/chrome
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           google-chrome-beta-15.0.874.51-102895
Target RPM Packages           google-chrome-beta-15.0.874.51-102895
Policy RPM                    selinux-policy-3.9.16-38.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.40.4-5.fc15.x86_64 #1 SMP Tue Aug 30 14:38:32 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 28 Sep 2011 06:05:11 AM CDT
Last Seen                     Wed 28 Sep 2011 06:05:11 AM CDT
Local ID                      47d48e8c-ac30-4523-a71b-1dff57c8b356

Raw Audit Messages
type=AVC msg=audit(1317207911.326:95): avc:  denied  { execute_no_trans } for  pid=2388 comm="chrome" path="/opt/google/chrome/nacl_helper_bootstrap" dev=dm-1 ino=2097218 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chrome_sandbox_exec_t:s0 tclass=file


type=SYSCALL msg=audit(1317207911.326:95): arch=x86_64 syscall=execve success=no exit=EACCES a0=7fa9814cb928 a1=7fa9814e0ea0 a2=7fffbc44c660 a3=7fffbc449860 items=0 ppid=1 pid=2388 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Hash: chrome,chrome_sandbox_t,chrome_sandbox_exec_t,file,execute_no_trans

audit2allow

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t chrome_sandbox_exec_t:file execute_no_trans;

audit2allow -R

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t chrome_sandbox_exec_t:file execute_no_trans;

Comment 1 Daniel Walsh 2011-09-28 15:09:16 UTC
This looks like you changed the context to chrome_sandbox_exec_t, it should probably be bin_t.  Are there other executables in this directory?

chcon -t bin_t /opt/google/chrome/nacl_helper_bootstrap

Should fix the problem

Comment 2 Nicholas Cancelliere 2011-09-29 00:59:53 UTC
That did not fix it.  It seems odd that the SELinux error refers to "nacl_helper_boo" when the full name of the file is "nacl_helper_bootstrap".

In any case the above suggestion did not work.  I started to get this error last night when a new Google Chrome Beta (v15) was pushed out/updated.  I removed and installed the unstable version of Google Chrome (v16) and it still happens.

After following the suggested comment in the SELinux troubleshooting tool it's working now without the annoying error.  I'm not sure why it started in the first place though; is it a Chrome bug or a SELinux bug?

-----
SELinux is preventing nacl_helper_boo from mmap_zero access on the memprotect Unknown.

Plugin: catchall
If you believe that nacl_helper_boo should be allowed mmap_zero access on the Unknown memprotect by default.
You should report this as a bug.
You can generate a local policy module to allow this access.
Allow this access for now by executing:
# grep nacl_helper_boo /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Comment 3 Daniel Walsh 2011-09-29 14:23:35 UTC
Well it did fix it, in order to get it to move further down the food chain.  We will not allow mmap_zero since this is a very dangerous access.  You will need to take this up with the chrome people.

http://eparis.livejournal.com/

Explains a little bit of the problem with mmap_zero.  This is something chrome should definitely not need, especially within a sandboxed application.

If you want SELinux to just stop blocking chrome execution, you can execute

setsebool -P unconfined_chrome_sandbox_transition 0

Which will just allow chrome sandbox to run without SELinux confinement.

You never answered my questions about binaries in that directory?

Oh, the shortened name actually comes from the kernel; that is the name the kernel told us.  I think the kernel has a max length that it will report in an AVC.
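
As an added example (not part of this bug report or of the selinux-policy package), a small Python triage script that parses AVC records like the ones quoted above and separates a denial that is usually a labeling problem (execute_no_trans on a file) from one that should never be granted by a local module (mmap_zero, as comment 3 explains). The sample audit lines are constructed from this report; the mmap_zero record is a reconstruction, since only setroubleshoot's summary of it appears here.

```python
import re
from typing import Optional

# Constructed sample in audit.log format: the execute_no_trans AVC quoted in this
# bug, plus the later mmap_zero denial from comment 2 rebuilt as a raw record
# (the report only shows setroubleshoot's summary of it).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1317207911.326:95): avc:  denied  { execute_no_trans } for  pid=2388 comm="chrome" path="/opt/google/chrome/nacl_helper_bootstrap" dev=dm-1 ino=2097218 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chrome_sandbox_exec_t:s0 tclass=file
type=AVC msg=audit(1317207950.001:96): avc:  denied  { mmap_zero } for  pid=2401 comm="nacl_helper_boo" scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tclass=memprotect
"""

AVC_RE = re.compile(r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Never granted just to silence an alert: mapping address zero undermines the
# kernel's NULL-pointer-dereference mitigation (comment 3 calls it very dangerous).
HIGH_RISK_PERMS = {"mmap_zero"}

# The kernel keeps comm in a 16-byte buffer, so names are cut to 15 characters
# (which is why the AVC says "nacl_helper_boo", as comment 3 notes).
COMM_MAX = 15

def parse_avc(line: str) -> Optional[dict]:
    m = AVC_RE.search(line)
    if not m:
        return None  # SYSCALL and other record types are skipped
    rec = {"perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec

def triage(rec: dict) -> str:
    perms = set(rec["perms"])
    if perms & HIGH_RISK_PERMS:
        return "escalate"   # report to the vendor or dontaudit; no audit2allow
    if rec.get("tclass") == "file" and "execute_no_trans" in perms:
        # A confined domain executing a file type it has no rule for is usually
        # a mislabeled file: compare the on-disk type with the policy default.
        return "relabel"
    return "review"

def triage_log(text: str) -> list:
    """One (comm, comm_truncated, source type, target type, perms, verdict) per AVC."""
    rows = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        comm = rec.get("comm", "?")
        src_type = rec["scontext"].split(":")[2]   # user:role:type:range -> type
        tgt_type = rec["tcontext"].split(":")[2]
        rows.append((comm, len(comm) >= COMM_MAX, src_type, tgt_type,
                     " ".join(rec["perms"]), triage(rec)))
    return rows
```

Run against a real /var/log/audit/audit.log excerpt, any "relabel" row is a cue to run matchpathcon or restorecon on the target path before touching policy, while an "escalate" row should go upstream as this bug did.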

Comment 4 Roland McGrath 2011-10-08 22:56:07 UTC
See https://bugzilla.redhat.com/show_bug.cgi?id=743325#c2

As to the question about /opt/google/chrome/, these executable files reside there:

/opt/google/chrome/chrome
/opt/google/chrome/chrome-sandbox
/opt/google/chrome/nacl_helper_bootstrap
/opt/google/chrome/google-chrome
/opt/google/chrome/xdg-mime
/opt/google/chrome/xdg-settings

The latter three are shell scripts, the former three are binaries.
(I omitted /opt/google/chrome/nacl_helper, which is a PIE and has its execute bit set, but is not actually directly executed, it's loaded by nacl_helper_bootstrap--so it is effectively treated as a DSO from the kernel perspective.)

Comment 5 Daniel Walsh 2011-10-11 18:14:55 UTC
Labeled all files in this directory as bin_t, turned on chrome-sandbox transition by default and dontaudit mmap_zero.

Fixed in selinux-policy-3.10.0-40.fc16

Comment 6 Fedora Update System 2011-11-16 16:18:20 UTC
selinux-policy-3.9.16-48.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-48.fc15

Comment 7 Fedora Update System 2011-11-17 23:36:40 UTC
Package selinux-policy-3.9.16-48.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-48.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-16023/selinux-policy-3.9.16-48.fc15
then log in and leave karma (feedback).

Comment 8 Fedora Update System 2011-12-04 02:36:36 UTC
selinux-policy-3.9.16-48.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

