Bug 749644 - SELinux is preventing /opt/google/chrome/chrome from 'execmod' accesses on the file /opt/google/chrome/libffmpegsumo.so.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 15
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:2fcb4744f0a...
Depends On:
Blocks:
Reported: 2011-10-27 19:01 UTC by Arif Tri Waluyo
Modified: 2011-12-04 02:37 UTC

Fixed In Version: selinux-policy-3.9.16-48.fc15
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-04 02:37:56 UTC
Type: ---



Description Arif Tri Waluyo 2011-10-27 19:01:47 UTC
SELinux is preventing /opt/google/chrome/chrome from 'execmod' accesses on the file /opt/google/chrome/libffmpegsumo.so.

*****  Plugin allow_execmod (91.4 confidence) suggests  **********************

If you want to allow chrome to have execmod access on the libffmpegsumo.so file
Then you need to change the label on '/opt/google/chrome/libffmpegsumo.so'
Do
# semanage fcontext -a -t textrel_shlib_t '/opt/google/chrome/libffmpegsumo.so'
# restorecon -v '/opt/google/chrome/libffmpegsumo.so'

*****  Plugin catchall (9.59 confidence) suggests  ***************************

If you believe that chrome should be allowed execmod access on the libffmpegsumo.so file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep chrome /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
                              0.c1023
Target Context                system_u:object_r:bin_t:s0
Target Objects                /opt/google/chrome/libffmpegsumo.so [ file ]
Source                        chrome
Source Path                   /opt/google/chrome/chrome
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           google-chrome-stable-15.0.874.106-107270
Target RPM Packages           google-chrome-stable-15.0.874.106-107270
Policy RPM                    selinux-policy-3.9.16-44.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.40.6-0.fc15.i686 #1 SMP Tue
                              Oct 4 00:51:19 UTC 2011 i686 i686
Alert Count                   1
First Seen                    Fri 28 Oct 2011 02:01:11 AM WIT
Last Seen                     Fri 28 Oct 2011 02:01:11 AM WIT
Local ID                      a3af249b-ba50-4c2c-8433-372413e9d335

Raw Audit Messages
type=AVC msg=audit(1319742071.199:91): avc:  denied  { execmod } for  pid=3537 comm="chrome" path="/opt/google/chrome/libffmpegsumo.so" dev=sda1 ino=407771 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file


type=SYSCALL msg=audit(1319742071.199:91): arch=i386 syscall=mprotect success=no exit=EACCES a0=167e4000 a1=22c000 a2=5 a3=bfaef160 items=0 ppid=0 pid=3537 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Hash: chrome,chrome_sandbox_t,bin_t,file,execmod

audit2allow

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t bin_t:file execmod;

audit2allow -R

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t bin_t:file execmod;

Comment 1 Daniel Walsh 2011-10-28 12:49:32 UTC
Miroslav, we need to backport all of the changes made in Rawhide/F16 into F15 and RHEL6.

Comment 2 Miroslav Grepl 2011-10-31 14:10:40 UTC
Fixed in selinux-policy-3.9.16-46.fc15

Comment 3 Jon S 2011-11-05 11:22:39 UTC
Not working in FC16 RC5.

Comment 4 Jens Petersen 2011-11-07 02:24:02 UTC
I see this on F16 with selinux-policy-3.10.0-51.fc16.

Comment 5 Miroslav Grepl 2011-11-07 10:55:04 UTC
What does

# matchpathcon /opt/google/chrome/libffmpegsumo.so

# ls -Z /opt/google/chrome/libffmpegsumo.so


Also try to install the latest policy build from koji.

Comment 6 Jon S 2011-11-07 19:53:09 UTC
I have messed with sepolicy a bit (as suggested by the setroubleshooter), but anyways:

/opt/google/chrome/libffmpegsumo.so	system_u:object_r:textrel_shlib_t:s0


-rw-r--r--. root root system_u:object_r:textrel_shlib_t:s0 /opt/google/chrome/libffmpegsumo.so

Also, I'm not currently getting the report (could have been the actions I took)

Comment 7 Daniel Walsh 2011-11-07 21:25:41 UTC
Well that is the right label and should have fixed the problem.

Comment 8 Jon S 2011-11-07 21:57:30 UTC
OK, have another RC5 system on test (64bit) so will also check on that, as don't think I messed with it. I think it just got a sepolicy update through yum though... will let you know.

Comment 9 Jens Petersen 2011-11-08 01:54:28 UTC
(In reply to comment #5)
> What does
> # matchpathcon /opt/google/chrome/libffmpegsumo.so
> # ls -Z /opt/google/chrome/libffmpegsumo.so

$ rpm -q selinux-policy
selinux-policy-3.10.0-51.fc16.noarch
$ matchpathcon /opt/google/chrome/libffmpegsumo.so
/opt/google/chrome/libffmpegsumo.so	system_u:object_r:bin_t:s0
$ ls -Z /opt/google/chrome/libffmpegsumo.so
-rw-r--r--. root root system_u:object_r:bin_t:s0       /opt/google/chrome/libffmpegsumo.so

> Also try to install the latest policy build from koji.

Ok:

$ rpm -q selinux-policy
selinux-policy-3.10.0-55.fc16.noarch
$ matchpathcon /opt/google/chrome/libffmpegsumo.so
/opt/google/chrome/libffmpegsumo.so	system_u:object_r:textrel_shlib_t:s0
$ ls -Z /opt/google/chrome/libffmpegsumo.so
-rw-r--r--. root root system_u:object_r:textrel_shlib_t:s0 /opt/google/chrome/libffmpegsumo.so

Ok, thanks, that seems to fix the problem for me.

Dunno if this was an install order issue?
I guess I installed chrome after selinux-policy-3.10.0-51.fc16,
or maybe the latest changes in -55.fc16 helped.

Comment 10 colesen 2011-11-15 11:21:03 UTC
Just chiming in that my Fedora 16 fully up to date exhibits this issue.

Comment 11 Daniel Walsh 2011-11-15 14:11:29 UTC
Run restorecon on /opt.  restorecon -R -v /opt

Comment 12 Slawomir Czarko 2011-11-15 17:13:19 UTC
(In reply to comment #11)
> Run restorecon on /opt.  restorecon -R -v /opt

On Fedora 15 this doesn't help.

Comment 13 colesen 2011-11-15 17:23:53 UTC
(In reply to comment #11)
> Run restorecon on /opt.  restorecon -R -v /opt

Thanks. I see from the man page that you wrote restorecon and I ran it on my Fedora 16 i.e.
sudo restorecon -R -v /opt
and now the complaint no longer shows on chrome launch which now also is much
quicker.
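
The label check from comments 5, 9 and 11, written as a small triage script. This is an added example, not part of the bug report or of any Fedora tool; the function names and status words are made up here, and it assumes textrel_shlib_t is the wanted type, as the setroubleshoot alert suggests.

```shell
#!/bin/sh
# Added example (not from the bug report): triage of the label check
# Assumption: textrel_shlib_t is the required type, per the setroubleshoot alert.
REQUIRED_TYPE=textrel_shlib_t

# Print the type field (user:role:type:level) of the first SELinux context
# found in a line of `matchpathcon` or `ls -Z` output.
selinux_type() (
    printf '%s\n' "$1" | tr ' \t' '\n\n' |
        awk -F: 'NF >= 4 && $2 ~ /_r$/ { print $3; exit }'
)

# label_status MATCHPATHCON_LINE LS_Z_LINE
# Prints one of: ok, restorecon, update-policy, unparsed.
label_status() (
    want=$(selinux_type "$1")   # label the loaded policy assigns to the path
    have=$(selinux_type "$2")   # label actually stored on the file
    if [ -z "$want" ] || [ -z "$have" ]; then
        echo unparsed
    elif [ "$want" != "$REQUIRED_TYPE" ]; then
        # The policy itself still maps the path to another type, so restorecon
        # would only re-apply that type: update selinux-policy or add a local rule.
        echo update-policy
    elif [ "$have" != "$want" ]; then
        # Policy is right but the file was never relabeled: restorecon fixes it.
        echo restorecon
    else
        echo ok
    fi
)

# Live check on an SELinux host, using the two commands from comment 5.
check_path() (
    label_status "$(matchpathcon "$1")" "$(ls -Z "$1")"
)

# Sample lines copied from comment 9; the "new policy, file bin_t" pairing is constructed.
LIB=/opt/google/chrome/libffmpegsumo.so
OLD_POLICY=$(printf '%s\t%s' "$LIB" 'system_u:object_r:bin_t:s0')
NEW_POLICY=$(printf '%s\t%s' "$LIB" 'system_u:object_r:textrel_shlib_t:s0')
DISK_BIN="-rw-r--r--. root root system_u:object_r:bin_t:s0       $LIB"
DISK_TEXTREL="-rw-r--r--. root root system_u:object_r:textrel_shlib_t:s0 $LIB"

echo "policy -51, file bin_t:      $(label_status "$OLD_POLICY" "$DISK_BIN")"
echo "new policy, file bin_t:      $(label_status "$NEW_POLICY" "$DISK_BIN")"
echo "new policy, file relabeled:  $(label_status "$NEW_POLICY" "$DISK_TEXTREL")"
```

On an SELinux host, `check_path /opt/google/chrome/libffmpegsumo.so` runs the same triage against the live policy and file. Fixing the label on this one library is narrower than loading the audit2allow rule from the description, which would allow chrome_sandbox_t execmod on every file labeled bin_t.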

Comment 14 Daniel Walsh 2011-11-16 14:18:43 UTC
selinux-policy-3.9.16-46.fc15.src.rpm  has these fixes for F15.

Comment 15 Fedora Update System 2011-11-16 16:19:32 UTC
selinux-policy-3.9.16-48.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-48.fc15

Comment 16 Fedora Update System 2011-11-17 23:38:01 UTC
Package selinux-policy-3.9.16-48.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-48.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-16023/selinux-policy-3.9.16-48.fc15
then log in and leave karma (feedback).

Comment 17 Fedora Update System 2011-12-04 02:37:56 UTC
selinux-policy-3.9.16-48.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

