Bug 823106 - SELinux is preventing chrome from executing /opt/google/chrome/nacl_helper_bootstrap.
Summary: SELinux is preventing chrome from executing /opt/google/chrome/nacl_helper_bo...
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:ec639da9857...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-05-19 06:47 UTC by Umesh Sharma
Modified: 2012-05-21 08:10 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-05-21 08:10:38 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Umesh Sharma 2012-05-19 06:47:18 UTC 
Summary:

SELinux is preventing chrome from executing
/opt/google/chrome/nacl_helper_bootstrap.

Detailed Description:

SELinux has denied the chrome from executing
/opt/google/chrome/nacl_helper_bootstrap. If chrome is supposed to be able to
execute /opt/google/chrome/nacl_helper_bootstrap, this could be a labeling
problem. Most confined domains are allowed to execute files labeled bin_t. So
you could change the labeling on this file to bin_t and retry the application.
If this chrome is not supposed to execute
/opt/google/chrome/nacl_helper_bootstrap, this could signal an intrusion
attempt.

Allowing Access:

If you want to allow chrome to execute /opt/google/chrome/nacl_helper_bootstrap:
chcon -t bin_t '/opt/google/chrome/nacl_helper_bootstrap' If this fix works,
please update the file context on disk, with the following command: semanage
fcontext -a -t bin_t '/opt/google/chrome/nacl_helper_bootstrap' Please specify
the full path to the executable, Please file a bug report to make sure this
becomes the default labeling.

Additional Information:

Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
                              0.c1023
Target Context                system_u:object_r:usr_t:s0
Target Objects                /opt/google/chrome/nacl_helper_bootstrap [ file ]
Source                        chrome
Source Path                   chrome
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           google-chrome-stable-18.0.1025.168-134367
Policy RPM                    selinux-policy-3.6.32-127.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   execute
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.32.26-175.fc12.x86_64 #1 SMP Wed Dec 1
                              21:39:34 UTC 2010 x86_64 x86_64
Alert Count                   2
First Seen                    Fri 11 May 2012 10:00:15 AM IST
Last Seen                     Fri 11 May 2012 10:00:15 AM IST
Local ID                      307cf91b-50a0-4c1d-b94d-df4d9cbf386b
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1336710615.297:15): avc:  denied  { execute_no_trans } for  pid=2419 comm="chrome" path="/opt/google/chrome/nacl_helper_bootstrap" dev=dm-0 ino=658461 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file



Hash String generated from  execute,chrome,chrome_sandbox_t,usr_t,file,execute_no_trans
audit2allow suggests:

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t usr_t:file execute_no_trans;
Comment 1 Miroslav Grepl 2012-05-21 08:10:38 UTC 
F12 is no longer supported. Please use a newer version of Fedora.
Note You need to log in before you can comment on or make changes to this bug.