With my Fedora 15 64bit this problem never appears; with other Fedora systems it seems to be present.<br><br><blockquote style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;" class="gmail_quote">
$ ls -Z /opt/google/chrome/chrome<br>-rwxr-xr-x. root root system_u:object_r:execmem_exec_t:s0 /opt/google/chrome/chrome<br>$ ls -Z /opt/google/chrome/chrome-sandbox<br>-rwsr-xr-x. root root system_u:object_r:chrome_sandbox_exec_t:s0 /opt/google/chrome/chrome-sandbox<br>
$ getsebool -a | grep chrome<br>$ getsebool -a | grep exe<br>allow_execheap --> off<br>allow_execmem --> on<br>allow_execmod --> off<br>allow_execstack --> off<br>allow_guest_exec_content --> off<br>allow_java_execstack --> off<br>
allow_mplayer_execstack --> off<br>allow_nsplugin_execmem --> on<br>allow_staff_exec_content --> on<br>allow_sysadm_exec_content --> on<br>allow_user_exec_content --> on<br>allow_xguest_exec_content --> on<br>
allow_xserver_execmem --> off<br>dhcpc_exec_iptables --> off<br>httpd_execmem --> off<br>httpd_ssi_exec --> off<br>httpd_tmp_exec --> off<br>xdm_exec_bootloader --> off<br></blockquote><br>If I change the execmem boolean to off, SELinux reports an AVC message (in the attachment).<br>
I do not understand ...<br><br><div class="gmail_quote">2011/9/25 <span dir="ltr"><<a href="mailto:selinux-request@lists.fedoraproject.org">selinux-request@lists.fedoraproject.org</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Today's Topics:<br>
<br>
1. execmod access to '/opt/google/chrome/chrome' file<br>
(Antonio Trande)<br>
2. Re: execmod access to '/opt/google/chrome/chrome' file<br>
(Dominick Grift)<br>
3. Re: execmod access to '/opt/google/chrome/chrome' file<br>
(Trevor Hemsley)<br>
4. httpd_sys_content_rw_t (Vadym Chepkov)<br>
5. Re: httpd_sys_content_rw_t (Vadym Chepkov)<br>
6. Re: List of avc for fedora 16 (David Highley)<br>
7. Re: List of avc for fedora 16 (Dominick Grift)<br>
8. Re: httpd_sys_content_rw_t (Dominick Grift)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Sat, 24 Sep 2011 16:06:31 +0200<br>
From: Antonio Trande <<a href="mailto:anto.trande@gmail.com">anto.trande@gmail.com</a>><br>
Subject: execmod access to '/opt/google/chrome/chrome' file<br>
To: <a href="mailto:selinux@lists.fedoraproject.org">selinux@lists.fedoraproject.org</a><br>
Message-ID:<br>
<CAATtwDXHkAbZAGgLkU7j7OY7HeLvx+5EnrniTEfOF2Q=<a href="mailto:eJ5qwA@mail.gmail.com">eJ5qwA@mail.gmail.com</a>><br>
Content-Type: text/plain; charset="iso-8859-1"<br>
<br>
This problem has appeared with the chrome executable:<br>
<br>
SELinux is preventing /opt/google/chrome/chrome from execmod access on the file<br>
/opt/google/chrome/chrome.<br>
<br>
setroubleshoot suggests changing the label on<br>
'/opt/google/chrome/chrome' to the textrel_shlib_t type, or allowing<br>
chrome to have execmod access on the chrome file.<br>
But it does not always happen (never to me).<br>
<br>
Could you give more info about this behavior?<br>
<br>
Thanks.<br>
<br>
<br>
<br>
--<br>
Antonio Trande<br>
"Fedora Ambassador"<br>
<br>
mail: <a href="mailto:sagitter@fedoraproject.org">sagitter@fedoraproject.org</a><br>
Homepage: <a href="http://www.fedora-os.org" target="_blank">http://www.fedora-os.org</a><br>
Sip Address: sip:sagitter AT <a href="http://ekiga.net" target="_blank">ekiga.net</a><br>
Jabber (<a href="http://jabber.org/" target="_blank">http://jabber.org/</a>): sagitter AT <a href="http://jabber.org" target="_blank">jabber.org</a><br>
GPG Key: CFE3479C<br>
<br>
------------------------------<br>
<br>
Message: 2<br>
Date: Sat, 24 Sep 2011 16:23:29 +0200<br>
From: Dominick Grift <<a href="mailto:dominick.grift@gmail.com">dominick.grift@gmail.com</a>><br>
Subject: Re: execmod access to '/opt/google/chrome/chrome' file<br>
To: <a href="mailto:selinux@lists.fedoraproject.org">selinux@lists.fedoraproject.org</a><br>
Message-ID: <1316874209.9488.13.camel@x220.mydomain.internal><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
On Sat, 2011-09-24 at 16:06 +0200, Antonio Trande wrote:<br>
> This problem has appeared with the chrome executable:<br>
><br>
> SELinux is preventing /opt/google/chrome/chrome from execmod access on the file<br>
> /opt/google/chrome/chrome.<br>
><br>
> setroubleshoot suggests changing the label on '/opt/google/chrome/chrome' to the textrel_shlib_t type, or allowing chrome to have execmod access on the chrome file.<br>
> But it does not always happen (never to me).<br>
><br>
><br>
> Could you give more info about this behavior?<br>
<br>
I can tell you that this is bad behaviour by chrome. I can tell you that<br>
this issue is known but that this issue is obviously not fixed yet.<br>
<br>
SElinux protects the system from chrome currently. SElinux is blocking<br>
chrome trying to do bad things.<br>
<br>
One could argue that SElinux should not try and protect users by default<br>
(unconfined users) but that is currently not the case.<br>
<br>
There is, I believe, a way to stop selinux trying to protect you from<br>
chrome's evil ways.<br>
<br>
You can try "chcon -t bin_t /opt/google/chrome/chrome-sandbox" or<br>
"chcon -t bin_t /usr/lib/chromium-browser/chrome-sandbox" respectively,<br>
depending on where it is located.<br>
<br>
Additionally one may be required to toggle the allow_execmem and<br>
allow_execmod booleans to true.<br>
<br>
Doing this will leave your system wide open to browser and browser<br>
plugin attacks.<br>
<br>
To undo this, simply run<br>
restorecon /opt/google/chrome/chrome-sandbox /usr/lib/chromium-browser/chrome-sandbox<br>
and toggle the allow_execmem and allow_execmod booleans to their<br>
previous state.<br>
<br>
You can also use the mozilla browser; unlike chrome, this browser does<br>
not try to hijack your system (at least not yet).<br>
<br>
> Thanks.<br>
><br>
><br>
> --<br>
> Antonio Trande<br>
> "Fedora Ambassador"<br>
><br>
> mail: mailto:<a href="mailto:sagitter@fedoraproject.org">sagitter@fedoraproject.org</a><br>
> Homepage: <a href="http://www.fedora-os.org" target="_blank">http://www.fedora-os.org</a><br>
> Sip Address : sip:sagitter AT <a href="http://ekiga.net" target="_blank">ekiga.net</a><br>
> Jabber :sagitter AT <a href="http://jabber.org" target="_blank">jabber.org</a><br>
> GPG Key: CFE3479C<br>
><br>
> --<br>
> selinux mailing list<br>
> <a href="mailto:selinux@lists.fedoraproject.org">selinux@lists.fedoraproject.org</a><br>
> <a href="https://admin.fedoraproject.org/mailman/listinfo/selinux" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/selinux</a><br>
<br>
<br>
------------------------------<br>
<br>
Message: 3<br>
Date: Sat, 24 Sep 2011 15:32:36 +0100<br>
From: Trevor Hemsley <<a href="mailto:trevor.hemsley@ntlworld.com">trevor.hemsley@ntlworld.com</a>><br>
Subject: Re: execmod access to '/opt/google/chrome/chrome' file<br>
Cc: <a href="mailto:selinux@lists.fedoraproject.org">selinux@lists.fedoraproject.org</a><br>
Message-ID: <<a href="mailto:4E7DEA04.3050806@ntlworld.com">4E7DEA04.3050806@ntlworld.com</a>><br>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed<br>
<br>
Dominick Grift wrote:<br>
> On Sat, 2011-09-24 at 16:06 +0200, Antonio Trande wrote:<br>
><br>
>> This problem has appeared with the chrome executable:<br>
>><br>
>> SELinux is preventing /opt/google/chrome/chrome from execmod access on the file<br>
>> /opt/google/chrome/chrome.<br>
>><br>
>> setroubleshoot suggests changing the label on '/opt/google/chrome/chrome' to the textrel_shlib_t type, or allowing chrome to have execmod access on the chrome file.<br>
>> But it does not always happen (never to me).<br>
>><br>
>><br>
>> Could you give more info about this behavior?<br>
>><br>
><br>
> I can tell you that this is bad behaviour by chrome. I can tell you that<br>
> this issue is known but that this issue is obviously not fixed yet.<br>
><br>
<a href="http://code.google.com/p/chromium/issues/detail?id=87704" target="_blank">http://code.google.com/p/chromium/issues/detail?id=87704</a> is the bug<br>
report about it for Chrome.<br>
</blockquote></div>
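Dominick's workaround in message 2 (relabelling chrome-sandbox to bin_t and turning the allow_execmem/allow_execmod booleans on) weakens the system, and his undo step (restorecon plus restoring the booleans) is what a defender wants to be able to verify. The script below is an added example, not code from the thread or from any Fedora tool: it parses the `ls -Z` and `getsebool -a` output formats quoted above and reports whether that weakening is in effect. The sample output embedded in it is constructed from the values shown in the thread; on a live system the two variables would be filled from the real commands.

```shell
#!/bin/sh
# Audit whether the chrome/SELinux workaround discussed in the thread is in
# effect. Sample data is constructed from the thread's own `ls -Z` and
# `getsebool -a` output; on a real host replace it with:
#   LSZ_SAMPLE=$(ls -Z /opt/google/chrome/chrome /opt/google/chrome/chrome-sandbox)
#   BOOL_SAMPLE=$(getsebool -a)

LSZ_SAMPLE='-rwxr-xr-x. root root system_u:object_r:execmem_exec_t:s0 /opt/google/chrome/chrome
-rwsr-xr-x. root root system_u:object_r:chrome_sandbox_exec_t:s0 /opt/google/chrome/chrome-sandbox'

BOOL_SAMPLE='allow_execheap --> off
allow_execmem --> on
allow_execmod --> off
allow_execstack --> off'

# label_type <ls -Z output> <path>: print the SELinux type (third field of
# user:role:type:level) of the line whose last field is <path>.
label_type() {
    printf '%s\n' "$1" | awk -v p="$2" '$NF == p { split($4, c, ":"); print c[3] }'
}

# bool_state <getsebool -a output> <boolean>: print "on" or "off".
bool_state() {
    printf '%s\n' "$1" | awk -v b="$2" '$1 == b { print $3 }'
}

# audit <ls -Z output> <getsebool -a output>: print one line per finding
# (chrome-sandbox relabelled to bin_t, or an exec* boolean turned on) and
# return the number of findings as the exit status (0 = nothing found).
audit() {
    n=0
    if [ "$(label_type "$1" /opt/google/chrome/chrome-sandbox)" = "bin_t" ]; then
        echo "chrome-sandbox is labelled bin_t; revert with: restorecon -v /opt/google/chrome/chrome-sandbox"
        n=$((n + 1))
    fi
    for b in allow_execmem allow_execmod; do
        if [ "$(bool_state "$2" "$b")" = "on" ]; then
            echo "$b is on; if you changed it, restore its previous state with: setsebool -P $b off"
            n=$((n + 1))
        fi
    done
    return $n
}

count=0
audit "$LSZ_SAMPLE" "$BOOL_SAMPLE" || count=$?
echo "findings: $count"
```

With the thread's values the script reports one finding (allow_execmem is on) and a correctly labelled chrome-sandbox; after the chcon from message 2 it would report two.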