execmod access to '/opt/google/chrome/chrome' file

Dominick Grift dominick.grift at gmail.com
Sat Sep 24 14:23:29 UTC 2011


On Sat, 2011-09-24 at 16:06 +0200, Antonio Trande wrote:
> This problem has appeared with the chrome executable:
> 
> SELinux is preventing /opt/google/chrome/chrome from execmod access on the file
> /opt/google/chrome/chrome.
> 
> setroubleshoot suggests changing the label on '/opt/google/chrome/chrome' to the textrel_shlib_t type or allowing chrome to have execmod access on the chrome file.
> But it does not always happen (never to me).
> 
> 
> Could you give more info about this behavior?

I can tell you that this is bad behaviour by chrome. I can tell you that
this issue is known but that this issue is obviously not fixed yet.

SELinux protects the system from chrome currently. SELinux is blocking
chrome trying to do bad things.

One could argue that SELinux should not try and protect users by default
(unconfined users) but that is currently not the case.

There is, I believe, a way to stop SELinux trying to protect you from
chrome's evil ways.

You can try "chcon -t bin_t /opt/google/chrome/chrome-sandbox" or
"chcon -t bin_t /usr/lib/chromium-browser/chrome-sandbox" respectively
depending on where it is located.

Additionally one may be required to toggle the allow_execmem and
allow_execmod booleans to true.

Doing this will leave your system wide open to browser and browser
plugin attacks.

To undo this simply
restorecon /opt/google/chrome/chrome-sandbox /usr/lib/chromium-browser/chrome-sandbox
and toggle the allow_execmem and allow_execmod booleans to their
previous state.

You can also use the mozilla browser; unlike chrome, this browser does
not try to hijack your system (at least not yet).

> Thanks.
> 
> 
> -- 
> Antonio Trande
> "Fedora Ambassador"
> 
> mail: mailto:sagitter at fedoraproject.org 
> Homepage: http://www.fedora-os.org
> Sip Address : sip:sagitter AT ekiga.net
> Jabber :sagitter AT jabber.org
> GPG Key: CFE3479C
> 
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
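
An added example, not part of the original message: a shell check that reports whether the workaround described above (bin_t on chrome-sandbox, allow_execmem or allow_execmod switched on) is still in effect on a host. The function names and the `--audit` argument are assumptions of this example; the live check relies on `getsebool -a` and GNU `stat -c %C`.

```shell
#!/bin/sh
# Added example (not from the original message): report whether the
# workaround described in the message is currently applied on this host.

# Print which of the two booleans named in the message are "on".
# stdin: `getsebool -a` output, one "name --> on|off" line per boolean.
relaxed_booleans() {
    awk '$2 == "-->" && $3 == "on" &&
         ($1 == "allow_execmem" || $1 == "allow_execmod") { print $1 }'
}

# Print the type field of an SELinux context "user:role:type[:level]".
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 if the context carries bin_t, the type set by the chcon command.
is_workaround_label() {
    [ "$(context_type "$1")" = "bin_t" ]
}

# Live check; needs the SELinux userland tools. Returns 1 on any finding.
audit_host() {
    status=0
    for b in $(getsebool -a 2>/dev/null | relaxed_booleans); do
        echo "boolean $b is on"
        status=1
    done
    for f in /opt/google/chrome/chrome-sandbox \
             /usr/lib/chromium-browser/chrome-sandbox; do
        [ -e "$f" ] || continue
        ctx=$(stat -c %C "$f" 2>/dev/null) || continue
        if is_workaround_label "$ctx"; then
            echo "$f is labelled bin_t ($ctx)"
            status=1
        fi
    done
    return "$status"
}

# Run the live check only when asked, so the functions can be sourced.
if [ "${1:-}" = "--audit" ]; then
    audit_host
fi
```

A bin_t finding only says the label matches the one the chcon command sets; whether it differs from the policy default is what restorecon would correct.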
