selinux Digest, Vol 91, Issue 15

Antonio Trande anto.trande at gmail.com
Sun Sep 25 15:44:50 UTC 2011


With my Fedora 15 64bit this problem never appears; on other Fedora
systems it seems to be present.

> $ ls -Z /opt/google/chrome/chrome
> -rwxr-xr-x. root root system_u:object_r:execmem_exec_t:s0
> /opt/google/chrome/chrome
> $ ls -Z /opt/google/chrome/chrome-sandbox
> -rwsr-xr-x. root root system_u:object_r:chrome_sandbox_exec_t:s0
> /opt/google/chrome/chrome-sandbox
> $ getsebool -a | grep chrome
> $ getsebool -a | grep exe
> allow_execheap --> off
> allow_execmem --> on
> allow_execmod --> off
> allow_execstack --> off
> allow_guest_exec_content --> off
> allow_java_execstack --> off
> allow_mplayer_execstack --> off
> allow_nsplugin_execmem --> on
> allow_staff_exec_content --> on
> allow_sysadm_exec_content --> on
> allow_user_exec_content --> on
> allow_xguest_exec_content --> on
> allow_xserver_execmem --> off
> dhcpc_exec_iptables --> off
> httpd_execmem --> off
> httpd_ssi_exec --> off
> httpd_tmp_exec --> off
> xdm_exec_bootloader --> off
>

If I change the execmem boolean to off, SELinux reports an AVC message (in
attachment).
I do not understand ...

2011/9/25 <selinux-request at lists.fedoraproject.org>

>
> Today's Topics:
>
>   1. execmod access to '/opt/google/chrome/chrome' file
>      (Antonio Trande)
>   2. Re: execmod access to '/opt/google/chrome/chrome' file
>      (Dominick Grift)
>   3. Re: execmod access to '/opt/google/chrome/chrome' file
>      (Trevor Hemsley)
>   4. httpd_sys_content_rw_t (Vadym Chepkov)
>   5. Re: httpd_sys_content_rw_t (Vadym Chepkov)
>   6. Re: List of avc for fedora 16 (David Highley)
>   7. Re: List of avc for fedora 16 (Dominick Grift)
>   8. Re: httpd_sys_content_rw_t (Dominick Grift)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 24 Sep 2011 16:06:31 +0200
> From: Antonio Trande <anto.trande at gmail.com>
> Subject: execmod access to '/opt/google/chrome/chrome' file
> To: selinux at lists.fedoraproject.org
> Message-ID: <CAATtwDXHkAbZAGgLkU7j7OY7HeLvx+5EnrniTEfOF2Q=eJ5qwA at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> This problem has appeared with the chrome executable:
>
> SELinux is preventing /opt/google/chrome/chrome from execmod access on the
> file
> /opt/google/chrome/chrome.
>
> setroubleshoot suggests changing the label on
> '/opt/google/chrome/chrome' to the textrel_shlib_t type or allowing
> chrome to have execmod access on the chrome file.
> But it does not always happen (never to me).
>
> Could you give more info about this behavior?
>
> Thanks.
>
>
>
> --
> Antonio Trande
> "Fedora Ambassador"
>
> mail: mailto:sagitter at fedoraproject.org
> Homepage: http://www.fedora-os.org
> Sip Address: sip:sagitter AT ekiga.net
> Jabber: sagitter AT jabber.org
> GPG Key: CFE3479C
> ------------------------------
>
> Message: 2
> Date: Sat, 24 Sep 2011 16:23:29 +0200
> From: Dominick Grift <dominick.grift at gmail.com>
> Subject: Re: execmod access to '/opt/google/chrome/chrome' file
> To: selinux at lists.fedoraproject.org
> Message-ID: <1316874209.9488.13.camel at x220.mydomain.internal>
> Content-Type: text/plain; charset="utf-8"
>
> On Sat, 2011-09-24 at 16:06 +0200, Antonio Trande wrote:
> > This problem has appeared with the chrome executable:
> >
> > SELinux is preventing /opt/google/chrome/chrome from execmod access on
> the file
> > /opt/google/chrome/chrome.
> >
> > setroubleshoot suggests changing the label on
> > '/opt/google/chrome/chrome' to the textrel_shlib_t type or allowing chrome to
> > have execmod access on the chrome file.
> > But it does not always happen (never to me).
> >
> >
> > Could you give more info about this behavior?
>
> I can tell you that this is bad behaviour by chrome. I can tell you that
> this issue is known but that this issue is obviously not fixed yet.
>
> SELinux protects the system from chrome currently. SELinux is blocking
> chrome trying to do bad things.
>
> One could argue that SELinux should not try and protect users by default
> (unconfined users) but that is currently not the case.
>
> There is, I believe, a way to stop SELinux trying to protect you from
> chrome's evil ways.
>
> You can try "chcon -t bin_t /opt/google/chrome/chrome-sandbox" or
> "chcon -t bin_t /usr/lib/chromium-browser/chrome-sandbox" respectively,
> depending on where it is located.
>
> Additionally one may be required to toggle the allow_execmem and
> allow_execmod booleans to true.
>
> Doing this will leave your system wide open to browser and browser
> plugin attacks.
>
> To undo this simply
> restorecon /opt/google/chrome/chrome-sandbox
> /usr/lib/chromium-browser/chrome-sandbox
> and toggle the allow_execmem and allow_execmod booleans to their
> previous state.
>
> You can also use the mozilla browser; unlike chrome, this browser does
> not try to hijack your system (at least not yet).
>
> > Thanks.
> >
> >
> > --
> > Antonio Trande
> > "Fedora Ambassador"
> >
> > mail: mailto:sagitter at fedoraproject.org
> > Homepage: http://www.fedora-os.org
> > Sip Address : sip:sagitter AT ekiga.net
> > Jabber :sagitter AT jabber.org
> > GPG Key: CFE3479C
> >
> > --
> > selinux mailing list
> > selinux at lists.fedoraproject.org
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
>
> ------------------------------
>
> Message: 3
> Date: Sat, 24 Sep 2011 15:32:36 +0100
> From: Trevor Hemsley <trevor.hemsley at ntlworld.com>
> Subject: Re: execmod access to '/opt/google/chrome/chrome' file
> Cc: selinux at lists.fedoraproject.org
> Message-ID: <4E7DEA04.3050806 at ntlworld.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Dominick Grift wrote:
> > On Sat, 2011-09-24 at 16:06 +0200, Antonio Trande wrote:
> >
> >> This problem has appeared with the chrome executable:
> >>
> >> SELinux is preventing /opt/google/chrome/chrome from execmod access on
> the file
> >> /opt/google/chrome/chrome.
> >>
> >> setroubleshoot suggests changing the label on
> >> '/opt/google/chrome/chrome' to the textrel_shlib_t type or allowing chrome to
> >> have execmod access on the chrome file.
> >> But it does not always happen (never to me).
> >>
> >>
> >> Could you give more info about this behavior?
> >>
> >
> > I can tell you that this is bad behaviour by chrome. I can tell you that
> > this issue is known but that this issue is obviously not fixed yet.
> >
> http://code.google.com/p/chromium/issues/detail?id=87704 is the bug
> report about it for Chrome.
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: firefox-selinux
Type: application/octet-stream
Size: 3563 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/selinux/attachments/20110925/a6f67566/attachment.obj 
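As an added example, not part of the thread, a small POSIX shell audit for the workaround Dominick describes: it parses `ls -Z` and `getsebool -a` output, flags chrome-sandbox being relabelled bin_t or the allow_execmem/allow_execmod booleans being on, and prints the restorecon/setsebool commands that revert the change. The sample lines are constructed from the thread's own listing; the live commands run only if they exist on the host.

```shell
#!/bin/sh
# Added audit helper (not from the thread): detects the workaround described
# above, chrome-sandbox relabelled to bin_t and/or the allow_execmem and
# allow_execmod booleans switched on, and prints the commands that revert it.
# Parsing works on captured text so it can be exercised offline; the live
# commands (ls -Z, getsebool -a) run only when they exist on the host.

# Print the SELinux type (third colon-separated field) of the object_r
# context on one `ls -Z` line, whatever column ls puts the context in.
selinux_type_of() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /:object_r:/) { split($i, c, ":"); print c[3]; exit }
    }'
}

# Print "on" or "off" for boolean $1, read from `getsebool -a` output in $2.
boolean_state() {
    printf '%s\n' "$2" | awk -v b="$1" '$1 == b && $2 == "-->" { print $3 }'
}

# One finding per line; no output means the shipped policy is still in force.
audit_chrome_policy() {
    # $1: ls -Z line for chrome-sandbox   $2: getsebool -a output
    t=$(selinux_type_of "$1")
    [ "$t" = chrome_sandbox_exec_t ] ||
        echo "chrome-sandbox is labelled ${t:-<none>}: revert with restorecon -v /opt/google/chrome/chrome-sandbox"
    for b in allow_execmem allow_execmod; do
        [ "$(boolean_state "$b" "$2")" = on ] &&
            echo "$b is on: revert with setsebool -P $b off"
    done
    return 0
}

# Constructed samples: the shipped label from the thread's listing, and the
# state the chcon/setsebool workaround leaves behind.
SAFE_LS='-rwsr-xr-x. root root system_u:object_r:chrome_sandbox_exec_t:s0 /opt/google/chrome/chrome-sandbox'
RISKY_LS='-rwsr-xr-x. root root system_u:object_r:bin_t:s0 /opt/google/chrome/chrome-sandbox'
SAFE_BOOLS='allow_execmem --> off
allow_execmod --> off'
RISKY_BOOLS='allow_execmem --> on
allow_execmod --> on'

if command -v getsebool >/dev/null 2>&1 && [ -e /opt/google/chrome/chrome-sandbox ]; then
    audit_chrome_policy "$(ls -Z /opt/google/chrome/chrome-sandbox)" "$(getsebool -a)"
else
    audit_chrome_policy "$RISKY_LS" "$RISKY_BOOLS"   # offline demonstration
fi
```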

