FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora SELinux Support

 
 
LinkBack Thread Tools
 
Old 09-24-2011, 02:06 PM
Antonio Trande
 
Default execmod access to '/opt/google/chrome/chrome' file

This problem is appeared with chrome executable:

SELinux is preventing /opt/google/chrome/chrome from execmod access on the file
/opt/google/chrome/chrome.

setroubleshoot suggests to change the label on '/opt/google/chrome/chrome' how textrel_shlib_t type or to allow chrome to have execmod access on the chrome file.
But does not happen always (never to me).


Could you give more infos about this behavior ?

Thanks.

--
Antonio Trande
"Fedora Ambassador"

mail: mailto:sagitter@fedoraproject.org
Homepage: http://www.fedora-os.org
Sip Address
: sip:sagitter AT ekiga.netJabber
:sagitter AT jabber.orgGPG Key: CFE3479C



--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 09-24-2011, 02:23 PM
Dominick Grift
 
Default execmod access to '/opt/google/chrome/chrome' file

On Sat, 2011-09-24 at 16:06 +0200, Antonio Trande wrote:
> This problem is appeared with chrome executable:
>
> SELinux is preventing /opt/google/chrome/chrome from execmod access on the file
> /opt/google/chrome/chrome.
>
> setroubleshoot suggests to change the label on '/opt/google/chrome/chrome' how textrel_shlib_t type or to allow chrome to have execmod access on the chrome file.
> But does not happen always (never to me).
>
>
> Could you give more infos about this behavior ?

I can tell you that this is bad behaviour by chrome. I can tell you that
this issue is known but that this issue is obviously not fixed yet.

SElinux protects the system from chrome currently. SElinux is blocking
chrome trying to do bad things.

One could argue that SElinux should not try and protect users by default
(unconfined users) butthat is currently not the case.

there is , i believe, a way to stop selinux trying to protect you from
chromes evil ways.

youu can try and "chcon -t bin_t /opt/google/chrome/chrome-sandbox" or
"chcon -t bin_t /usr/lib/chromium-browser/chrome-sandbox" respectively
depending on where it is located.

Additionally one may be required to toggle the allow_execmem and
allow_execmod booleans to true.

Doing this will leave your system wide open to browser and browser
plugin attacks.

To undo this simply
restorecon /opt/google/chrome/chrome-sandbox /usr/lib/chromium-browser/chrome-sandbox
and toggle the allow_execmem and allow_execmod booleans to their
previous state.

You can also use the mozilla browser, unlike chrome this browser does
not try to hijack your system (at least not yet)

> Thanks.
>
>
> --
> Antonio Trande
> "Fedora Ambassador"
>
> mail: mailto:sagitter@fedoraproject.org
> Homepage: http://www.fedora-os.org
> Sip Address : sip:sagitter AT ekiga.net
> Jabber :sagitter AT jabber.org
> GPG Key: CFE3479C
>
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 09-24-2011, 02:32 PM
Trevor Hemsley
 
Default execmod access to '/opt/google/chrome/chrome' file

Dominick Grift wrote:
> On Sat, 2011-09-24 at 16:06 +0200, Antonio Trande wrote:
>
>> This problem is appeared with chrome executable:
>>
>> SELinux is preventing /opt/google/chrome/chrome from execmod access on the file
>> /opt/google/chrome/chrome.
>>
>> setroubleshoot suggests to change the label on '/opt/google/chrome/chrome' how textrel_shlib_t type or to allow chrome to have execmod access on the chrome file.
>> But does not happen always (never to me).
>>
>>
>> Could you give more infos about this behavior ?
>>
>
> I can tell you that this is bad behaviour by chrome. I can tell you that
> this issue is known but that this issue is obviously not fixed yet.
>
http://code.google.com/p/chromium/issues/detail?id=87704 is the bug
report about it for Chrome.


--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 

Thread Tools




All times are GMT. The time now is 10:20 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org