execmod access to '/opt/google/chrome/chrome' file
On Sat, 2011-09-24 at 16:06 +0200, Antonio Trande wrote:
> This problem is appeared with chrome executable:
> SELinux is preventing /opt/google/chrome/chrome from execmod access on the file
> setroubleshoot suggests to change the label on '/opt/google/chrome/chrome' how textrel_shlib_t type or to allow chrome to have execmod access on the chrome file.
> But does not happen always (never to me).
> Could you give more infos about this behavior ?
I can tell you that this is bad behaviour by chrome. I can tell you that
this issue is known but that this issue is obviously not fixed yet.
SElinux protects the system from chrome currently. SElinux is blocking
chrome trying to do bad things.
One could argue that SElinux should not try and protect users by default
(unconfined users) butthat is currently not the case.
there is , i believe, a way to stop selinux trying to protect you from
chromes evil ways.
youu can try and "chcon -t bin_t /opt/google/chrome/chrome-sandbox" or
"chcon -t bin_t /usr/lib/chromium-browser/chrome-sandbox" respectively
depending on where it is located.
Additionally one may be required to toggle the allow_execmem and
allow_execmod booleans to true.
Doing this will leave your system wide open to browser and browser
To undo this simply
restorecon /opt/google/chrome/chrome-sandbox /usr/lib/chromium-browser/chrome-sandbox
and toggle the allow_execmem and allow_execmod booleans to their
You can also use the mozilla browser, unlike chrome this browser does
not try to hijack your system (at least not yet)
> Antonio Trande
> "Fedora Ambassador"
> mail: mailto:firstname.lastname@example.org
> Homepage: http://www.fedora-os.org
> Sip Address : sip:sagitter AT ekiga.net
> Jabber :sagitter AT jabber.org
> GPG Key: CFE3479C
> selinux mailing list
selinux mailing list