Linux Archive > Redhat > Fedora SELinux Support

09-25-2011, 03:44 PM
Antonio Trande

selinux Digest, Vol 91, Issue 15

With my Fedora 15 64bit this problem never appears; on other Fedora systems it seems to be present.


$ ls -Z /opt/google/chrome/chrome
-rwxr-xr-x. root root system_u:object_r:execmem_exec_t:s0 /opt/google/chrome/chrome
$ ls -Z /opt/google/chrome/chrome-sandbox
-rwsr-xr-x. root root system_u:object_r:chrome_sandbox_exec_t:s0 /opt/google/chrome/chrome-sandbox

$ getsebool -a | grep chrome
$ getsebool -a | grep exe
allow_execheap --> off
allow_execmem --> on
allow_execmod --> off
allow_execstack --> off
allow_guest_exec_content --> off
allow_java_execstack --> off
allow_mplayer_execstack --> off
allow_nsplugin_execmem --> on
allow_staff_exec_content --> on
allow_sysadm_exec_content --> on
allow_user_exec_content --> on
allow_xguest_exec_content --> on
allow_xserver_execmem --> off
dhcpc_exec_iptables --> off
httpd_execmem --> off
httpd_ssi_exec --> off
httpd_tmp_exec --> off
xdm_exec_bootloader --> off

If I change the execmem boolean to off, SELinux reports an AVC message (in attachment).

I do not understand ...

2011/9/25 <selinux-request@lists.fedoraproject.org>

Send selinux mailing list submissions to
    selinux@lists.fedoraproject.org

To subscribe or unsubscribe via the World Wide Web, visit
    https://admin.fedoraproject.org/mailman/listinfo/selinux
or, via email, send a message with subject or body 'help' to
    selinux-request@lists.fedoraproject.org

You can reach the person managing the list at
    selinux-owner@lists.fedoraproject.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of selinux digest..."

Today's Topics:

  1. execmod access to '/opt/google/chrome/chrome' file (Antonio Trande)
  2. Re: execmod access to '/opt/google/chrome/chrome' file (Dominick Grift)
  3. Re: execmod access to '/opt/google/chrome/chrome' file (Trevor Hemsley)
  4. httpd_sys_content_rw_t (Vadym Chepkov)
  5. Re: httpd_sys_content_rw_t (Vadym Chepkov)
  6. Re: List of avc for fedora 16 (David Highley)
  7. Re: List of avc for fedora 16 (Dominick Grift)
  8. Re: httpd_sys_content_rw_t (Dominick Grift)

----------------------------------------------------------------------



Message: 1
Date: Sat, 24 Sep 2011 16:06:31 +0200
From: Antonio Trande <anto.trande@gmail.com>
Subject: execmod access to '/opt/google/chrome/chrome' file
To: selinux@lists.fedoraproject.org
Message-ID: <CAATtwDXHkAbZAGgLkU7j7OY7HeLvx+5EnrniTEfOF2Q=eJ5qwA@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"



This problem has appeared with the chrome executable:

SELinux is preventing /opt/google/chrome/chrome from execmod access on the file
/opt/google/chrome/chrome.

setroubleshoot suggests changing the label on '/opt/google/chrome/chrome' to the
textrel_shlib_t type, or allowing chrome to have execmod access on the chrome file.
But it does not always happen (never to me).

Could you give more info about this behavior?

Thanks.







--
Antonio Trande
"Fedora Ambassador"

mail: sagitter@fedoraproject.org
Homepage: http://www.fedora-os.org
Sip Address: sip:sagitter AT ekiga.net
Jabber: sagitter AT jabber.org
GPG Key: CFE3479C

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.fedoraproject.org/pipermail/selinux/attachments/20110924/de723eec/attachment-0001.html




------------------------------

Message: 2
Date: Sat, 24 Sep 2011 16:23:29 +0200
From: Dominick Grift <dominick.grift@gmail.com>
Subject: Re: execmod access to '/opt/google/chrome/chrome' file
To: selinux@lists.fedoraproject.org
Message-ID: <1316874209.9488.13.camel@x220.mydomain.internal>
Content-Type: text/plain; charset="utf-8"



On Sat, 2011-09-24 at 16:06 +0200, Antonio Trande wrote:
> This problem has appeared with the chrome executable:
>
> SELinux is preventing /opt/google/chrome/chrome from execmod access on the file
> /opt/google/chrome/chrome.
>
> setroubleshoot suggests changing the label on '/opt/google/chrome/chrome' to the textrel_shlib_t type, or allowing chrome to have execmod access on the chrome file.
> But it does not always happen (never to me).
>
> Could you give more info about this behavior?

I can tell you that this is bad behaviour by chrome. I can tell you that
this issue is known but that this issue is obviously not fixed yet.

SELinux protects the system from chrome currently. SELinux is blocking
chrome trying to do bad things.

One could argue that SELinux should not try and protect users by default
(unconfined users) but that is currently not the case.

There is, I believe, a way to stop SELinux trying to protect you from
chrome's evil ways.

You can try "chcon -t bin_t /opt/google/chrome/chrome-sandbox" or
"chcon -t bin_t /usr/lib/chromium-browser/chrome-sandbox" respectively,
depending on where it is located.

Additionally one may be required to toggle the allow_execmem and
allow_execmod booleans to true.

Doing this will leave your system wide open to browser and browser
plugin attacks.

To undo this, simply

restorecon /opt/google/chrome/chrome-sandbox /usr/lib/chromium-browser/chrome-sandbox

and toggle the allow_execmem and allow_execmod booleans to their
previous state.

You can also use the mozilla browser; unlike chrome, this browser does
not try to hijack your system (at least not yet).



> Thanks.
>
> --
> Antonio Trande
> "Fedora Ambassador"
>
> mail: sagitter@fedoraproject.org
> Homepage: http://www.fedora-os.org
> Sip Address: sip:sagitter AT ekiga.net
> Jabber: sagitter AT jabber.org
> GPG Key: CFE3479C
>
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
Url : http://lists.fedoraproject.org/pipermail/selinux/attachments/20110924/5feb3108/attachment-0001.bin




------------------------------

Message: 3
Date: Sat, 24 Sep 2011 15:32:36 +0100
From: Trevor Hemsley <trevor.hemsley@ntlworld.com>
Subject: Re: execmod access to '/opt/google/chrome/chrome' file
Cc: selinux@lists.fedoraproject.org
Message-ID: <4E7DEA04.3050806@ntlworld.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Dominick Grift wrote:
> On Sat, 2011-09-24 at 16:06 +0200, Antonio Trande wrote:
>
>> This problem has appeared with the chrome executable:
>>
>> SELinux is preventing /opt/google/chrome/chrome from execmod access on the file
>> /opt/google/chrome/chrome.
>>
>> setroubleshoot suggests changing the label on '/opt/google/chrome/chrome' to the textrel_shlib_t type, or allowing chrome to have execmod access on the chrome file.
>> But it does not always happen (never to me).
>>
>>
>> Could you give more info about this behavior?
>>
>
> I can tell you that this is bad behaviour by chrome. I can tell you that
> this issue is known but that this issue is obviously not fixed yet.
>
http://code.google.com/p/chromium/issues/detail?id=87704 is the bug
report about it for Chrome.


--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
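The workaround Dominick describes (relabelling chrome-sandbox to bin_t and switching allow_execmem / allow_execmod on) is easy to apply and easy to forget. The script below is an added example, not code from the thread or from the Fedora SELinux project: it parses `ls -Z` and `getsebool -a` style output and counts how many of those three weakening changes are in effect, so an administrator can spot a host that was left "wide open" and revert it with `restorecon` and `setsebool`. The sample output it reads is constructed inline (the labels and boolean names are those quoted in the thread) so it runs without SELinux; on a real host you would feed it the live command output instead.

```shell
#!/bin/sh
# Added example: audit the SELinux settings touched by the chrome execmod workaround.
# Expected input (live system):
#   ls -Z /opt/google/chrome/chrome-sandbox      -> one line per file
#   getsebool -a                                 -> "name --> on|off" per line
# The samples at the bottom are constructed for this example.

# Return the SELinux type (third ':'-separated field of the context, e.g.
# chrome_sandbox_exec_t) found in one `ls -Z` output line, or "unknown".
selinux_type_of() {
    for field in $1; do
        case "$field" in
            *:*:*:s[0-9]*)
                rest=${field#*:}        # drop user  (system_u)
                rest=${rest#*:}         # drop role  (object_r)
                printf '%s\n' "${rest%%:*}"   # keep type, drop level (s0)
                return 0 ;;
        esac
    done
    echo unknown
}

# Classify the chrome-sandbox label: the policy assigns chrome_sandbox_exec_t;
# bin_t is what the thread's `chcon -t bin_t` workaround leaves behind.
check_sandbox_label() {
    t=$(selinux_type_of "$1")
    case "$t" in
        chrome_sandbox_exec_t) echo ok ;;
        bin_t)                 echo weakened ;;
        *)                     echo "unexpected:$t" ;;
    esac
}

# Look up one boolean ("on"/"off") in getsebool -a output; "absent" if not listed.
bool_value() {
    v=$(printf '%s\n' "$2" | while read -r name arrow value; do
            if [ "$name" = "$1" ] && [ "$arrow" = "-->" ]; then
                echo "$value"
                break
            fi
        done)
    if [ -n "$v" ]; then echo "$v"; else echo absent; fi
}

# Count the weakening changes in effect: relabelled sandbox plus each of the
# two booleans Dominick mentions being on. 0 means the workaround is not applied.
audit_report() {
    n=0
    if [ "$(check_sandbox_label "$1")" = weakened ]; then n=$((n + 1)); fi
    if [ "$(bool_value allow_execmem "$2")" = on ]; then n=$((n + 1)); fi
    if [ "$(bool_value allow_execmod "$2")" = on ]; then n=$((n + 1)); fi
    echo "$n"
}

# Constructed samples: a host after the full workaround, and the policy default label.
SAMPLE_LS_WEAK='-rwsr-xr-x. root root system_u:object_r:bin_t:s0 /opt/google/chrome/chrome-sandbox'
SAMPLE_LS_OK='-rwsr-xr-x. root root system_u:object_r:chrome_sandbox_exec_t:s0 /opt/google/chrome/chrome-sandbox'
SAMPLE_BOOLS='allow_execheap --> off
allow_execmem --> on
allow_execmod --> on
allow_execstack --> off'

if [ "${1:-}" = "--demo" ]; then
    echo "weakening changes in effect: $(audit_report "$SAMPLE_LS_WEAK" "$SAMPLE_BOOLS")"
    echo "revert label with: restorecon -v /opt/google/chrome/chrome-sandbox"
    echo "revert booleans with: setsebool -P allow_execmem=<previous> allow_execmod=<previous>"
fi
```

Run it with `--demo` to see the verdict for the constructed sample; on a live host replace the two `SAMPLE_*` strings with `$(ls -Z /opt/google/chrome/chrome-sandbox)` and `$(getsebool -a)`. Pure POSIX sh is used deliberately so the check can run from a cron job or a configuration-management probe on a minimal system. Note that `restorecon` only restores the label the policy expects; the booleans must be reset explicitly, and to the values recorded before the change (Antonio's listing shows allow_execmem already on by default on his system).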