Re: execmod access to '/opt/google/chrome/chrome' file

On Sat, 2011-09-24 at 16:06 +0200, Antonio Trande wrote:
> This problem has appeared with the chrome executable:
> 
> SELinux is preventing /opt/google/chrome/chrome from execmod access on the file
> /opt/google/chrome/chrome.
> 
> setroubleshoot suggests to change the label on '/opt/google/chrome/chrome' to the textrel_shlib_t type or to allow chrome to have execmod access on the chrome file.
> But does not happen always (never to me).
> 
> 
> Could you give more info about this behavior?

I can tell you that this is bad behaviour by chrome. I can tell you that
this issue is known but that this issue is obviously not fixed yet.

SELinux protects the system from chrome currently. SELinux is blocking
chrome trying to do bad things.

One could argue that SELinux should not try and protect users by default
(unconfined users) but that is currently not the case.

There is, I believe, a way to stop SELinux trying to protect you from
chrome's evil ways.

You can try "chcon -t bin_t /opt/google/chrome/chrome-sandbox" or
"chcon -t bin_t /usr/lib/chromium-browser/chrome-sandbox" respectively
depending on where it is located.

Additionally one may be required to toggle the allow_execmem and
allow_execmod booleans to true.

Doing this will leave your system wide open to browser and browser
plugin attacks.

To undo this simply
restorecon /opt/google/chrome/chrome-sandbox /usr/lib/chromium-browser/chrome-sandbox
and toggle the allow_execmem and allow_execmod booleans to their
previous state.

You can also use the Mozilla browser; unlike chrome, this browser does
not try to hijack your system (at least not yet).

> Thanks.
> 
> 
> -- 
> Antonio Trande
> "Fedora Ambassador"
> 
> mail: mailto:sagitter@xxxxxxxxxxxxxxxxx 
> Homepage: http://www.fedora-os.org
> Sip Address : sip:sagitter AT ekiga.net
> Jabber :sagitter AT jabber.org
> GPG Key: CFE3479C
> 
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

Attachment: signature.asc
Description: This is a digitally signed message part
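
For triaging denials like the one quoted in this thread before changing any label or boolean, the following added example (not part of the original messages) parses AVC records and counts denials of the memory-protection permissions execmod, execmem, execstack and execheap per process and target. The log lines, including their contexts and ids, are constructed samples, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample audit records (not from the thread); contexts and ids are illustrative.
SAMPLE_LOG = """\
type=AVC msg=audit(1316873160.101:210): avc:  denied  { execmod } for  pid=2411 comm="chrome" path="/opt/google/chrome/chrome" dev=dm-0 ino=131 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1316873161.007:211): avc:  denied  { execmod } for  pid=2411 comm="chrome" path="/opt/google/chrome/chrome" dev=dm-0 ino=131 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1316873170.500:215): avc:  denied  { execmem } for  pid=2411 comm="chrome" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1316873171.900:216): avc:  denied  { read } for  pid=2600 comm="cat" path="/etc/shadow" dev=dm-0 ino=77 scontext=unconfined_u:unconfined_r:user_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

# Permissions that guard writable-and-executable memory mappings.
MEMORY_PERMS = {"execmod", "execmem", "execstack", "execheap"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]*)\} for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = set(m.group("perms").split())
    # The SELinux type is the third colon-separated field of a context.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def memory_denials(log_text):
    """Count memory-protection denials per (comm, perm, target, target type)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in sorted(rec["perms"] & MEMORY_PERMS):
            # Process-class denials such as execmem carry no path field.
            target = rec.get("path", rec["tclass"])
            counts[(rec["comm"], perm, target, rec["ttype"])] += 1
    return counts


if __name__ == "__main__":
    for (comm, perm, target, ttype), n in memory_denials(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {comm}  {perm}  {target}  (target type {ttype})")
```
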
