Re: selinux Digest, Vol 91, Issue 15

With my Fedora 15 64-bit this problem never appears; on other Fedora systems it seems to be present.

$ ls -Z /opt/google/chrome/chrome
-rwxr-xr-x. root root system_u:object_r:execmem_exec_t:s0 /opt/google/chrome/chrome
$ ls -Z /opt/google/chrome/chrome-sandbox
-rwsr-xr-x. root root system_u:object_r:chrome_sandbox_exec_t:s0 /opt/google/chrome/chrome-sandbox
$ getsebool -a | grep chrome
$ getsebool -a | grep exe
allow_execheap --> off
allow_execmem --> on
allow_execmod --> off
allow_execstack --> off
allow_guest_exec_content --> off
allow_java_execstack --> off
allow_mplayer_execstack --> off
allow_nsplugin_execmem --> on
allow_staff_exec_content --> on
allow_sysadm_exec_content --> on
allow_user_exec_content --> on
allow_xguest_exec_content --> on
allow_xserver_execmem --> off
dhcpc_exec_iptables --> off
httpd_execmem --> off
httpd_ssi_exec --> off
httpd_tmp_exec --> off
xdm_exec_bootloader --> off

If I change the execmem boolean to off, SELinux reports an AVC message (in attachment).
I do not understand ...

2011/9/25 <selinux-request@xxxxxxxxxxxxxxxxxxxxxxx>

Today's Topics:

  1. execmod access to '/opt/google/chrome/chrome' file
     (Antonio Trande)
  2. Re: execmod access to '/opt/google/chrome/chrome' file
     (Dominick Grift)
  3. Re: execmod access to '/opt/google/chrome/chrome' file
     (Trevor Hemsley)
  4. httpd_sys_content_rw_t (Vadym Chepkov)
  5. Re: httpd_sys_content_rw_t (Vadym Chepkov)
  6. Re: List of avc for fedora 16 (David Highley)
  7. Re: List of avc for fedora 16 (Dominick Grift)
  8. Re: httpd_sys_content_rw_t (Dominick Grift)


----------------------------------------------------------------------

Message: 1
Date: Sat, 24 Sep 2011 16:06:31 +0200
From: Antonio Trande <anto.trande@xxxxxxxxx>
Subject: execmod access to '/opt/google/chrome/chrome' file
To: selinux@xxxxxxxxxxxxxxxxxxxxxxx
Message-ID:
       <CAATtwDXHkAbZAGgLkU7j7OY7HeLvx+5EnrniTEfOF2Q=eJ5qwA@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

This problem has appeared with the chrome executable:

SELinux is preventing /opt/google/chrome/chrome from execmod access on the file
/opt/google/chrome/chrome.

setroubleshoot suggests changing the label on
'/opt/google/chrome/chrome' to the textrel_shlib_t type or allowing
chrome to have execmod access on the chrome file.
But it does not always happen (never to me).

Could you give more info about this behavior?

Thanks.



--
Antonio Trande
"Fedora Ambassador"

mail: mailto:sagitter@xxxxxxxxxxxxxxxxx
Homepage: http://www.fedora-os.org
Sip Address: sip:sagitter AT ekiga.net
Jabber: sagitter AT jabber.org
GPG Key: CFE3479C

------------------------------

Message: 2
Date: Sat, 24 Sep 2011 16:23:29 +0200
From: Dominick Grift <dominick.grift@xxxxxxxxx>
Subject: Re: execmod access to '/opt/google/chrome/chrome' file
To: selinux@xxxxxxxxxxxxxxxxxxxxxxx
Message-ID: <1316874209.9488.13.camel@x220.mydomain.internal>
Content-Type: text/plain; charset="utf-8"

On Sat, 2011-09-24 at 16:06 +0200, Antonio Trande wrote:
> This problem has appeared with the chrome executable:
>
> SELinux is preventing /opt/google/chrome/chrome from execmod access on the file
> /opt/google/chrome/chrome.
>
> setroubleshoot suggests changing the label on '/opt/google/chrome/chrome' to the textrel_shlib_t type or allowing chrome to have execmod access on the chrome file.
> But it does not always happen (never to me).
>
>
> Could you give more info about this behavior?

I can tell you that this is bad behaviour by chrome. I can tell you that
this issue is known but that this issue is obviously not fixed yet.

SElinux protects the system from chrome currently. SElinux is blocking
chrome trying to do bad things.

One could argue that SElinux should not try and protect users by default
(unconfined users) but that is currently not the case.

There is, I believe, a way to stop selinux trying to protect you from
chrome's evil ways.

You can try and "chcon -t bin_t /opt/google/chrome/chrome-sandbox" or
"chcon -t bin_t /usr/lib/chromium-browser/chrome-sandbox" respectively,
depending on where it is located.

Additionally one may be required to toggle the allow_execmem and
allow_execmod booleans to true.

Doing this will leave your system wide open to browser and browser
plugin attacks.

To undo this, simply
restorecon /opt/google/chrome/chrome-sandbox /usr/lib/chromium-browser/chrome-sandbox
and toggle the allow_execmem and allow_execmod booleans to their
previous state.

You can also use the mozilla browser; unlike chrome, this browser does
not try to hijack your system (at least not yet).

> Thanks.
>
>
> --
> Antonio Trande
> "Fedora Ambassador"
>
> mail: mailto:sagitter@xxxxxxxxxxxxxxxxx
> Homepage: http://www.fedora-os.org
> Sip Address : sip:sagitter AT ekiga.net
> Jabber :sagitter AT jabber.org
> GPG Key: CFE3479C
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

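The relabel-and-toggle workaround and its undo described in the reply above, as an added example that is not code from the thread or from any project: it records the sandbox label and the two booleans before a change, rates how exposed the resulting state is, and prints the exact commands that restore what was recorded. The parsing functions take command output as strings so they run offline; audit_live() is the hypothetical entry point that feeds them real `ls -Z` and `getsebool -a` output on an SELinux host. The sandbox path comes from the thread; the sample output is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: snapshot, rate and undo the
# SELinux state that the chcon/setsebool workaround changes.
SANDBOX=/opt/google/chrome/chrome-sandbox   # path quoted in the thread

# Type component of the file context in one `ls -Z` line. Works for both
# the long form quoted above and the newer "context path" form: the context
# is the first field with at least three ":"-separated parts.
label_type() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++)
        if (split($i, c, ":") >= 3) { print c[3]; exit } }'
}

# Value ("on"/"off") of one boolean in `getsebool -a` output; empty if absent.
bool_value() {
    printf '%s\n' "$2" | awk -v b="$1" '$1 == b && $2 == "-->" { print $3 }'
}

# "type execmem execmod" built from ls -Z output ($1) and getsebool output ($2).
snapshot() {
    printf '%s %s %s\n' "$(label_type "$1")" \
        "$(bool_value allow_execmem "$2")" "$(bool_value allow_execmod "$2")"
}

# open: sandbox relabelled away from chrome_sandbox_exec_t and both booleans
# on (the state the reply calls wide open); confined: none of that; else partial.
exposure() {
    n=0
    [ "$1" = chrome_sandbox_exec_t ] || n=$((n + 1))
    [ "$2" = on ] && n=$((n + 1))
    [ "$3" = on ] && n=$((n + 1))
    case $n in 0) echo confined ;; 3) echo open ;; *) echo partial ;; esac
}

# Commands that put a recorded snapshot back: restorecon is a no-op when the
# label already matches policy, and each boolean returns to its recorded value.
undo_commands() {
    echo "restorecon -v $SANDBOX"
    echo "setsebool -P allow_execmem $2"
    echo "setsebool -P allow_execmod $3"
}

# Hypothetical entry point for a real SELinux host (not called here).
audit_live() {
    s=$(snapshot "$(ls -Z "$SANDBOX")" "$(getsebool -a)")
    echo "snapshot: $s"; echo "exposure: $(exposure $s)"; undo_commands $s
}

# Constructed sample, shaped like the output quoted at the top of the page.
SAMPLE_LS='-rwsr-xr-x. root root system_u:object_r:chrome_sandbox_exec_t:s0 /opt/google/chrome/chrome-sandbox'
SAMPLE_BOOLS='allow_execmem --> on
allow_execmod --> off'
```

Run `audit_live` before applying the workaround and keep its output; the printed setsebool/restorecon lines are the undo step the reply describes, with the booleans' previous values filled in.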

------------------------------

Message: 3
Date: Sat, 24 Sep 2011 15:32:36 +0100
From: Trevor Hemsley <trevor.hemsley@xxxxxxxxxxxx>
Subject: Re: execmod access to '/opt/google/chrome/chrome' file
Cc: selinux@xxxxxxxxxxxxxxxxxxxxxxx
Message-ID: <4E7DEA04.3050806@xxxxxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Dominick Grift wrote:
> On Sat, 2011-09-24 at 16:06 +0200, Antonio Trande wrote:
>
>> This problem has appeared with the chrome executable:
>>
>> SELinux is preventing /opt/google/chrome/chrome from execmod access on the file
>> /opt/google/chrome/chrome.
>>
>> setroubleshoot suggests changing the label on '/opt/google/chrome/chrome' to the textrel_shlib_t type or allowing chrome to have execmod access on the chrome file.
>> But it does not always happen (never to me).
>>
>>
>> Could you give more info about this behavior?
>>
>
> I can tell you that this is bad behaviour by chrome. I can tell you that
> this issue is known but that this issue is obviously not fixed yet.
>
http://code.google.com/p/chromium/issues/detail?id=87704 is the bug
report about it for Chrome.

