Re: selinux Digest, Vol 91, Issue 15

Antonio Trande <anto.trande@xxxxxxxxx> · Sun, 25 Sep 2011 17:44:50 +0200

With my Fedora 15 64bit this problem doesn't never appear; with other Fedora system seems present.

$ ls -Z /opt/google/chrome/chrome
-rwxr-xr-x. root root system_u:object_r:execmem_exec_t:s0 /opt/google/chrome/chrome
$ ls -Z /opt/google/chrome/chrome-sandbox
-rwsr-xr-x. root root system_u:object_r:chrome_sandbox_exec_t:s0 /opt/google/chrome/chrome-sandbox

$ getsebool -a | grep chrome
$ getsebool -a | grep exe
allow_execheap --> off
allow_execmem --> on
allow_execmod --> off
allow_execstack --> off
allow_guest_exec_content --> off
allow_java_execstack --> off

allow_mplayer_execstack --> off
allow_nsplugin_execmem --> on
allow_staff_exec_content --> on
allow_sysadm_exec_content --> on
allow_user_exec_content --> on
allow_xguest_exec_content --> on

allow_xserver_execmem --> off
dhcpc_exec_iptables --> off
httpd_execmem --> off
httpd_ssi_exec --> off
httpd_tmp_exec --> off
xdm_exec_bootloader --> off

If i change execmem boolean to off, selinux reports an AVC message (in attachment).

I do not understand ...

2011/9/25  <selinux-request@xxxxxxxxxxxxxxxxxxxxxxx>

Send selinux mailing list submissions to

        selinux@xxxxxxxxxxxxxxxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit

        https://admin.fedoraproject.org/mailman/listinfo/selinux

or, via email, send a message with subject or body 'help' to

        selinux-request@xxxxxxxxxxxxxxxxxxxxxxx

You can reach the person managing the list at

        selinux-owner@xxxxxxxxxxxxxxxxxxxxxxx

When replying, please edit your Subject line so it is more specific

than "Re: Contents of selinux digest..."

Today's Topics:

   1. execmod access to '/opt/google/chrome/chrome' file

      (Antonio Trande)

   2. Re: execmod access to '/opt/google/chrome/chrome' file

      (Dominick Grift)

   3. Re: execmod access to '/opt/google/chrome/chrome' file

      (Trevor Hemsley)

   4. httpd_sys_content_rw_t (Vadym Chepkov)

   5. Re: httpd_sys_content_rw_t (Vadym Chepkov)

   6. Re: List of avc for fedora 16 (David Highley)

   7. Re: List of avc for fedora 16 (Dominick Grift)

   8. Re: httpd_sys_content_rw_t (Dominick Grift)

----------------------------------------------------------------------

Message: 1

Date: Sat, 24 Sep 2011 16:06:31 +0200

From: Antonio Trande <anto.trande@xxxxxxxxx>

Subject: execmod access to '/opt/google/chrome/chrome' file

To: selinux@xxxxxxxxxxxxxxxxxxxxxxx

Message-ID:

        <CAATtwDXHkAbZAGgLkU7j7OY7HeLvx+5EnrniTEfOF2Q=eJ5qwA@xxxxxxxxxxxxxx>

Content-Type: text/plain; charset="iso-8859-1"

This problem is appeared with chrome executable:

SELinux is preventing /opt/google/chrome/chrome from execmod access on the file

/opt/google/chrome/chrome.

setroubleshoot suggests to change the label on

'/opt/google/chrome/chrome' how textrel_shlib_t type or to allow

chrome to have execmod access on the chrome file.

But does not happen always (never to me).

Could you give more infos about this behavior ?

Thanks.

--

*Antonio Trande

"Fedora Ambassador"

**mail*: mailto:sagitter@xxxxxxxxxxxxxxxxx <sagitter@xxxxxxxxxxxxxxxxx>

*Homepage*: http://www.fedora-os.org

*Sip Address* : sip:sagitter AT ekiga.net

*Jabber <http://jabber.org/>* :sagitter AT jabber.org

*GPG Key: CFE3479C*

-------------- next part --------------

An HTML attachment was scrubbed...

URL: http://lists.fedoraproject.org/pipermail/selinux/attachments/20110924/de723eec/attachment-0001.html

------------------------------

Message: 2

Date: Sat, 24 Sep 2011 16:23:29 +0200

From: Dominick Grift <dominick.grift@xxxxxxxxx>

Subject: Re: execmod access to '/opt/google/chrome/chrome' file

To: selinux@xxxxxxxxxxxxxxxxxxxxxxx

Message-ID: <1316874209.9488.13.camel@x220.mydomain.internal>

Content-Type: text/plain; charset="utf-8"

On Sat, 2011-09-24 at 16:06 +0200, Antonio Trande wrote:

> This problem is appeared with chrome executable:

>

> SELinux is preventing /opt/google/chrome/chrome from execmod access on the file

> /opt/google/chrome/chrome.

>

> setroubleshoot suggests to change the label on '/opt/google/chrome/chrome' how textrel_shlib_t type or to allow chrome to have execmod access on the chrome file.

> But does not happen always (never to me).

>

>

> Could you give more infos about this behavior ?

I can tell you that this is bad behaviour by chrome. I can tell you that

this issue is known but that this issue is obviously not fixed yet.

SElinux protects the system from chrome currently. SElinux is blocking

chrome trying to do bad things.

One could argue that SElinux should not try and protect users by default

(unconfined users) butthat is currently not the case.

there is , i believe, a way to stop selinux trying to protect you from

chromes evil ways.

youu can try and "chcon -t bin_t /opt/google/chrome/chrome-sandbox" or

"chcon -t bin_t /usr/lib/chromium-browser/chrome-sandbox" respectively

depending on where it is located.

Additionally one may be required to toggle the allow_execmem and

allow_execmod booleans to true.

Doing this will leave your system wide open to browser and browser

plugin attacks.

To undo this simply

restorecon /opt/google/chrome/chrome-sandbox /usr/lib/chromium-browser/chrome-sandbox

and toggle the allow_execmem and allow_execmod booleans to their

previous state.

You can also use the mozilla browser, unlike chrome this browser does

not try to hijack your system (at least not yet)

> Thanks.

>

>

> --

> Antonio Trande

> "Fedora Ambassador"

>

> mail: mailto:sagitter@xxxxxxxxxxxxxxxxx

> Homepage: http://www.fedora-os.org

> Sip Address : sip:sagitter AT ekiga.net

> Jabber :sagitter AT jabber.org

> GPG Key: CFE3479C

>

> --

> selinux mailing list

> selinux@xxxxxxxxxxxxxxxxxxxxxxx

> https://admin.fedoraproject.org/mailman/listinfo/selinux

-------------- next part --------------

A non-text attachment was scrubbed...

Name: not available

Type: application/pgp-signature

Size: 836 bytes

Desc: This is a digitally signed message part

Url : http://lists.fedoraproject.org/pipermail/selinux/attachments/20110924/5feb3108/attachment-0001.bin

------------------------------

Message: 3

Date: Sat, 24 Sep 2011 15:32:36 +0100

From: Trevor Hemsley <trevor.hemsley@xxxxxxxxxxxx>

Subject: Re: execmod access to '/opt/google/chrome/chrome' file

Cc: selinux@xxxxxxxxxxxxxxxxxxxxxxx

Message-ID: <4E7DEA04.3050806@xxxxxxxxxxxx>

Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Dominick Grift wrote:

> On Sat, 2011-09-24 at 16:06 +0200, Antonio Trande wrote:

>

>> This problem is appeared with chrome executable:

>>

>> SELinux is preventing /opt/google/chrome/chrome from execmod access on the file

>> /opt/google/chrome/chrome.

>>

>> setroubleshoot suggests to change the label on '/opt/google/chrome/chrome' how textrel_shlib_t type or to allow chrome to have execmod access on the chrome file.

>> But does not happen always (never to me).

>>

>>

>> Could you give more infos about this behavior ?

>>

>

> I can tell you that this is bad behaviour by chrome. I can tell you that

> this issue is known but that this issue is obviously not fixed yet.

>

http://code.google.com/p/chromium/issues/detail?id=87704 is the bug

report about it for Chrome.

Attachment:
firefox-selinux

Description: Binary data
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux