Fedora
SELinux is preventing Google Chrome from running
I can no longer start Google Chrome on Fedora 14 (using GNOME).
Trace
strace google-chrome
...
readlink("/proc/self/exe", "/opt/google/chrome/chrome"..., 4096) = 25
socketpair(PF_FILE, SOCK_SEQPACKET, 0, [11, 12]) = 0
stat64("/opt/google/chrome/chrome-sandbox", {st_mode=S_IFREG|S_ISUID|0755, st_size=14008, ...}) = 0
access("/opt/google/chrome/chrome-sandbox", X_OK) = 0
socket(PF_FILE, SOCK_DGRAM, 0) = 13
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb452fae8) = 21093
recvmsg(11, 0xbfc79ac8, 0) = ? ERESTARTSYS (To be restarted)
--- {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=21093, si_status=0, si_utime=0, si_stime=0} (Child exited) ---
sigreturn() = ? (mask now [])
recvmsg(11, /opt/google/chrome/chrome: error while loading shared libraries: cannot restore segment prot after reloc: Permission denied
Log
fgrep -i chrome /var/log/messages
Sep 17 20:37:08 a kernel: [ 2084.648737] type=1400 audit(1316284628.960:21895): avc: denied { execmod } for pid=20664 comm="chrome" path="/opt/google/chrome/chrome" dev=dm-1 ino=3147775 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file
Sep 17 20:46:25 a kernel: [ 2641.204736] type=1400 audit(1316285185.516:21896): avc: denied { execmod } for pid=21057 comm="chrome" path="/opt/google/chrome/chrome" dev=dm-1 ino=3147775 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file
Sep 17 20:46:33 a kernel: [ 2649.438209] type=1400 audit(1316285193.749:21897): avc: denied { execmod } for pid=21069 comm="chrome" path="/opt/google/chrome/chrome" dev=dm-1 ino=3147775 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file
Sep 17 20:46:39 a kernel: [ 2655.533882] type=1400 audit(1316285199.845:21898): avc: denied { execmod } for pid=21094 comm="chrome" path="/opt/google/chrome/chrome" dev=dm-1 ino=3147775 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file
System information
# lsb_release -a
LSB Version: :core-4.0-ia32:core-4.0-noarch
Distributor ID: Fedora
Description: Fedora release 14 (Laughlin)
Release: 14
Codename: Laughlin
# uname -a
Linux a 2.6.35.14-96.fc14.i686.PAE #1 SMP Thu Sep 1 12:31:46 UTC 2011 i686 i686 i386 GNU/Linux
Package information
rpm -qa | fgrep google-chrome-stable
google-chrome-stable-14.0.835.163-101024.i386
I suspect this problem is caused by SELinux. How can I make SELinux allow Google Chrome to start normally?
# solution /use it as root/:
semanage fcontext -a -s system_u -t usr_t /opt/google/chrome/chrome-sandbox
restorecon -v /opt/google/chrome/chrome-sandbox
An automatic relabel may help. You need to do the following:
As the user:
$ restorecon -R -v -F ~
And as root:
# touch /.autorelabel
Then reboot.
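
For triage, the AVC denial records in the question's log can be parsed into fields and grouped by source type, target type, object class and permission. This is an added example, not part of the original posts; the function names are made up for illustration, and the sample holds two records copied from the log above plus one constructed non-AVC line.

```python
import re
from collections import Counter

# Two records copied from the question's log, plus one constructed non-AVC line.
SAMPLE = """\
Sep 17 20:37:08 a kernel: [ 2084.648737] type=1400 audit(1316284628.960:21895): avc: denied { execmod } for pid=20664 comm="chrome" path="/opt/google/chrome/chrome" dev=dm-1 ino=3147775 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file
Sep 17 20:46:25 a kernel: [ 2641.204736] type=1400 audit(1316285185.516:21896): avc: denied { execmod } for pid=21057 comm="chrome" path="/opt/google/chrome/chrome" dev=dm-1 ino=3147775 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file
Sep 17 20:46:26 a example-daemon: constructed line mentioning chrome, not an AVC record
"""

AVC_RE = re.compile(
    r"audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally quoted

def split_context(ctx):
    """Split user:role:type[:level]; an MLS level may itself contain ':'."""
    user, role, typ, level = (ctx.split(":", 3) + [None])[:4]
    return {"user": user, "role": role, "type": typ, "level": level}

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return {
        "epoch": float(m.group("epoch")),
        "serial": int(m.group("serial")),
        "perms": m.group("perms").split(),
        "pid": int(fields["pid"]) if "pid" in fields else None,
        "comm": fields.get("comm"),
        "path": fields.get("path"),
        "source": split_context(fields["scontext"]),
        "target": split_context(fields["tcontext"]),
        "tclass": fields["tclass"],
    }

def summarize(text):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, text.splitlines())):
        for perm in rec["perms"]:
            counts[(rec["source"]["type"], rec["target"]["type"], rec["tclass"], perm)] += 1
    return counts
```

Calling `summarize()` on the output of the `fgrep` above shows at a glance that every denial is the same one: the `chrome_sandbox_t` domain refused `execmod` on a file labelled `execmem_exec_t`.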