Google Chrome

[scalerman]

I have been without Google Chrome for a few days now since an update. Got another update but it didn't solve the problem and I miss my Google Chrome! Anyway SELinux is blocking it and I can't figure out what I need to do to make it work. Sorry but I need a very, hold my hand and step me through it. Here is the SELinux alert. Thanks in advance for the help.
SELinux is preventing /opt/google/chrome/chrome from execmod access on the file /opt/google/chrome/chrome.

***** Plugin allow_execmod (91.4 confidence) suggests **********************

If you want to allow chrome to have execmod access on the chrome file
Then you need to change the label on '/opt/google/chrome/chrome'
Do
# semanage fcontext -a -t textrel_shlib_t '/opt/google/chrome/chrome'
# restorecon -v '/opt/google/chrome/chrome'

***** Plugin catchall (9.59 confidence) suggests ***************************

If you believe that chrome should be allowed execmod access on the chrome file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep chrome /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
0.c1023
Target Context system_u:object_r:execmem_exec_t:s0
Target Objects /opt/google/chrome/chrome [ file ]
Source chrome
Source Path /opt/google/chrome/chrome
Port <Unknown>
Host localhost.localdomain
Source RPM Packages google-chrome-stable-14.0.835.186-101821
Target RPM Packages google-chrome-stable-14.0.835.186-101821
Policy RPM selinux-policy-3.9.7-44.fc14
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.35.14-96.fc14.i686
#1 SMP Thu Sep 1 12:49:38 UTC 2011 i686 i686
Alert Count 2
First Seen Thu 22 Sep 2011 10:48:43 AM PDT
Last Seen Thu 22 Sep 2011 01:20:27 PM PDT
Local ID af7cea1a-8065-4d23-bb98-816dac7e3c31

Raw Audit Messages
type=AVC msg=audit(1316722827.997:23562): avc: denied { execmod } for pid=3941 comm="chrome" path="/opt/google/chrome/chrome" dev=dm-0 ino=1456521 scontext=unconfined_u:unconfined_r:chrome_sandbox_ t:s0-s0:c0.c1023 tcontext=system_u:object_r:execmem_exec_t:s0 tclass=file


type=SYSCALL msg=audit(1316722827.997:23562): arch=i386 syscall=mprotect success=no exit=EACCES a0=b463b000 a1=31fd000 a2=5 a3=bfbccad0 items=0 ppid=0 pid=3941 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Hash: chrome,chrome_sandbox_t,execmem_exec_t,file,execmo d

audit2allow

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t execmem_exec_t:file execmod;

audit2allow -R

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t execmem_exec_t:file execmod;

[phalik]

I'm having the same issue myself

[SomeDamFool]

Code:

# grep chrome /var/log/audit/audit.log | audit2allow -M mypol

Then:

Code:

# semodule -i mypol.pp

Got Chrome working on my laptop, but not my desktop. You can launch it without the sandbox (which is the problem) by making a shortcut or menu entry with the command: /opt/google/chrome/google-chrome --no-sandbox

[scalerman]

Sorry but I need a very, hold my hand and step me through it. Thanks Somedamfool but I will need more info than that. Easy for you Linux people but I struggle with it. Do I go to root and just cut and paste your code? Or do I need to be in a particular folder or text editer? Thanks again.

[GoinEasy9]

There are 2 Bugzilla's I know of working on this problem. I've solved it on most of my installs by following the hints in the AVC error details, but, I'm still having the problem on one laptop.

https://bugzilla.redhat.com/show_bug.cgi?id=730179
https://bugzilla.redhat.com/show_bug.cgi?id=735786

[scalerman]

Thanks Goineasy9. I will wait for the fix rather than a workaround. Just checking to see if I was the only one having a problem. We can probably close this thread. I find Chrome much faster that Firefox. I will leave it to the qualified people. And you are appreciated!

[JamesNZ]

Quote:

Originally Posted by scalerman

Sorry but I need a very, hold my hand and step me through it. Thanks Somedamfool but I will need more info than that. Easy for you Linux people but I struggle with it. Do I go to root and just cut and paste your code? Or do I need to be in a particular folder or text editer? Thanks again.

I'll post this anyway in case someone else comes across it who needs help

The instructions given are preceeded by the # symbol, which means that you need to be root to execute them (normal user symbol is '$'). Open a terminal, type in

Code:

su -
<root password>

Your user symbol should now be a # (which means you are root). Now run the commands SomeDamFool gave you (which is also in the SELinux message).

Code:

# grep chrome /var/log/audit/audit.log | audit2allow -M mypol     <Enter/Return key>
# semodule -i mypol.pp                                            <Enter/Return key>

Looking at the SELinux alert I noticed that there are two alerts, so if above one doesn't work then do the other one as well. Note that for every SELinux alert there should be a workaround included in the message details.

These ones also have the # symbol so they must be done as root too.

Code:

# semanage fcontext -a -t textrel_shlib_t '/opt/google/chrome/chrome     <Enter/Return key>
# restorecon -v '/opt/google/chrome/chrome                               <Enter/Return key>

[scalerman]

Thank you. It is working again. I needed both parts to get it going. One thing some of us newbies need is the "enter" at the end of the line so we know to to it. Other thing I find is that the $ or # sign at the beginning (for this dumbkoff, I paste it all in) means a lot to you very helpful people but confuses things for me! My learning curve. See if I can remember it! Thanks James for the "hold my hand and get me through it" and the other posters. Will I have to do it again after a reboot? I find Chrome much faster than Firefox, plus it has all my bookmarks! I now have them in an html file! Really appreciate the help. So much better than the, "try to find the right department MS"!

[JamesNZ]

Quote:

Originally Posted by scalerman

Will I have to do it again after a reboot?

Don't think so, the changes would have to be reversed for that to happen.

[ventsyv]

Quote:

Originally Posted by JamesNZ

I'll post this anyway in case someone else comes across it who needs help

The instructions given are preceeded by the # symbol, which means that you need to be root to execute them (normal user symbol is '$'). Open a terminal, type in

Code:

su -
<root password>

Your user symbol should now be a # (which means you are root). Now run the commands SomeDamFool gave you (which is also in the SELinux message).

Code:

# grep chrome /var/log/audit/audit.log | audit2allow -M mypol     <Enter/Return key>
# semodule -i mypol.pp                                            <Enter/Return key>

Looking at the SELinux alert I noticed that there are two alerts, so if above one doesn't work then do the other one as well. Note that for every SELinux alert there should be a workaround included in the message details.

These ones also have the # symbol so they must be done as root too.

Code:

# semanage fcontext -a -t textrel_shlib_t '/opt/google/chrome/chrome     <Enter/Return key>
# restorecon -v '/opt/google/chrome/chrome                               <Enter/Return key>

Running semodule makes my console hang? Any suggestions? Fedora 15 here (no updates)

[Jeff72]

The selinux helper tells you how to force selinux to allow Google Chrome to run.

At command prompt, switch to the root user and then run the following:

Code:

semanage fcontext -a -t textrel_shlib_t '/opt/google/chrome/chrome'
restorecon -v '/opt/google/chrome/chrome'
grep chrome-sandbox /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp

I did the above and Google Chrome runs now for me.

---------- Post added at 12:08 AM ---------- Previous post was at 12:05 AM ----------

Quote:

Originally Posted by ventsyv

Running semodule makes my console hang? Any suggestions? Fedora 15 here (no updates)

I would suggest updating your Fedora 15 system.

Also, the semodule command takes awhile to run. Give it time to finish. Should be less than 5 minutes.

[pottzie]

I'm running FC#14 and just ran "yum update." Chrome was part of the update, now SELinux won't let Chrome run.
I tried copying the code from jeff72, and got hosed when I entered the third line:

Code:

[root@kickass larry]# grep chrome-sandbox /var/log/audit/audit.log | audit2allow -M mypol
compilation failed:
mypol.te:6:ERROR 'syntax error' at token '' on line 6:


/usr/bin/checkmodule:  error(s) encountered while parsing configuration
/usr/bin/checkmodule:  loading policy configuration from mypol.te
[root@kickass larry]# semodule -i mypol.pp
semodule:  Failed on mypol.pp!

[JamesNZ]

What were the commands given in the SELinux prompt? It may differ slightly from the commands given by Jeff72.

[pottzie]

Here's my output. http://pastebin.com/EKs3Gd6s

[leidonanam]

When using Google Chrome in Fedora 15 , i got some problem , can't access Twitter , Google Docs and I find out a solution for that . Hope it will help you
With x86 :
There is a bug in SELinux in Fedora 15 that will prevent some Chrome extensions, like LastPass and XMarks, from working correctly. To fix this, run the following commands.
For Chrome
cd ~/.config
sudo chcon -Rv unconfined_u:object_r:config_home_t:s0 google-chrome
For Chromium
cd ~/.config
sudo chcon -Rv unconfined_u:object_r:config_home_t:s0 chromium

With x64 :
Adobe is apparently working on a 64 bit version of the Flash plugin, but the beta that is currently available doesn't work very well. And while the 32 bit version of Chrome comes with Flash included, the 64 bit version does not.
The easiest way to get a stable version of Flash running in Chrome is to copy the /usr/lib64/mozilla/plugins-wrapped/nswrapper_32_64.libflashplayer.so to /opt/google/chrome/plugins/. For Chromium users, the plugin directory is /usr/lib64/chromium-browser/plugins/.
If you don't have the nswrapper_32_64.libflashplayer.so file, you can download it from here.
You can see in the screenshot below that my 64 bit version of Chrome is happily running Flash 10.2.

Hope will help you