Old 05-09-2012, 03:06 AM   #1
jayantjpr
LQ Newbie
 
Registered: Aug 2011
Location: India
Distribution: RHEL 6.0
Posts: 4

Rep: Reputation: Disabled
Problem with SELinux Policies of Google-chrome in RHEL 6


Hi,

I recently installed Google-chrome on my machine running RHEL 6. Though it worked fine when run as a normal user, there were problems when running it logged in as root user. It told me to specify an alternate --user-data-dir for storage of profile information {i.e. Specifies the directory that user data (your "profile") is kept in }


Even after giving the user data directory, it didn't run until I changed SELinux to permissive mode (it ran perfectly in permissive mode). I saw the access logs in /var/log/audit/audit.log and made a new policy module using audit2allow.

The .te file had the following content :-
-------------
module chromeModule 2.0;

require {
type admin_home_t;
type kernel_t;
type chrome_sandbox_t;
type usr_t;
class capability sys_nice;
class process setsched;
class file { read write execute execute_no_trans };
}

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t admin_home_t:file read;
allow chrome_sandbox_t kernel_t:file write;
allow chrome_sandbox_t self:capability sys_nice;
allow chrome_sandbox_t self: process setsched;
allow chrome_sandbox_t usr_t:file { execute execute_no_trans };

--------------


Even after loading these policies into the kernel, chrome is not running in Enforcing mode.
A review of /var/log/audit/audit.log (in enforcing mode only) after loading the above policy module shows the following logs being formed :-
-------------
type=ANOM_ABEND msg=audit(1336545653.184:241): auid=0 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 pid=8948 comm="chrome" sig=6
type=ANOM_ABEND msg=audit(1336545653.185:242): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:kernel_t:s0 pid=8951 comm="abrt-hook-ccpp" sig=11

---------------
(there were no AVC logs formed)

No logs are being formed in the permissive mode after loading the policy module.


I would be highly grateful if someone could please help me figure out how to run chrome as root. I have no knowledge of logs of the above type.

Thanks in advance.

Regards,
Jayant

Last edited by jayantjpr; 05-09-2012 at 03:11 AM.
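
The two ANOM_ABEND records quoted in this post can be decoded field by field. The following is an added example, not part of the original thread: a small Python parser (function and variable names are this example's own) that turns each record into a readable timestamp, signal name, login UID and SELinux context, and assumes MLS/MCS-style contexts as shown in the post.

```python
import re
import signal
from datetime import datetime, timezone

# The two records from the post above, copied verbatim.
SAMPLE = '''type=ANOM_ABEND msg=audit(1336545653.184:241): auid=0 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 pid=8948 comm="chrome" sig=6
type=ANOM_ABEND msg=audit(1336545653.185:242): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:kernel_t:s0 pid=8951 comm="abrt-hook-ccpp" sig=11'''

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
UNSET_ID = 4294967295  # 2**32 - 1, the kernel's "not set" value for auid and ses


def parse_record(line):
    """Decode one audit record into a dict of human-readable fields."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rtype, secs, millis, serial, body = m.groups()
    when = datetime.fromtimestamp(int(secs), timezone.utc)
    fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
    auid = int(fields.get("auid", UNSET_ID))
    rec = {
        "type": rtype,
        "serial": int(serial),  # records sharing a serial belong to one event
        "time": when.replace(microsecond=int(millis) * 1000),
        "comm": fields.get("comm"),
        # An unset auid means the process has no login session behind it.
        "auid": None if auid == UNSET_ID else auid,
    }
    if "sig" in fields:
        rec["signal"] = signal.Signals(int(fields["sig"])).name
    if "subj" in fields:
        # The MLS level can contain ':' (s0-s0:c0.c1023), so split at most 3 times.
        user, role, domain, level = fields["subj"].split(":", 3)
        rec["subj"] = {"user": user, "role": role, "type": domain, "level": level}
    return rec


def parse_log(text):
    """Parse every non-empty line of an audit log excerpt."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for r in parse_log(SAMPLE):
        print(r["time"].isoformat(), r["comm"], r["signal"], r["subj"]["type"], r["auid"])
```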
 
Old 05-09-2012, 05:14 AM   #2
tshikose
Member
 
Registered: Apr 2010
Location: Kinshasa, Democratic Republic of Congo
Distribution: RHEL, Fedora, CentOS
Posts: 134

Rep: Reputation: 30
Hi Jayant,

It is worth reminding you that it is clearly discouraged nowadays to graphically log in as root. And so, many of the common actions one might think of will not work as expected with root in X.

To me, the complaints of SELinux were at first because Google-Chrome is not allowed access to the root user's folder (generally /root).
You applied the suggested (not recommended) advice, and went with the audit2allow actions.
You should be warned that audit2allow does not propose the "best" solutions for your systems or to solve your problems.
You should consider those suggestions really only as suggestions, and from them reassess your needs to really address your problems and keep your systems safe.

To me it clearly seems that what you allowed after the audit2allow suggestions is not enough. And it fails without more complaints.
So you might try to disable the don't audit feature of SELinux
Code:
semanage dontaudit off
and it might shout additional complaints in the usual log files.
Hopefully from those additional complaints you should figure out what more is required.

Regards,
 
1 members found this post helpful.
Old 05-09-2012, 05:32 AM   #3
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776
Quote:
type=ANOM_ABEND msg=audit(1336545653.184:241): auid=0 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 pid=8948 comm="chrome" sig=6
type=ANOM_ABEND msg=audit(1336545653.185:242): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:kernel_t:s0 pid=8951 comm="abrt-hook-ccpp" sig=11
Attempting to run chrome in this manner caused a segmentation fault (Signal 11) and aborted the application (Signal 6).
Now, please STOP and think about what this means. In x86 (and AMD) Linux, memory is divided into regions of privilege and if an application attempts to access invalid memory, or memory that it does not own as declared by the descriptors, it will throw a segmentation fault. This is an attempt to prevent an application from doing something invalid or inappropriate at the lowest levels.

Now, let's look at the rules you have chosen to allow in your SELinux policy:
Code:
allow chrome_sandbox_t admin_home_t:file read;
# 1) allow a sandbox constrained application to read root's home directory
allow chrome_sandbox_t kernel_t:file write;
# 2) allow a sandbox constrained application to write to the kernel
allow chrome_sandbox_t self:capability sys_nice;
# 3) allow a sandbox constrained application access to the system-nice function (priority setting)
allow chrome_sandbox_t self: process setsched;
# 4) allow a sandbox constrained application access to access the scheduler
allow chrome_sandbox_t usr_t:file { execute execute_no_trans };
# 5) allow a sandbox constrained application to execute user files.
Is there any particular reason why a web browser, which is deliberately downloading and executing code from unknown and untrusted locations, should be constrained in its resource access and, more importantly, why would you want to bypass these safety mechanisms? There is a reason why this is explicitly prevented both by SELinux and by the system safety mechanisms.

Why are you attempting to run your web browser as root? In fact, you should NOT be logging in and running as root. You should login as a normal user and either switch to root or use SUDO for when you explicitly need to perform a root level operation.

I advise you to seriously rethink what you are attempting to do!
 
1 members found this post helpful.
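
Before loading a module generated by audit2allow, its rules can be expanded and checked one permission at a time, in the spirit of the rule-by-rule reading in this post. The following is an added example, not part of the original thread and not an SELinux tool: the parser and the `WATCHLIST` entries are assumptions made for illustration, applied to the rules from the thread's .te file.

```python
import re

# Rules copied from the thread's .te file (including the space in "self: process").
TE_RULES = '''
#============= chrome_sandbox_t ==============
allow chrome_sandbox_t admin_home_t:file read;
allow chrome_sandbox_t kernel_t:file write;
allow chrome_sandbox_t self:capability sys_nice;
allow chrome_sandbox_t self: process setsched;
allow chrome_sandbox_t usr_t:file { execute execute_no_trans };
'''

ALLOW = re.compile(r'^\s*allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\{[^}]*\}|\w+)\s*;')

# Hypothetical review watchlist (an assumption of this example):
# (target type or None for any, class, permission or None for any, reason).
WATCHLIST = [
    ("kernel_t", "file", "write", "writes to files labelled kernel_t"),
    ("admin_home_t", "file", "read", "reads files in root's home directory"),
    (None, "file", "execute_no_trans", "executes files without a domain transition"),
    (None, "capability", None, "grants a Linux capability to the domain"),
]


def expand(policy_text):
    """Yield (source, target, class, perm) for every permission of every allow rule."""
    for line in policy_text.splitlines():
        m = ALLOW.match(line)
        if not m:
            continue  # comments, require blocks, blank lines
        src, tgt, cls, perms = m.groups()
        tgt = src if tgt == "self" else tgt  # "self" means the source domain
        for perm in perms.strip("{} ").split():
            yield src, tgt, cls, perm


def review(policy_text):
    """Return (rule, reason) for each expanded rule that matches the watchlist."""
    findings = []
    for rule in expand(policy_text):
        _, tgt, cls, perm = rule
        for w_tgt, w_cls, w_perm, reason in WATCHLIST:
            if w_tgt in (None, tgt) and w_cls == cls and w_perm in (None, perm):
                findings.append((rule, reason))
    return findings


if __name__ == "__main__":
    for rule, reason in review(TE_RULES):
        print("REVIEW %s -> %s" % (" ".join(rule), reason))
```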
Old 05-09-2012, 08:19 AM   #4
jayantjpr
LQ Newbie
 
Registered: Aug 2011
Location: India
Distribution: RHEL 6.0
Posts: 4

Original Poster
Rep: Reputation: Disabled
Thanks Tshimanga and Noway2 for your prudent advice.

@Noway2:
I thank you for helping me understand those logs and also for explaining the code in a better way. Also for warning me about the disastrous consequences.

@Tshimanga:
Your suggestion of disabling the don't audit feature of SELinux worked like a piece of cake, and I was able to run chrome as root user in enforcing mode (adding new policies derived from the newly made logs).

I am very well aware of the security risks involved in logging in as a root user and also of giving the browser those privileges.
The reason I wanted to run chrome as root was as follows:

1. I like to experiment a lot and find it very boring to again and again login or prefix sudo to the commands. Therefore, for experimentation, I generally log in as root.

2. During such perambulations, I often require web help, for which a browser is required. I prefer Google-chrome over Mozilla.

3. Now, when Mozilla can run perfectly as root, why can't Google-chrome? To make this happen, I did the above stated steps.

I thank you both for devoting your precious time to explaining to me the consequences of such steps and helping me accomplish what I wanted.

Regards,
Jayant
 
Old 05-09-2012, 09:31 PM   #5
John VV
Guru
 
Registered: Aug 2005
Posts: 13,455

Rep: Reputation: 1799
RHEL6.2 (like the ScientificLinux6.2 I am running) still allows root login to Gnome2
BUT it is assumed that system admins KNOW the issues and as such only do it when there is no other good option

Quote:
and find it very boring to again and again login or prefix sudo to the commands.
boo-hoo that is by far not even remotely a good reason

most of us here do not care if you mess up YOUR system BUT that can lead to greater attacks on OUR computers. And that WE DO care about.

Quote:
I often require web help, for which a browser is required. I prefer Google-chrome over Mozilla.
then why not launch it AS A NORMAL user
you can have many sessions running at the same time

I often have two or three NORMAL users running in terminals and a root terminal running
 
Old 05-09-2012, 10:26 PM   #6
jayantjpr
LQ Newbie
 
Registered: Aug 2011
Location: India
Distribution: RHEL 6.0
Posts: 4

Original Poster
Rep: Reputation: Disabled
Thanks John VV for your reply.

I am, by no means, trying to support the point that logging in as root and then running stuff like a browser is good practice. I myself believe that this could lead to serious damage to the OS and poses a big security risk.

I would like to stress that I was JUST experimenting and trying to give google-chrome the same privileges as Mozilla.
Quote:
Now, when Mozilla can run perfectly as root, why can't Google-chrome? To make this happen, I did the above stated steps.

The way you suggested:
Quote:
then why not launch it AS A NORMAL user
you can have many sessions running at the same time

I often have two or three NORMAL users running in terminals and a root terminal running
is indeed the best way and is practiced in general.

Thanks again for your precious time.

Regards,
Jayant
 
All times are GMT -5.