Google Chrome is Broken

Issues related to applications and software problems
TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Google Chrome is Broken

Post by TrevorH » 2011/09/23 00:19:37

I changed my mind, it doesn't seem to be SELinux after all! I downloaded it and installed it and got much the same symptoms. This bit can be fixed by running

[code]
export LD_LIBRARY_PATH=/opt/google/chrome
/opt/google/chrome/chrome
[/code]

but then it blows up with a "Failed to move to new PID namespace" message which I find on google means that it has an executable marked suid root and the partition that it's on is mounted nosuid (good!). However, my /opt is on / and that is not mounted nosuid so I'm not quite sure that this is the real problem. The only way I could get further than this was to ssh in as root itself and try running it that way, at which point it starts OK, spits out a message telling me not to be silly enough to run it as root and exits!

I think this lot wants reporting to Google - chrome is broken on RHEL/CentOS 6.0

z662
Posts: 75
Joined: 2011/08/03 19:46:10

Re: Google Chrome is Broken

Post by z662 » 2011/09/23 02:22:48

Wow. epic fail...

I'm surprised too, I was always under the impression that Google wrote relatively good code. Never had/heard of problems like this before. Alas.

jugoslavgacas
Posts: 5
Joined: 2011/09/22 19:45:04
Location: Novi Sad

Re: Google Chrome is Broken

Post by jugoslavgacas » 2011/09/23 06:17:55

[quote]Additionally, I am not sure how to create the .te file. I basically just copied your post, threw it into a .mod file (and also tried .te) and then ran those commands but obviously that is not what I am supposed to do. What do I need to do to create the .te file so I can execute those commands?[/quote]

Sorry if my explanation wasn't clear enough. Here is how you can create a policy file...

Create a new file named [font=Courier]googlechrome.te[/font] that contains this code:
[code]
module googlechrome 1.0;

require {
	type textrel_shlib_t;
	type chrome_sandbox_t;
	class file execute_no_trans;
	class process setsched;
}

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t textrel_shlib_t:file execute_no_trans;
allow chrome_sandbox_t self:process setsched;
[/code]
Open a terminal, go to the directory where you saved the [font=Courier]googlechrome.te[/font] file and execute these commands:
[code]
checkmodule -M -m -o googlechrome.mod googlechrome.te
semodule_package -o googlechrome.pp -m googlechrome.mod
semodule -i googlechrome.pp
[/code]

These commands will create and install a new policy file that will allow google-chrome to run.

After Google fixes the problem you can safely remove the policy file you just created by executing
[code]
# semodule -r takes the module name, not the .pp package file
semodule -r googlechrome
[/code]

jugoslavgacas
Posts: 5
Joined: 2011/09/22 19:45:04
Location: Novi Sad

Re: Google Chrome is Broken

Post by jugoslavgacas » 2011/09/23 06:30:33

[quote]I changed my mind, it doesn't seem to be SELinux after all! I downloaded it and installed it and got much the same symptoms.[/quote]

You can check [size=56][font=Courier]/var/log/audit/audit.log[/font][/size] for SELinux errors when you try to start google-chrome. I used [size=56][font=Courier]tail -f /var/log/audit/audit.log[/font][/size] to watch the log while trying to start the browser and here is the AVC message I got:
[code]
type=AVC msg=audit(1316690231.193:236): avc: denied { execute_no_trans } for pid=4812 comm="chrome-sandbox" path="/opt/google/chrome/chrome" dev=dm-0 ino=2368519
scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:textrel_shlib_t:s0 tclass=file
[/code]
and also this message, after the first one was fixed with a temporary policy file:
[code]
type=AVC msg=audit(1316698327.904:29011): avc: denied { setsched } for pid=3360 comm="chrome" scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tclass=process
[/code]

Based on these messages I created the googlechrome.te file using the [size=56][font=Courier]audit2allow -m googlechrome -l -i /var/log/audit/audit.log > googlechrome.te[/font][/size] command.
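How the two AVC denials in the post above map onto the rules in googlechrome.te, as an added example that is not part of the original post and is not audit2allow's own code. It is a simplified sketch: the names `parse_denials` and `to_te` are hypothetical, and the sample input is the two records from the post with their wrapped lines rejoined.

```python
import re
from collections import defaultdict

# The two AVC records quoted in the post above, each rejoined onto one line.
SAMPLE_LOG = """\
type=AVC msg=audit(1316690231.193:236): avc: denied { execute_no_trans } for pid=4812 comm="chrome-sandbox" path="/opt/google/chrome/chrome" dev=dm-0 ino=2368519 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:textrel_shlib_t:s0 tclass=file
type=AVC msg=audit(1316698327.904:29011): avc: denied { setsched } for pid=3360 comm="chrome" scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tclass=process
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)")

def se_type(context):
    return context.split(":")[2]  # user:role:type[:level] -> type

def fmt(perms):
    """One permission is written bare, several as a braced set."""
    p = sorted(perms)
    return p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"

def parse_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line) if "type=AVC" in line else None
        if m:  # non-AVC audit records are skipped
            key = (se_type(m["scon"]), se_type(m["tcon"]), m["tclass"])
            rules[key].update(m["perms"].split())
    return dict(rules)

def to_te(module, rules, version="1.0"):
    """Render the rules as type enforcement (.te) module source."""
    types = sorted({x for src, tgt, _ in rules for x in (src, tgt)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"module {module} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt(classes[c])};" for c in sorted(classes)]
    out += ["}", ""]
    for src, tgt, cls in sorted(rules):
        target = "self" if src == tgt else tgt  # same domain -> 'self'
        out.append(f"allow {src} {target}:{cls} {fmt(rules[src, tgt, cls])};")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(to_te("googlechrome", parse_denials(SAMPLE_LOG)))
```

Reading the generated rules this way before running `semodule -i` shows exactly which domain gains which permission on which type, one `allow` line per distinct denial.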

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Google Chrome is Broken

Post by TrevorH » 2011/09/23 07:51:41

OK, it works if you run these two commands as root

[code]
semanage fcontext -a -s system_u -t usr_t /opt/google/chrome/chrome-sandbox
restorecon -v /opt/google/chrome/chrome-sandbox
[/code]

I did also do this as root but this may not be required

[code]
cd /opt/google/chrome
rm libbz2.so.1.0
ln -s /lib/libbz2.so.1.0.4 libbz2.so.1.0
[/code]

jugoslavgacas
Posts: 5
Joined: 2011/09/22 19:45:04
Location: Novi Sad

Re: Google Chrome is Broken

Post by jugoslavgacas » 2011/09/23 08:13:05

@TrevorH

Your solution works! Last step is not necessary. Thank you.

z662
Posts: 75
Joined: 2011/08/03 19:46:10

Re: Google Chrome is Broken

Post by z662 » 2011/09/23 16:43:54

Just so I understand correctly, are both approaches valid solutions, or do both need to be done (jugoslavgacas AND TrevorH)?

In regards to jugoslavgacas's comment about removing the policy when Google fixes the issue... how will I know when they fix it if I am using the enabled policy? Does it really matter if the policy is enabled postfix?

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Google Chrome is Broken

Post by TrevorH » 2011/09/23 21:22:29

I think that the semanage change is smaller and is the one I would prefer over the other.

z662
Posts: 75
Joined: 2011/08/03 19:46:10

Re: Google Chrome is Broken

Post by z662 » 2011/09/23 21:56:57

Thank you both for your posts and solutions. I felt more comfortable following Trevor's advice and am successfully able to use Chrome again! Thanks a lot.

So what exactly did I just do? Turn off MAC for chrome??

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Google Chrome is Broken

Post by TrevorH » 2011/09/23 22:39:21

There is an enormous discussion of this problem in a bug report [url=http://code.google.com/p/chromium/issues/detail?id=87704]here[/url]

Now you know as much as I do :-)

Edit: if you wish to revert the change then you can do so just as easily using

[code]
semanage fcontext -d -s system_u -t usr_t /opt/google/chrome/chrome-sandbox
restorecon -v /opt/google/chrome/chrome-sandbox
[/code]

That's advisable if and when google fix the issue.
