Bug 1200565
Summary: | SELinux is preventing chrome-sandbox from 'write' accesses on the file oom_score_adj. | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Mikhail <mikhail.v.gavrilov> |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED WONTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | high | Docs Contact: | |
Priority: | medium | | |
Version: | 24 | CC: | abracadaber, adam, addath, aleksi, amir007ag, anderson_ad, bizon11rus, chris, circuitsoft, cosimo.cecchi, DecimusXIV, dominick.grift, dwalsh, dzrudy, elemer82, goodmirek, hamed.sako, hx, JamieNeubert, jayabharat, joshua.ryan.escamilla, kola053, kuc4iman, lvrabec, mgrepl, ms, patrys, peljasz, phorneker, plautrba, pmazaingue, pparsons, reyespf, rishianand54, rui.ms.quaresma, sarto1177, sgallagh, shaneever2, stevenkelbley, williambiggs31, zcoalminer, zyxsamys |
Target Milestone: | --- | Keywords: | Reopened |
Target Release: | --- | | |
Hardware: | x86_64 | | |
OS: | Unspecified | | |
Whiteboard: | abrt_hash:970de26506863147140f7a67a0364a94221f81a69330b256f836a0c5acf4be8b | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2016-10-31 21:42:14 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Mikhail
2015-03-10 20:46:52 UTC
If you want to use the plugin package, then you must turn off SELinux controls on the Chrome plugins. Do:
# setsebool -P unconfined_chrome_sandbox_transition 0
Where can I read what this flag allows doing with the system? If this is not top secret, this information may be displayed in SEAlert :) And why do other Chromium-based browsers, Opera and Vivaldi, not cause this alert?

Description of problem: I was attempting to run a Google Chrome app from the launch menu... See attached screenshot. The app is a To Do List.
Version-Release number of selected component: selinux-policy-3.13.1-116.fc22.noarch
Additional info: reporter: libreport-2.4.0, hashmarkername: setroubleshoot, kernel: 4.0.0-0.rc1.git0.1.fc22.x86_64, type: libreport

To follow up, this was also reported much earlier as https://bugzilla.redhat.com/show_bug.cgi?id=581256 wherein a great deal of additional discourse explains why this bug is not fixed in SELinux and should be fixed by Chrome developers.

Please report this bug to Google.

Reported to Google at: https://code.google.com/p/chromium/issues/detail?id=477329

Description of problem: I was just using the latest version, how ridiculous to get it blocked!!!
Version-Release number of selected component: selinux-policy-3.13.1-122.fc22.noarch
Additional info: reporter: libreport-2.5.1, hashmarkername: setroubleshoot, kernel: 4.0.0-0.rc5.git4.1.fc22.x86_64, type: libreport

We won't allow this. Here is the explanation: https://code.google.com/p/chromium/issues/detail?id=477329#c5

Description of problem: Just opened Google Chrome stable and was browsing the internet.
Version-Release number of selected component: selinux-policy-3.13.1-119.fc22.noarch
Additional info: reporter: libreport-2.5.0, hashmarkername: setroubleshoot, kernel: 4.0.0-0.rc5.git4.1.fc22.x86_64, type: libreport

Description of problem: Started Google Chrome first time.
Version-Release number of selected component: selinux-policy-3.13.1-122.fc22.noarch
Additional info: reporter: libreport-2.5.1, hashmarkername: setroubleshoot, kernel: 4.0.0-1.fc22.x86_64, type: libreport

Description of problem: Opening google-chrome.
Version-Release number of selected component: selinux-policy-3.13.1-122.fc22.noarch
Additional info: reporter: libreport-2.5.1, hashmarkername: setroubleshoot, kernel: 4.0.0-1.fc22.x86_64, type: libreport

Description of problem: Opening Chrome.
Version-Release number of selected component: selinux-policy-3.13.1-122.fc22.noarch
Additional info: reporter: libreport-2.5.1, hashmarkername: setroubleshoot, kernel: 4.0.0-1.fc22.x86_64, type: libreport

Description of problem: Clicking on a link in Gmail inside Chrome.
Version-Release number of selected component: selinux-policy-3.13.1-122.fc22.noarch
Additional info: reporter: libreport-2.5.1, hashmarkername: setroubleshoot, kernel: 4.0.0-1.fc22.x86_64, type: libreport

Description of problem: Running Chrome 42 (Version 42.0.2311.90 (64-bit)).
Version-Release number of selected component: selinux-policy-3.13.1-122.fc22.noarch
Additional info: reporter: libreport-2.5.1, hashmarkername: setroubleshoot, kernel: 4.0.0-1.fc22.x86_64, type: libreport

Description of problem: Just installed Chrome with the commands:
cat << EOF > /etc/yum.repos.d/google-chrome.repo
[google-chrome]
name=google-chrome - \$basearch
baseurl=http://dl.google.com/linux/chrome/rpm/stable/\$basearch
enabled=1
gpgcheck=1
gpgkey=https://dl-ssl.google.com/linux/linux_signing_key.pub
EOF
sudo dnf install google-chrome-stable -y
and this came up at first-time use.
Version-Release number of selected component: selinux-policy-3.13.1-122.fc22.noarch
Additional info: reporter: libreport-2.5.1, hashmarkername: setroubleshoot, kernel: 4.0.0-1.fc22.x86_64, type: libreport

Description of problem: It happened when I opened Google Chrome for the first time on a fresh install.
Version-Release number of selected component: selinux-policy-3.13.1-122.fc22.noarch
Additional info: reporter: libreport-2.5.1, hashmarkername: setroubleshoot, kernel: 4.0.0-0.rc5.git4.1.fc22.x86_64, type: libreport

Description of problem: The problem started when starting GOOGLE CHROME.
Version-Release number of selected component: selinux-policy-3.13.1-126.fc22.noarch
Additional info: reporter: libreport-2.5.1, hashmarkername: setroubleshoot, kernel: 4.0.4-301.fc22.x86_64, type: libreport

Description of problem: Just open the Chrome browser or a new tab in the Chrome browser. May need plugins/extensions/apps enabled.
Version-Release number of selected component: selinux-policy-3.13.1-126.fc22.noarch
Additional info: reporter: libreport-2.5.1, hashmarkername: setroubleshoot, kernel: 4.0.4-301.fc22.x86_64, type: libreport

Description of problem: Every time I open Google Chrome.
Version-Release number of selected component: selinux-policy-3.13.1-126.fc22.noarch
Additional info: reporter: libreport-2.5.1, hashmarkername: setroubleshoot, kernel: 4.0.4-301.fc22.x86_64, type: libreport

Description of problem: After installing Google Chrome from the official RPM package and running the Google Chrome program, this error appeared.
Version-Release number of selected component: selinux-policy-3.13.1-126.fc22.noarch
Additional info: reporter: libreport-2.5.1, hashmarkername: setroubleshoot, kernel: 4.0.4-301.fc22.x86_64, type: libreport

So the bug is with Chrome, as it is bad practice on their end?

commit 32dc28f64b14a4006f0d4cd107ff1f0903c5b7c5
Author: Miroslav Grepl <mgrepl>
Date: Wed May 13 13:11:46 2015 +0200

    Dontaudit chrome-sandbox write access its parent process information.
    BZ(1220958)

Description of problem: The SELinux message surfaced when I launched Google Chrome after a fresh install of Fedora 22.
Version-Release number of selected component: selinux-policy-3.13.1-126.fc22.noarch
Additional info: reporter: libreport-2.5.1, hashmarkername: setroubleshoot, kernel: 4.0.4-303.fc22.x86_64, type: libreport

Description of problem: Happened when Google Chrome is launched for the first time. Maybe it tries to set itself as the default browser?
Version-Release number of selected component: selinux-policy-3.13.1-126.fc22.noarch
Additional info: reporter: libreport-2.5.1, hashmarkername: setroubleshoot, kernel: 4.0.4-303.fc22.x86_64, type: libreport

Description of problem: Open browser Google Chrome.
Version-Release number of selected component: selinux-policy-3.13.1-126.fc22.noarch
Additional info: reporter: libreport-2.5.1, hashmarkername: setroubleshoot, kernel: 4.0.4-303.fc22.x86_64, type: libreport

Description of problem: Chrome startup.
Version-Release number of selected component: selinux-policy-3.13.1-126.fc22.noarch
Additional info: reporter: libreport-2.5.1, hashmarkername: setroubleshoot, kernel: 4.0.4-301.fc22.x86_64, type: libreport

Description of problem: By starting Chrome for the first time.
Version-Release number of selected component: selinux-policy-3.13.1-122.fc22.noarch
Additional info: reporter: libreport-2.5.1, hashmarkername: setroubleshoot, kernel: 4.0.4-301.fc22.x86_64+debug, type: libreport

Description of problem: I launched Chrome for the first time, the Google login screen appeared and then the error occurred.
Version-Release number of selected component: selinux-policy-3.13.1-122.fc22.noarch selinux-policy-3.13.1-128.8.fc22.noarch
Additional info: reporter: libreport-2.6.2, hashmarkername: setroubleshoot, kernel: 4.0.4-301.fc22.x86_64, type: libreport

Description of problem: Google Chrome crashed on start.
Version-Release number of selected component: selinux-policy-3.13.1-122.fc22.noarch
Additional info: reporter: libreport-2.5.1, hashmarkername: setroubleshoot, kernel: 4.0.4-301.fc22.x86_64, type: libreport

Description of problem: Just opened Chrome and after that SELinux showed me a security issue; it shows me it cannot write to some files.
Version-Release number of selected component: selinux-policy-3.13.1-122.fc22.noarch
Additional info: reporter: libreport-2.5.1, hashmarkername: setroubleshoot, kernel: 4.0.4-301.fc22.x86_64, type: libreport

We should adjust the label on oom_score_adj.

This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle. Changing version to '24'. More information and the reason for this action is here: https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase

Any updates here?

According to the final comment at https://bugs.chromium.org/p/chromium/issues/detail?id=477329: "Restricting further comments. As explained in https://code.google.com/p/chromium/issues/detail?id=477329#c5 https://code.google.com/p/chromium/issues/detail?id=477329#c8 and https://code.google.com/p/chromium/issues/detail?id=477329#c11 this is working as intended." So, Google says 'works as intended'. *cough* https://bugzilla.redhat.com/show_bug.cgi?id=581256 (earlier discussion of this) says it's a google-chrome issue, not an SELinux issue. I dunno who to believe at this point.

I would say it is a difference of opinion. From Google's perspective they are just allowing the chrome-sandbox to tell the kernel to pick it when looking to kill processes on the system if they run out of memory. But from the SELinux point of view we cannot tell the difference between the Chrome browser and other processes on the system. From a MAC point of view, this would say allow the chrome-sandbox to pick any other user process to kill if running out of memory. But even worse than this, it says that the chrome-sandbox could write to the /proc of every process in the user session. If we want to control the chrome-sandbox from a MAC perspective, we don't want to allow this. Bottom line: both sides are in some ways correct. This is why you have a boolean and a dontaudit rule. If you don't want MAC confinement of the chrome sandbox then you can disable it using:
# setsebool -P unconfined_chrome_sandbox_transition 0
Or you can ignore the problem with a dontaudit rule, and the chrome-sandbox will not be able to say PICKME for killing in an out-of-memory situation.

Closing this BZ as WONTFIX; for more info see comment#35 or http://danwalsh.livejournal.com/34903.html
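An added triage example, not part of the bug report or of the selinux-policy project, for the MAC point made above: the target of the write is labelled with the domain of whichever process owns the /proc entry, so policy cannot distinguish "my own parent" from "any other process in the session". The helper parses audit AVC lines and separates the known chrome-sandbox/oom_score_adj pattern (handled by the boolean or the dontaudit rule) from other /proc writes that still deserve review. The sample audit lines and their contexts (chrome_sandbox_t, unconfined_t) are constructed assumptions, not copied from this bug.

```python
import re

# Constructed sample audit lines (not from the bug report); the field layout
# follows the kernel AVC format. Contexts are assumed for a Fedora user session.
SAMPLE_AVC = """\
type=AVC msg=audit(1431518400.123:456): avc:  denied  { write } for  pid=2345 comm="chrome-sandbox" name="oom_score_adj" dev="proc" ino=78901 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file permissive=0
type=AVC msg=audit(1431518401.500:457): avc:  denied  { write } for  pid=2345 comm="chrome-sandbox" name="mem" dev="proc" ino=78902 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file permissive=0
type=AVC msg=audit(1431518402.700:458): avc:  denied  { read } for  pid=3000 comm="httpd" name="passwd" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the denied permissions and key=value fields of one AVC line, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    rec['perms'] = set(m.group('perms').split())
    # The type is the third colon-separated field of a security context.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def classify(rec):
    """Label a denial: the known oom_score_adj pattern, another /proc write, or other.

    The target type is the domain of the process owning the /proc entry (here
    unconfined_t for every process in the session), which is exactly why the
    policy cannot grant 'write to the parent' without granting 'write to all'.
    """
    if (rec['stype'] == 'chrome_sandbox_t' and rec.get('name') == 'oom_score_adj'
            and rec.get('dev') == 'proc' and 'write' in rec['perms']):
        return 'known-oom-score-adj'   # covered by the boolean / dontaudit rule
    if rec.get('dev') == 'proc' and 'write' in rec['perms']:
        return 'review-proc-write'     # any other write into /proc needs a look
    return 'other'


def triage(audit_text):
    """Map each parsed denial to (comm, target name, classification), in order."""
    results = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            results.append((rec['comm'], rec.get('name'), classify(rec)))
    return results
```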