Bug 1574392
| Summary: | map AVCs for google-chrome after selinux-policy update | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Tomas Pelka <tpelka> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.6 | CC: | lvrabec, mgrepl, mmalik, plautrba, qe-baseos-security, ssekidde |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.13.1-199.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | 1574383 | Environment: | |
| Last Closed: | 2018-10-30 10:03:50 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1574383, 1574394 | ||
| Bug Blocks: | 1574389 | ||
Also these are related
May 03 08:24:51 placka kernel: type=1400 audit(1525328691.260:690): avc: denied { map } for pid=1650 comm="CompositorTileW" path=2F6465762F73686D2F2E636F6D2E676F6F676C652E4368726F6D652E69706F4E5549202864656C6574656429 dev="tmpfs" ino=268099 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
May 03 08:24:51 placka kernel: type=1400 audit(1525328691.261:691): avc: denied { map } for pid=1650 comm="CompositorTileW" path=2F6465762F73686D2F2E636F6D2E676F6F676C652E4368726F6D652E637649427238202864656C6574656429 dev="tmpfs" ino=268100 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
*** Bug 1574394 has been marked as a duplicate of this bug. *** Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:3111 |
Description of problem: Seems that new map permissions added in -193 denies chrome process.. Version-Release number of selected component (if applicable): kernel-3.10.0-878.el7 selinux-policy-targeted-3.13.1-193.el7 selinux-policy-3.13.1-193.el7 How reproducible: 100% Steps to Reproduce: 1. 2. 3. Actual results: May 03 08:21:13 placka kernel: type=1400 audit(1525328473.994:677): avc: denied { map } for pid=31512 comm="chrome" path=2F6465762F73686D2F2E636F6D2E676F6F676C652E4368726F6D652E795965313133202864656C6574656429 dev="tmpfs" ino=176539 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=1 May 03 08:21:36 placka kernel: type=1400 audit(1525328496.608:679): avc: denied { map } for pid=31996 comm="chrome" path=2F6465762F73686D2F2E636F6D2E676F6F676C652E4368726F6D652E653050476D71202864656C6574656429 dev="tmpfs" ino=202763 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=1 Expected results: Additional info: Wokaround: either setenforce 0 or downgrading to selinux-policy-targeted-3.13.1-192.el7_5.3.noarch selinux-policy-3.13.1-192.el7_5.3 Full list of map related AVC's at https://bugzilla.redhat.com/attachment.cgi?id=1430552