Bug 538310

Summary: SELinux is preventing /usr/lib64/chromium-browser/chromium-browser "read" access on chromium.
Product: [Fedora] Fedora Reporter: Tore Anderson <tore>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 12CC: dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:428672b40a5a4dadfeb7bda8dfd89636370815343de9517248c7bf8cfa875b49
Fixed In Version: 3.6.32-49.fc12 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-12-01 16:40:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Tore Anderson 2009-11-18 08:55:06 UTC
Summary:

SELinux is preventing /usr/lib64/chromium-browser/chromium-browser "read" access
on chromium.

Detailed Description:

[chromium-browse has a permissive type (chrome_sandbox_t). This access was not
denied.]

SELinux denied access requested by chromium-browse. It is not expected that this
access is required by chromium-browse and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
                              0.c1023
Target Context                system_u:object_r:nfs_t:s0
Target Objects                chromium [ lnk_file ]
Source                        chromium-browse
Source Path                   /usr/lib64/chromium-browser/chromium-browser
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           chromium-4.0.227.0-0.1.20091027svn30269.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-41.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.5-127.fc12.x86_64 #1
                              SMP Sat Nov 7 21:11:14 EST 2009 x86_64 x86_64
Alert Count                   1
First Seen                    on. 18. nov. 2009 kl. 09.53 +0000
Last Seen                     on. 18. nov. 2009 kl. 09.53 +0000
Local ID                      b8868d7b-8b75-4c72-9abd-0e7fab083f05
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1258534411.183:31913): avc:  denied  { read } for  pid=2424 comm="chromium-browse" name="chromium" dev=0:16 ino=364727 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=lnk_file

node=(removed) type=SYSCALL msg=audit(1258534411.183:31913): arch=c000003e syscall=4 per=400000 success=yes exit=0 a0=3b4a8b8 a1=7fff99e7fe30 a2=7fff99e7fe30 a3=7fff99e7fbc0 items=0 ppid=0 pid=2424 auid=1011 uid=1011 gid=1011 euid=1011 suid=1011 fsuid=1011 egid=1011 sgid=1011 fsgid=1011 tty=(none) ses=2 comm="chromium-browse" exe="/usr/lib64/chromium-browser/chromium-browser" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  selinux-policy-3.6.32-41.fc12,catchall,chromium-browse,chrome_sandbox_t,nfs_t,lnk_file,read
audit2allow suggests:

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t nfs_t:lnk_file read;

Comment 1 Daniel Walsh 2009-11-18 12:50:46 UTC
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.6.32-47.fc12.noarch

Comment 2 Fedora Update System 2009-11-23 23:35:29 UTC
selinux-policy-3.6.32-49.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-49.fc12

Comment 3 Fedora Update System 2009-11-25 15:18:23 UTC
selinux-policy-3.6.32-49.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12131

Comment 4 Fedora Update System 2009-12-02 04:30:05 UTC
selinux-policy-3.6.32-49.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.