Bug 539977

Summary: SELinux is preventing the /usr/lib64/chromium-browser/chromium-browser from using potentially mislabeled files (/home/yankee/.config/chromium/Dictionaries/nl-NL-1-1.bdic).
Product: [Fedora] Fedora Reporter: Yaakov Nemoy <loupgaroublond>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 12CC: bub181, dwalsh, mgrepl, ys.samuel
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:a6c67d89a5b8e3d6eef8e3cddcfbaf62bba9cb4f8cc8897962120eb3d1bd77fe
Fixed In Version: 3.6.32-49.fc12 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-12-01 16:40:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Yaakov Nemoy 2009-11-21 20:09:28 UTC 
Samenvatting:

SELinux is preventing the /usr/lib64/chromium-browser/chromium-browser from
using potentially mislabeled files
(/home/yankee/.config/chromium/Dictionaries/nl-NL-1-1.bdic).

Gedetailleerde omschrijving:

[chromium-browse heeft een toelatend type (chrome_sandbox_t). Deze toegang was
niet verboden.]

SELinux has denied chromium-browse access to potentially mislabeled file(s)
(/home/yankee/.config/chromium/Dictionaries/nl-NL-1-1.bdic). This means that
SELinux will not allow chromium-browse to use these files. It is common for
users to edit files in their home directory or tmp directories and then move
(mv) them to system directories. The problem is that the files end up with the
wrong file context which confined applications are not allowed to access.

Teogang toestaan:

If you want chromium-browse to access this files, you need to relabel them using
restorecon -v '/home/yankee/.config/chromium/Dictionaries/nl-NL-1-1.bdic'. You
might want to relabel the entire directory using restorecon -R -v
'/home/yankee/.config/chromium/Dictionaries'.

Additionele informatie:

Bron context                  unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
                              0.c1023
Doel context                  unconfined_u:object_r:gnome_home_t:s0
Doel objecten                 /home/yankee/.config/chromium/Dictionaries/nl-
                              NL-1-1.bdic [ file ]
Bron                          chromium-browse
Bron pad                      /usr/lib64/chromium-browser/chromium-browser
Poort                         <Onbekend>
Host                          (removed)
Bron RPM pakketten            chromium-4.0.252.0-0.1.20091119svn32498.fc12
Doel RPM pakketten            
Gedragslijn RPM               selinux-policy-3.6.32-41.fc12
SELinux aangezet              True
Gedragslijn type              targeted
Enforcing modus               Enforcing
Pluginnaam                    home_tmp_bad_labels
Hostnaam                      (removed)
Platform                      Linux (removed) 2.6.31.5-127.fc12.x86_64 #1 SMP Sat Nov
                              7 21:11:14 EST 2009 x86_64 x86_64
Aantal waarschuwingen         1
Eerst gezien op               za 21 nov 2009 20:21:54 CET
Laatst gezien op              za 21 nov 2009 20:21:54 CET
Locale ID                     78756ff6-e1e2-4fbc-bbd2-40e9d95bdaec
Regelnummers                  

Onbewerkte audit boodschappen 

node=(removed) type=AVC msg=audit(1258831314.450:24072): avc:  denied  { getattr } for  pid=7051 comm="chromium-browse" path="/home/yankee/.config/chromium/Dictionaries/nl-NL-1-1.bdic" dev=dm-2 ino=24893 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:gnome_home_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1258831314.450:24072): arch=c000003e syscall=5 per=400000 success=yes exit=0 a0=15 a1=7fff7b0c7520 a2=7fff7b0c7520 a3=18 items=0 ppid=1 pid=7051 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="chromium-browse" exe="/usr/lib64/chromium-browser/chromium-browser" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  selinux-policy-3.6.32-41.fc12,home_tmp_bad_labels,chromium-browse,chrome_sandbox_t,gnome_home_t,file,getattr
audit2allow suggests:

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t gnome_home_t:file getattr;
Comment 1 Daniel Walsh 2009-11-23 15:09:24 UTC 
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.6.32-48.fc12.noarch
Comment 2 Fedora Update System 2009-11-23 23:39:30 UTC 
selinux-policy-3.6.32-49.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-49.fc12
Comment 3 Fedora Update System 2009-11-25 15:22:49 UTC 
selinux-policy-3.6.32-49.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12131
Comment 4 Fedora Update System 2009-12-02 04:33:59 UTC 
selinux-policy-3.6.32-49.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.