Bug 549708

Summary: SELinux is preventing /usr/lib64/chromium-browser/chromium-browser "execstack" access.
Product: [Fedora] Fedora Reporter: Cristóvão Rufino <cristovaozr>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 12CC: dwalsh, eng.kimo, klich.michal, mgrepl, wilborzuppa
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:1f7b6baa128e8b53c60c03318bb0be964d646a6da97c8dc459ffa8c6b0fea23b
Fixed In Version: 3.6.32-66.fc12 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-01-05 23:00:37 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Cristóvão Rufino 2009-12-22 12:58:23 UTC 
Sumário:

SELinux is preventing /usr/lib64/chromium-browser/chromium-browser "execstack"
access.

Descrição detalhada:

[chromium-browse tem um tipo permissivo (chrome_sandbox_t). Esse acesso não foi
negado.]

SELinux denied access requested by chromium-browse. It is not expected that this
access is required by chromium-browse and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Permitindo acesso:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.

Informações adicionais:

Contexto de origem            unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
                              0.c1023
Contexto de destino           unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
                              0.c1023
Objetos de destino            None [ process ]
Origem                        chromium-browse
Caminho da origem             /usr/lib64/chromium-browser/chromium-browser
Porta                         <Desconhecido>
Máquina                      (removed)
Pacotes RPM de origem         chromium-4.0.273.0-0.1.20091216svn34775.fc12
Pacotes RPM de destino        
RPM da política              selinux-policy-3.6.32-56.fc12
Selinux habilitado            True
Tipo de política             targeted
Modo reforçado               Enforcing
Nome do plugin                catchall
Nome da máquina              (removed)
Plataforma                    Linux (removed) 2.6.31.6-166.fc12.x86_64 #1 SMP Wed
                              Dec 9 10:46:22 EST 2009 x86_64 x86_64
Contador de alertas           3
Visto pela primeira vez em    Ter 22 Dez 2009 08:33:49 BRT
Visto pela última vez em     Ter 22 Dez 2009 09:55:24 BRT
ID local                      599a56f2-956e-4100-92a9-872dafd2d1a3
Números de linha             

Mensagens de auditoria não p 

node=(removed) type=AVC msg=audit(1261486524.593:24882): avc:  denied  { execstack } for  pid=2628 comm="chromium-browse" scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tclass=process

node=(removed) type=SYSCALL msg=audit(1261486524.593:24882): arch=c000003e syscall=10 success=yes exit=0 a0=7fff8ef2b000 a1=1000 a2=1000007 a3=3975619aeb items=0 ppid=0 pid=2628 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="chromium-browse" exe="/usr/lib64/chromium-browser/chromium-browser" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  selinux-policy-3.6.32-56.fc12,catchall,chromium-browse,chrome_sandbox_t,chrome_sandbox_t,process,execstack
audit2allow suggests:

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t self:process execstack;
Comment 1 Cristóvão Rufino 2009-12-22 13:04:16 UTC 
When I updated Chromium SELinux prevented it from loading the /usr/lib64/chromium-browser/libsandbox.so due to 'text relocation'. Reading the Bugzilla report I found this line to bypass this small bug and allow Chromium to run even the problem persisted:

chcon -t textrel_shlib_t '/usr/lib64/chromium-browser/libsandbox.so'

When I entered this command, Chromium could load but then this new SELinux prevention started to show.
Comment 2 Daniel Walsh 2009-12-22 13:59:07 UTC 
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.6.32-62.fc12.noarch
Comment 3 Fedora Update System 2009-12-22 21:56:23 UTC 
selinux-policy-3.6.32-63.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-63.fc12
Comment 4 Fedora Update System 2010-01-04 21:53:56 UTC 
selinux-policy-3.6.32-66.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-66.fc12
Comment 5 Fedora Update System 2010-01-05 22:49:58 UTC 
selinux-policy-3.6.32-66.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-0184
Comment 6 Fedora Update System 2010-01-05 22:58:16 UTC 
selinux-policy-3.6.32-63.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2010-01-08 20:04:46 UTC 
selinux-policy-3.6.32-66.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.