Bug 549770

Summary: SELinux is preventing /usr/lib64/chromium-browser/chromium-browser "execstack" access.
Product: [Fedora] Fedora Reporter: ultima.ratio.regum69
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 12CC: audit.art, bugzilla, dwalsh, emobuxuti, eng.kimo, geslinux, koolkartik87, luca.botti, marte17, mgrepl, m.gruys, nicolas.gif, otavio.garcia, tore, tristian.celestin, valent.turkovic, vlastimil.holer, wolfgang.rupprecht
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:d1e750a02cfb771a8030ef84e091436a7c76ecdb9f85c698317d0d7e8f6fd1e7
Fixed In Version: 3.6.32-66.fc12 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-01-05 23:00:45 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description ultima.ratio.regum69 2009-12-22 16:17:36 UTC 
Résumé:

SELinux is preventing /usr/lib64/chromium-browser/chromium-browser "execstack"
access.

Description détaillée:

[chromium-browse a un type permissif (chrome_sandbox_t). Cet accès n'a pas
été refusé.]

SELinux denied access requested by chromium-browse. It is not expected that this
access is required by chromium-browse and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Autoriser l'accès:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.

Informations complémentaires:

Contexte source               unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
                              0.c1023
Contexte cible                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
                              0.c1023
Objets du contexte            None [ process ]
source                        chromium-browse
Chemin de la source           /usr/lib64/chromium-browser/chromium-browser
Port                          <Inconnu>
Hôte                         (removed)
Paquetages RPM source         chromium-4.0.273.0-0.1.20091216svn34775.fc12
Paquetages RPM cible          
Politique RPM                 selinux-policy-3.6.32-59.fc12
Selinux activé               True
Type de politique             targeted
Mode strict                   Enforcing
Nom du plugin                 catchall
Nom de l'hôte                (removed)
Plateforme                    Linux (removed) 2.6.31.9 #1 SMP Mon Dec
                              21 19:43:57 CET 2009 x86_64 x86_64
Compteur d'alertes            4
Première alerte              lun. 21 déc. 2009 17:12:58 CET
Dernière alerte              mar. 22 déc. 2009 17:15:43 CET
ID local                      4c031665-d24c-4517-a766-e9b5de6b1c86
Numéros des lignes           

Messages d'audit bruts        

node=(removed) type=AVC msg=audit(1261498543.951:181): avc:  denied  { execstack } for  pid=2405 comm="chromium-browse" scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tclass=process

node=(removed) type=SYSCALL msg=audit(1261498543.951:181): arch=c000003e syscall=10 success=yes exit=0 a0=7fff1460d000 a1=1000 a2=1000007 a3=3d21019b8b items=0 ppid=0 pid=2405 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=4 comm="chromium-browse" exe="/usr/lib64/chromium-browser/chromium-browser" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  selinux-policy-3.6.32-59.fc12,catchall,chromium-browse,chrome_sandbox_t,chrome_sandbox_t,process,execstack
audit2allow suggests:
audit2allow is not installed.
Comment 1 Daniel Walsh 2009-12-22 17:19:04 UTC 
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.6.32-62.fc12.noarch
Comment 2 ultima.ratio.regum69 2009-12-22 17:29:37 UTC 
thanks
Comment 3 Fedora Update System 2009-12-22 21:56:30 UTC 
selinux-policy-3.6.32-63.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-63.fc12
Comment 4 Fedora Update System 2010-01-04 21:54:04 UTC 
selinux-policy-3.6.32-66.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-66.fc12
Comment 5 Fedora Update System 2010-01-05 22:50:07 UTC 
selinux-policy-3.6.32-66.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-0184
Comment 6 Fedora Update System 2010-01-05 22:58:25 UTC 
selinux-policy-3.6.32-63.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2010-01-08 20:04:55 UTC 
selinux-policy-3.6.32-66.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.