Bug 581457
Summary: | SELinux is preventing /opt/google/chrome/chrome "read" access on /opt/google/chrome/chrome.pak. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Pau Aliagas <linuxnow> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | low | ||
Version: | 12 | CC: | aaron.j.brown, ajeet.ajeetkumar, alextazy0, anandsngc, ananta_u, avramovski.dragan, beland, carlg, claudiomar.costa, danielvilha, dannyel.olivares, dan.ratje, ddhanlon, dkanunnikau, dwalsh, e_antrobus, edosurina, eric.rannaud, flora.chatz, igal.alkon, im2061, jfelix56, jlbouras, jmorgan, jyoerger, kacper.kawecki, kage0, kdehairy, kenmatrix, kingbiotech, kruvalig, marinalan, mfmagar, mgrepl, m.gruys, msava, msdeleonpeque, mykal.anderson, oaklists, ol.morgan, pakmanj, peter.taylor, r00jb2, rafmaurette, renich, renlei040766, rob.d.wills, ryan, scottt.tw, sgoldber, shawn.giguere, sirebral, slivkam, souza.tales, soylentman, suyalmanoj, terry.denney, wlee |
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | setroubleshoot_trace_hash:61e39c9f7213db513fb0eecaf6b45b2bff2415a2b2436ddf561ced57886df87a | ||
Fixed In Version: | selinux-policy-3.6.32-113.fc12 | Doc Type: | Bug Fix |
Last Closed: | 2010-05-03 16:09:02 UTC | Type: | --- |
Description
Pau Aliagas
2010-04-12 10:20:42 UTC
*** Bug 581458 has been marked as a duplicate of this bug. ***

*** Bug 581517 has been marked as a duplicate of this bug. ***

*** Bug 581455 has been marked as a duplicate of this bug. ***

Miroslav, add files_read_usr_files(chrome_sandbox_t)

Fixed in selinux-policy-3.6.32-111.fc12

This seems to have started occurring after today's update. Occurs pretty much every time I open chrome.

Mykal, did you try out the newest policy? selinux-policy-3.6.32-111.fc12

I have just now checked and I am up to date. I have done a full restart but still get a SE denial report when I open Chrome (included below). Chrome runs fine but I get this report whenever I open a new tab. I can see in the report that it is using an older version of the policy, but shouldn't that have come with the usual updates?

Summary:
SELinux is preventing /opt/google/chrome/chrome "read" access on /opt/google/chrome/chrome.pak.

Detailed Description:
[chrome has a permissive type (chrome_sandbox_t). This access was not denied.]
SELinux denied access requested by chrome. It is not expected that this access is required by chrome and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:
Source Context        unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
Target Context        system_u:object_r:usr_t:s0
Target Objects        /opt/google/chrome/chrome.pak [ file ]
Source                chrome
Source Path           /opt/google/chrome/chrome
Port                  <Unknown>
Host                  FedoraBox
Source RPM Packages   google-chrome-beta-5.0.342.9-43360
Target RPM Packages   google-chrome-beta-5.0.342.9-43360
Policy RPM            selinux-policy-3.6.32-110.fc12
Selinux Enabled       True
Policy Type           targeted
Enforcing Mode        Enforcing
Plugin Name           catchall
Host Name             FedoraBox
Platform              Linux FedoraBox 2.6.32.11-99.fc12.i686 #1 SMP Mon Apr 5 16:32:08 EDT 2010 i686 i686
Alert Count           24
First Seen            Thu 22 Apr 2010 12:33:44 PM EST
Last Seen             Thu 22 Apr 2010 09:54:39 PM EST
Local ID              6c1d2457-aa74-43d8-b072-1234fa475134
Line Numbers

Raw Audit Messages
node=FedoraBox type=AVC msg=audit(1271937279.377:16): avc: denied { read } for pid=2257 comm="chrome" name="chrome.pak" dev=dm-0 ino=55806 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
node=FedoraBox type=AVC msg=audit(1271937279.377:16): avc: denied { open } for pid=2257 comm="chrome" name="chrome.pak" dev=dm-0 ino=55806 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
node=FedoraBox type=SYSCALL msg=audit(1271937279.377:16): arch=40000003 syscall=5 per=400000 success=yes exit=9 a0=b77aa94 a1=8000 a2=0 a3=0 items=0 ppid=0 pid=2257 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="chrome" exe="/opt/google/chrome/chrome" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Mykal, you can install the latest selinux-policy and selinux-policy-targeted packages from Koji for now
http://koji.fedoraproject.org/koji/buildinfo?buildID=167280

Thanks so much for all your help Miroslav, but unfortunately I get a transaction error when attempting to install the rpm from the site.
"selinux-policy-targeted-3.6.32-110.fc12.noarch requires selinux-policy = 3.6.32-110.fc12"
I can't see where I can download this file from the site. I understand this is just a flaky notification so I'm happy to bear with it for now, it looks like the policy is just waiting for approval and will come with an update soon, which I have set to check daily. Unless you have another suggestion?

selinux-policy-3.6.32-113.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-113.fc12

selinux-policy-3.6.32-113.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-113.fc12

(In reply to comment #12)
> selinux-policy-3.6.32-113.fc12 has been pushed to the Fedora 12 testing
> repository. If problems still persist, please make note of it in this bug
> report.
> If you want to test the update, you can install it with
> su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can
> provide feedback for this update here:
> http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-113.fc12

checked, looks ok here. Fedora 12, 64bit

checked, looks ok here. Fedora 12, 32bit

selinux-policy-3.6.32-113.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
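Added example, not part of the original bug report: a Python sketch that groups the raw audit records quoted in the thread by audit event ID, merges the logged permissions into the equivalent allow rule, and reads the SYSCALL record to show the open actually succeeded, as expected for a permissive type. The function names are hypothetical; the fix named in the thread is the files_read_usr_files(chrome_sandbox_t) interface call, not a hand-written allow rule.

```python
import re
from collections import defaultdict

# The three records from "Raw Audit Messages" in the report above.
RAW = """\
node=FedoraBox type=AVC msg=audit(1271937279.377:16): avc: denied { read } for pid=2257 comm="chrome" name="chrome.pak" dev=dm-0 ino=55806 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
node=FedoraBox type=AVC msg=audit(1271937279.377:16): avc: denied { open } for pid=2257 comm="chrome" name="chrome.pak" dev=dm-0 ino=55806 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
node=FedoraBox type=SYSCALL msg=audit(1271937279.377:16): arch=40000003 syscall=5 per=400000 success=yes exit=9 a0=b77aa94 a1=8000 a2=0 a3=0 items=0 ppid=0 pid=2257 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="chrome" exe="/opt/google/chrome/chrome" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)
"""

EVENT = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+:\d+)\):")  # record type, event ID
PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")              # logged permission set
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')                      # key=value pairs

def summarize(raw):
    """Group records by audit event ID; collect AVC perms and syscall outcome."""
    events = defaultdict(lambda: {"rules": defaultdict(set), "success": None})
    for line in raw.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        rtype, event_id = m.groups()
        fields = dict(FIELD.findall(line))
        if rtype == "AVC" and PERMS.search(line):
            # SELinux context is user:role:type:level; policy rules key on the type.
            key = (fields["scontext"].split(":")[2],
                   fields["tcontext"].split(":")[2], fields["tclass"])
            events[event_id]["rules"][key].update(PERMS.search(line).group(1).split())
        elif rtype == "SYSCALL":
            events[event_id]["success"] = fields.get("success") == "yes"
    return events

def allow_rules(raw):
    """Return (event_id, allow rule, syscall_succeeded) for each denial group."""
    out = []
    for event_id, ev in summarize(raw).items():
        for (src, tgt, cls), perms in sorted(ev["rules"].items()):
            rule = f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
            out.append((event_id, rule, ev["success"]))
    return out

if __name__ == "__main__":
    for event_id, rule, ok in allow_rules(RAW):
        print(event_id, rule, "syscall succeeded (permissive)" if ok else "blocked")
```
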