Bug 581517

Summary: Chromium AVCs
Product: [Fedora] Fedora
Component: selinux-policy
Version: 12
Hardware: x86_64
OS: Linux
Status: CLOSED DUPLICATE
Severity: low
Priority: low
Reporter: Carl G. <carlg>
Assignee: Daniel Walsh <dwalsh>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dwalsh, mgrepl
Doc Type: Bug Fix
Last Closed: 2010-04-12 16:26:14 UTC

Description Carl G. 2010-04-12 13:55:34 UTC
Here are the 3 AVCs I'm getting from Chromium on launch:

1)



Résumé:

SELinux is preventing /opt/google/chrome/chrome "read" access on
/opt/google/chrome/libnss3.so.1d.

Description détaillée:

[chrome a un type permissif (chrome_sandbox_t). Cet accès n'a pas été
refusé.]

SELinux denied access requested by chrome. It is not expected that this access
is required by chrome and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Autoriser l'accès:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Informations complémentaires:

Contexte source               staff_u:staff_r:chrome_sandbox_t:s0-s0:c0.c1023
Contexte cible                system_u:object_r:usr_t:s0
Objets du contexte            /opt/google/chrome/libnss3.so.1d [ lnk_file ]
source                        chrome
Chemin de la source           /opt/google/chrome/chrome
Port                          <Inconnu>
Hôte                         BubbleWork.BubbleNet
Paquetages RPM source         google-chrome-unstable-5.0.371.0-43900
Paquetages RPM cible          
Politique RPM                 selinux-policy-3.6.32-108.fc12
Selinux activé               True
Type de politique             targeted
Mode strict                   Enforcing
Nom du plugin                 catchall
Nom de l'hôte                BubbleWork.BubbleNet
Plateforme                    Linux BubbleWork.BubbleNet
                              2.6.32.11-99.fc12.x86_64 #1 SMP Mon Apr 5 19:59:38
                              UTC 2010 x86_64 x86_64
Compteur d'alertes            2
Première alerte              lun 12 avr 2010 09:35:31 EDT
Dernière alerte              lun 12 avr 2010 09:38:10 EDT
ID local                      6d039fab-a92c-4aca-91a8-e7d60a572c48
Numéros des lignes           

Messages d'audit bruts        

node=BubbleWork.BubbleNet type=AVC msg=audit(1271079490.798:31590): avc:  denied  { read } for  pid=3017 comm="chrome" name="libnss3.so.1d" dev=dm-2 ino=4325800 scontext=staff_u:staff_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file

node=BubbleWork.BubbleNet type=SYSCALL msg=audit(1271079490.798:31590): arch=c000003e syscall=2 success=yes exit=4 a0=7fffc84234c0 a1=0 a2=0 a3=6ffffdff items=0 ppid=0 pid=3017 auid=500 uid=500 gid=501 euid=500 suid=500 fsuid=500 egid=501 sgid=501 fsgid=501 tty=(none) ses=1 comm="chrome" exe="/opt/google/chrome/chrome" subj=staff_u:staff_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

2)



Résumé:

SELinux is preventing /opt/google/chrome/chrome "read" access on
/opt/google/chrome/chrome.pak.

Description détaillée:

[chrome a un type permissif (chrome_sandbox_t). Cet accès n'a pas été
refusé.]

SELinux denied access requested by chrome. It is not expected that this access
is required by chrome and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Autoriser l'accès:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Informations complémentaires:

Contexte source               staff_u:staff_r:chrome_sandbox_t:s0-s0:c0.c1023
Contexte cible                system_u:object_r:usr_t:s0
Objets du contexte            /opt/google/chrome/chrome.pak [ file ]
source                        chrome
Chemin de la source           /opt/google/chrome/chrome
Port                          <Inconnu>
Hôte                         BubbleWork.BubbleNet
Paquetages RPM source         google-chrome-unstable-5.0.371.0-43900
Paquetages RPM cible          google-chrome-unstable-5.0.371.0-43900
Politique RPM                 selinux-policy-3.6.32-108.fc12
Selinux activé               True
Type de politique             targeted
Mode strict                   Enforcing
Nom du plugin                 catchall
Nom de l'hôte                BubbleWork.BubbleNet
Plateforme                    Linux BubbleWork.BubbleNet
                              2.6.32.11-99.fc12.x86_64 #1 SMP Mon Apr 5 19:59:38
                              UTC 2010 x86_64 x86_64
Compteur d'alertes            4
Première alerte              lun 12 avr 2010 09:35:31 EDT
Dernière alerte              lun 12 avr 2010 09:38:10 EDT
ID local                      884bddd8-8fa6-4752-8518-bf669035fa2f
Numéros des lignes           

Messages d'audit bruts        

node=BubbleWork.BubbleNet type=AVC msg=audit(1271079490.807:31591): avc:  denied  { read } for  pid=3017 comm="chrome" name="chrome.pak" dev=dm-2 ino=4325396 scontext=staff_u:staff_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file

node=BubbleWork.BubbleNet type=AVC msg=audit(1271079490.807:31591): avc:  denied  { open } for  pid=3017 comm="chrome" name="chrome.pak" dev=dm-2 ino=4325396 scontext=staff_u:staff_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file

node=BubbleWork.BubbleNet type=SYSCALL msg=audit(1271079490.807:31591): arch=c000003e syscall=2 success=yes exit=68719476864 a0=3597c58 a1=0 a2=180 a3=4 items=0 ppid=0 pid=3017 auid=500 uid=500 gid=501 euid=500 suid=500 fsuid=500 egid=501 sgid=501 fsgid=501 tty=(none) ses=1 comm="chrome" exe="/opt/google/chrome/chrome" subj=staff_u:staff_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

3)



Résumé:

SELinux is preventing /opt/google/chrome/chrome "getattr" access on
/opt/google/chrome/chrome.pak.

Description détaillée:

[chrome a un type permissif (chrome_sandbox_t). Cet accès n'a pas été
refusé.]

SELinux denied access requested by chrome. It is not expected that this access
is required by chrome and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Autoriser l'accès:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Informations complémentaires:

Contexte source               staff_u:staff_r:chrome_sandbox_t:s0-s0:c0.c1023
Contexte cible                system_u:object_r:usr_t:s0
Objets du contexte            /opt/google/chrome/chrome.pak [ file ]
source                        chrome
Chemin de la source           /opt/google/chrome/chrome
Port                          <Inconnu>
Hôte                         BubbleWork.BubbleNet
Paquetages RPM source         google-chrome-unstable-5.0.371.0-43900
Paquetages RPM cible          google-chrome-unstable-5.0.371.0-43900
Politique RPM                 selinux-policy-3.6.32-108.fc12
Selinux activé               True
Type de politique             targeted
Mode strict                   Enforcing
Nom du plugin                 catchall
Nom de l'hôte                BubbleWork.BubbleNet
Plateforme                    Linux BubbleWork.BubbleNet
                              2.6.32.11-99.fc12.x86_64 #1 SMP Mon Apr 5 19:59:38
                              UTC 2010 x86_64 x86_64
Compteur d'alertes            2
Première alerte              lun 12 avr 2010 09:35:31 EDT
Dernière alerte              lun 12 avr 2010 09:38:10 EDT
ID local                      391ef64c-f211-4e9c-8fbf-da518b6a9de8
Numéros des lignes           

Messages d'audit bruts        

node=BubbleWork.BubbleNet type=AVC msg=audit(1271079490.807:31592): avc:  denied  { getattr } for  pid=3017 comm="chrome" path="/opt/google/chrome/chrome.pak" dev=dm-2 ino=4325396 scontext=staff_u:staff_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file

node=BubbleWork.BubbleNet type=SYSCALL msg=audit(1271079490.807:31592): arch=c000003e syscall=5 success=yes exit=68719476864 a0=9 a1=7fffc84224f0 a2=7fffc84224f0 a3=7fffc8421fa0 items=0 ppid=0 pid=3017 auid=500 uid=500 gid=501 euid=500 suid=500 fsuid=500 egid=501 sgid=501 fsgid=501 tty=(none) ses=1 comm="chrome" exe="/opt/google/chrome/chrome" subj=staff_u:staff_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Comment 1 Miroslav Grepl 2010-04-12 16:26:14 UTC

*** This bug has been marked as a duplicate of bug 581457 ***

Comment 2 Carl G. 2010-04-12 20:34:44 UTC
Er, sorry for the dupe... I missed 581457...