Bug 589885

Summary: SELinux is preventing /opt/google/chrome/chrome-sandbox access to a leaked /dev/null file descriptor
Product: Fedora
Reporter: Cesko Voeten <cvoeten>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED WORKSFORME
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 13
CC: dwalsh, mgrepl
Target Milestone: ---
Target Release: ---
Hardware: i386
OS: Linux
Whiteboard: setroubleshoot_trace_hash:185770ef133a3828cc8a0f3e3bf68247bcbaa55955a984c10420184a242b4fa2
Doc Type: Bug Fix
Last Closed: 2010-05-08 12:31:52 UTC

Description Cesko Voeten 2010-05-07 08:03:23 UTC
Samenvatting:

SELinux belet /opt/google/chrome/chrome-sandbox toegang tot een gelekte
/dev/null bestands beschrijving.

Gedetailleerde omschrijving:

[chrome-sandbox heeft een toelatend type (chrome_sandbox_t). Deze toegang was
niet verboden.]

SELinux belet toegang gevraagd door het chrome-sandbox commando. Het lijkt erop
dat dit, of een lekkende beschrijving is, of chrome-sandbox output was omgeleid
naar een bestand waartoe toegang niet toegestaan is. Lekken kunnen gewoonlijk
genegeerd worden omdat SELinux de lek sluit en de fout rapporteert. De
toepassing gebruikt de beschrijving niet, dus het draait correct. Als dit een
omleiding is, zul je geen output in /dev/null krijgen. Je moet een bugzilla voor
selinux-policy aanmaken, en dit wordt doorgegeven van het betreffende pakket. Je
kunt deze avc veilig negeren.

Teogang toestaan:

Je kunt een locale gedragslijn module maken om deze toegang toe te staan - zie
FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additionele informatie:

Bron context                  unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
                              0.c1023
Doel context                  unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0
                              :c0.c1023
Doel objecten                 /dev/null [ fd ]
Bron                          chrome-sandbox
Bron pad                      /opt/google/chrome/chrome-sandbox
Poort                         <Onbekend>
Host                          (verwijderd)
Bron RPM pakketten            google-chrome-beta-5.0.375.29-46008
Doel RPM pakketten            
Gedragslijn RPM               selinux-policy-3.7.19-10.fc13
SELinux aangezet              True
Gedragslijn type              targeted
Enforcing modus               Enforcing
Pluginnaam                    leaks
Hostnaam                      (verwijderd)
Platform                      Linux (verwijderd) 2.6.33.3-79.fc13.i686 #1 SMP
                              Mon May 3 23:13:40 UTC 2010 i686 i686
Aantal waarschuwingen         4
Eerst gezien op               do 06 mei 2010 15:45:19 CEST
Laatst gezien op              do 06 mei 2010 15:45:57 CEST
Locale ID                     2a7f33bc-a4e5-4d87-b0bc-4b788c7438dd
Regelnummers                  

Onbewerkte audit boodschappen 

node=(verwijderd) type=AVC msg=audit(1273153557.323:60): avc:  denied  { use } for  pid=4352 comm="chrome-sandbox" path="/dev/null" dev=devtmpfs ino=3918 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 tclass=fd

node=(verwijderd) type=AVC msg=audit(1273153557.323:60): avc:  denied  { use } for  pid=4352 comm="chrome-sandbox" path="/dev/null" dev=devtmpfs ino=3918 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 tclass=fd

node=(verwijderd) type=SYSCALL msg=audit(1273153557.323:60): arch=40000003 syscall=11 success=yes exit=0 a0=bd6da1c a1=bd6daa0 a2=bd6db08 a3=bd6daa0 items=0 ppid=4345 pid=4352 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="chrome-sandbox" exe="/opt/google/chrome/chrome-sandbox" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  leaks,chrome-sandbox,chrome_sandbox_t,unconfined_dbusd_t,fd,use
audit2allow suggests:

#============= chrome_sandbox_t ==============
#!!!! This avc can be allowed using the boolean 'allow_domain_fd_use'

allow chrome_sandbox_t unconfined_dbusd_t:fd use;

Comment 1 Cesko Voeten 2010-05-07 08:13:34 UTC
OK, I don't know why this is in Dutch, but I'll attempt to translate:

Summary:

SELinux is preventing /opt/google/chrome/chrome-sandbox access to a leaked
/dev/null file descriptor.

Detailed description:

[chrome-sandbox has an allowing type (chrome_sandbox_t). This access was not denied.]

SELinux is preventing access requested by the chrome-sandbox command. It looks like this, either is a leaking description (should that be: descriptor?), or chrome-sandbox output was rerouted to a file to which access is not allowed. Leaks can usually be ignored since SELinux closes the leak and reports the error. The application does not use the description, so it is running correctly. If this is a rerouting, you will not obtain output in /dev/null. You must create a bugzilla for selinux-policy, and this will be put through of the package in question (I don't understand that sentence in either Dutch or English). You can safely ignore this avc.

Allowing access: (that should be spelled "toegang" by the way, not "teogang")

You can make a local behaviour-line module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional information:

Source of context             unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
Target of context             unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023
Source of objects             /dev/null [ fd ]
Source                        chrome-sandbox
Path of source                /opt/google/chrome/chrome-sandbox
Port                          <Unknown>
Host                          (removed)
Source of RPM packages        google-chrome-beta-5.0.375.29-46008
Target RPM packages
Behaviour-line RPM            selinux-policy-3.7.19-10.fc13
SELinux enabled               True
Behavioural-line type         targeted
Enforcing mode                Enforcing
Plugin-name                   leaks
Hostname                      (removed)
Platform                      Linux (removed) 2.6.33.3-79.fc13.i686 #1 SMP
                              Mon May 3 23:13:40 UTC 2010 i686 i686
Number of warnings            4
First seen on                 do 06 mei 2010 15:45:19 CEST
Last seen on                  do 06 mei 2010 15:45:57 CEST
Locale ID                     2a7f33bc-a4e5-4d87-b0bc-4b788c7438dd
Line-numbers                  

Unedited audit messages

node=(verwijderd) type=AVC msg=audit(1273153557.323:60): avc:  denied  { use } for  pid=4352 comm="chrome-sandbox" path="/dev/null" dev=devtmpfs ino=3918 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 tclass=fd

node=(verwijderd) type=AVC msg=audit(1273153557.323:60): avc:  denied  { use } for  pid=4352 comm="chrome-sandbox" path="/dev/null" dev=devtmpfs ino=3918 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 tclass=fd

node=(verwijderd) type=SYSCALL msg=audit(1273153557.323:60): arch=40000003 syscall=11 success=yes exit=0 a0=bd6da1c a1=bd6daa0 a2=bd6db08 a3=bd6daa0 items=0 ppid=4345 pid=4352 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="chrome-sandbox" exe="/opt/google/chrome/chrome-sandbox" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  leaks,chrome-sandbox,chrome_sandbox_t,unconfined_dbusd_t,fd,use
audit2allow suggests:

#============= chrome_sandbox_t ==============
#!!!! This avc can be allowed using the boolean 'allow_domain_fd_use'

allow chrome_sandbox_t unconfined_dbusd_t:fd use;

The application in question is Google Chrome, it is unfortunately closed source. If that means you can't help me I understand, of course.
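
An added example, not part of this bug report: a small Python triage script that parses AVC records like the ones pasted above, flags the "fd use" pattern that setroubleshoot's leaks plugin describes (the descriptor is closed by SELinux, so the denial is low risk and the fix belongs in the package that leaked it), and prints the allow rule audit2allow would suggest. The first sample record is the denial from this report; the second is a constructed, unrelated file denial used only as a contrast.

```python
import re

# Sample records constructed for this example: the first is the fd-use denial
# quoted in this bug report, the second is a constructed, unrelated file denial
# used only as a contrast (user_home_t is a standard Fedora policy type).
SAMPLE_AUDIT = """\
node=(removed) type=AVC msg=audit(1273153557.323:60): avc:  denied  { use } for  pid=4352 comm="chrome-sandbox" path="/dev/null" dev=devtmpfs ino=3918 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 tclass=fd
node=(removed) type=AVC msg=audit(1273153557.323:61): avc:  denied  { read } for  pid=4352 comm="chrome-sandbox" path="/home/user/.bashrc" dev=sda1 ino=1234 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None for non-AVC lines (e.g. SYSCALL)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    rec.update((k, v.strip('"')) for k, v in FIELD_RE.findall(m.group("fields")))
    # A context is user:role:type[:range]; the type is what policy rules name.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def is_fd_leak(rec):
    """The case setroubleshoot's 'leaks' plugin reports: a domain is denied 'use'
    of a file descriptor inherited from another domain. SELinux closes the
    descriptor, so the process keeps running and the AVC is low risk."""
    return rec["result"] == "denied" and rec["tclass"] == "fd" and "use" in rec["perms"]


def allow_rule(rec):
    """The allow rule audit2allow would print for this record."""
    perms = rec["perms"][0] if len(rec["perms"]) == 1 else "{ " + " ".join(rec["perms"]) + " }"
    return f"allow {rec['stype']} {rec['ttype']}:{rec['tclass']} {perms};"


def triage(line):
    rec = parse_avc(line)
    if rec is None:
        return None
    verdict = ("leaked fd: benign, fix the leak in the originating package "
               "(or set the boolean allow_domain_fd_use)" if is_fd_leak(rec)
               else "review: real access denial, do not blanket-allow")
    return {"comm": rec.get("comm"), "rule": allow_rule(rec), "verdict": verdict}


if __name__ == "__main__":
    for line in SAMPLE_AUDIT.splitlines():
        print(triage(line))
```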

Comment 2 Daniel Walsh 2010-05-07 12:56:11 UTC
cvoeten,  I only look at the avc data at the bottom.  I don't care about the translation.    But thanks anyways.

The question is how did you get this to happen.  Do you have chrome running as a dbus session service?  It can be ignored, but it is very strange that you would have a leaked file descriptor from dbus to chrome.

Comment 3 Cesko Voeten 2010-05-08 12:31:52 UTC
The bug used to occur whenever I would start Chrome. But since today's SELinux policy update, it, for some reason, no longer does. So I guess this bug report can be closed.

As for what happened, I don't know much about Chrome's internals, but I know that it sandboxes every browser tab, and it may very well be that those sandboxed tabs communicate with the renderer over dbus.

I'll close this bug now as the issue seems to have resolved. Sorry to have wasted your time.