Bug 676863

Summary: google-chrome :: try to access a file that it shouldn't (CLHEP)
Product: [Fedora] Fedora
Reporter: Adrian Sevcenco <adrian.sev>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: unspecified
Version: 14
CC: dcantrell, dwalsh, mgrepl, sdsmall
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-02-11 21:19:12 UTC

Description Adrian Sevcenco 2011-02-11 15:52:00 UTC
Description of problem:
I have this in my SELinux audit logs:

type=AVC msg=audit(1297435306.238:20321): avc:  denied  { read } for  pid=22631 comm="chrome" name="clhep" dev=sda5 ino=8195388 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file

type=SYSCALL msg=audit(1297435306.238:20321): arch=c000003e syscall=2 success=no exit=-2 a0=7fffb3534570 a1=0 a2=0 a3=2f7065686c632f70 items=0 ppid=0 pid=22631 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=7 comm="chrome" exe="/opt/google/chrome/chrome" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

It seems that it tries to access my high energy physics library (CLHEP) location...
The question is WHY?


Version-Release number of selected component (if applicable):
google-chrome-stable-9.0.597.94-73967.x86_64


How reproducible:
I imagine that having an installed CLHEP library, having the main export variables ($CLHEP_BASE_DIR $CLHEP_INCLUDE_DIR $CLHEP_LIB $CLHEP_LIB_DIR) point to a symlink that points to a version of CLHEP,
and running chrome will give the same audit results.


Steps to Reproduce:
1.
2.
3.
  
Actual results:
"SELinux is preventing /opt/google/chrome/chrome from read access on the lnk_file /home/physics-tools/clhep/clhep" 

Expected results:
NOT this access 

Additional info:

Source Context                unconfined_u:unconfined_r:chrome_sandbox_t
                              :SystemLow-SystemHigh
Target Context                unconfined_u:object_r:user_home_t:SystemLow

Target Objects                /home/physics-tools/clhep/clhep [ lnk_file ]

Source                        chrome
Source Path                   /opt/google/chrome/chrome

Source RPM Packages           google-chrome-stable-9.0.597.94-73967
Target RPM Packages
Policy RPM                    selinux-policy-3.9.7-29.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive 

adrian@sev: ~ $ echo $CLHEP_BASE_DIR
/home/physics-tools/clhep/clhep

adrian@sev: ~ $ stat /home/physics-tools/clhep/clhep
  File: `/home/physics-tools/clhep/clhep' -> `/home/physics-tools/clhep/2.1.0.0'
  Size: 33              Blocks: 2          IO Block: 1024   symbolic link
Device: 805h/2053d      Inode: 8195388     Links: 1
Access: (0777/lrwxrwxrwx)  Uid: (  500/  adrian)   Gid: (  500/  adrian)
Access: 2010-11-02 15:10:40.000000000 +0200
Modify: 2010-11-02 15:10:40.000000000 +0200
Change: 2010-11-02 15:10:40.000000000 +0200

adrian@sev: ~ $ ls -lZ /home/physics-tools/clhep/clhep
lrwxrwxrwx. adrian adrian unconfined_u:object_r:user_home_t:SystemLow /home/physics-tools/clhep/clhep -> /home/physics-tools/clhep/2.1.0.0/

Comment 1 Daniel Walsh 2011-02-11 15:57:41 UTC
Did you start chrome while sitting in this directory?  Were you looking at content in this directory with chrome?  chrome and firefox, for that matter, leak lots of open file descriptors, so this could be a leak from chrome to the sandbox, but I seldom if ever have seen a leak of a link file descriptor.

Comment 2 Adrian Sevcenco 2011-02-11 16:07:30 UTC
Nope, negative on both questions ... I start chrome from the menu and I have no idea what working directory applications started this way have ...
and none of the terminals used had been in that directory .. It is happening regardless of the state (log out from KDE, log in again, start chrome and watch as the AVC SELinux message appears telling me about what happened).

Comment 3 Stephen Smalley 2011-02-11 16:40:24 UTC
What does printenv | grep clhep show?

Comment 4 Daniel Walsh 2011-02-11 16:48:19 UTC
Also anything in .bashrc or .bash_profile?

Comment 5 Adrian Sevcenco 2011-02-11 21:01:21 UTC
(In reply to comment #4)
> Also anything in .bashrc or .bash_profile?

Well, of course it shows a lot! CLHEP has the bin and lib directories in PATH and in LD_LIBRARY_PATH

.bashrc script for clhep:

adrian@sev: ~ $ cat /home/physics-tools/env/clhep_scr 
##
## CLHEP ##
##

export CLHEP_BASE_DIR=${tools}/clhep/clhep

export CLHEP_INCLUDE_DIR=${CLHEP_BASE_DIR}/include
export CLHEP_LIB_DIR=${CLHEP_BASE_DIR}/lib

export PATH=$PATH:${CLHEP_BASE_DIR}/bin
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:${CLHEP_LIB_DIR}

export C_INCLUDE_PATH=$C_INCLUDE_PATH:${CLHEP_INCLUDE_DIR}
export CPLUS_INCLUDE_PATH=$CPLUS_INCLUDE_PATH:${CLHEP_INCLUDE_DIR}

But what is the connection with chrome???

Just for reference, I will put the relevant printenv output here:

adrian@sev: ~ $ printenv | grep clhep     
CLHEP_LIB_DIR=/home/physics-tools/clhep/clhep/lib
CPLUS_INCLUDE_PATH=/home/physics-tools/PYTHIA8/include::/home/physics-tools/clhep/clhep/include:/home/physics-tools/geant4/include/:/home/physics-tools/root/root/include:/home/physics-tools/alice/aliroot/include
LD_LIBRARY_PATH=/home/physics-tools/PYTHIA8/lib:/lib:/usr/lib:/usr/local/lib:/usr/X11R6/lib:/lib:/usr/lib:/usr/local/lib:/usr/X11R6/lib:/usr/java/default/jre/lib:/usr/lib64/qt-3.3/lib:/home/adrian/ahome/lib:/home/physics-tools/clhep/clhep/lib:/home/physics-tools/geant4/lib/Linux-g++:/home/physics-tools/clhep/clhep/lib:/lib:/home/physics-tools/geant4/lib/Linux-g++:/home/physics-tools/alien/api/lib:/home/physics-tools/alien/globus/lib:/home/physics-tools/root/root/lib:/home/physics-tools/alice/aliroot/lib/tgt_linuxx8664gcc:/home/physics-tools/alice/geant3/lib/tgt_linuxx8664gcc
PATH=/home/physics-tools/PYTHIA8/bin:/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin:/usr/X11R6/bin:/usr/java/default/jre/bin:/usr/lib64/qt-3.3/bin:.:/home/adrian/ahome/bin:/home/physics-tools/clhep/clhep/bin:/home/adrian/geant4/bin/Linux-g++:/home/physics-tools/alien/api/bin:/home/physics-tools/alien/globus/bin:/home/physics-tools/root/root/bin:/bin:/home/physics-tools/alice/aliroot/bin/tgt_linuxx8664gcc
C_INCLUDE_PATH=/home/physics-tools/PYTHIA8/include::/home/physics-tools/clhep/clhep/include:/home/physics-tools/geant4/include/:/home/physics-tools/root/root/include:/home/physics-tools/alice/aliroot/include
CLHEP_BASE_DIR=/home/physics-tools/clhep/clhep
CLHEP_INCLUDE_DIR=/home/physics-tools/clhep/clhep/include

Thanks for looking into it!
Adrian

Comment 6 Stephen Smalley 2011-02-11 21:15:19 UTC
If it is in your LD_LIBRARY_PATH, then the dynamic linker will try to search it when starting up any dynamically linked executable, including chrome.  Just dontaudit it.

Comment 7 Adrian Sevcenco 2011-02-11 21:19:12 UTC
OK, mystery solved! I will add the proper SE policy.
Thanks!!
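The mechanism comment 6 describes and the fix comment 7 intends, as an added example that is not part of the bug thread and not Fedora's selinux-policy code. The script lists which entries of a colon-separated LD_LIBRARY_PATH live under /home (every one of them is probed by ld.so at exec time for any dynamically linked program, chrome included, and probing a path whose component is a symlink such as clhep/clhep needs lnk_file:read, the exact access in the AVC), and it turns the AVC record into the dontaudit policy module comment 6 suggests. The AVC line and the path list are constructed copies of what the reporter posted; the module name "chromeclhep" is an assumed name.

```shell
#!/bin/sh
# Added example (not from the bug thread or from selinux-policy):
#   1. show which LD_LIBRARY_PATH entries the loader will search under /home;
#   2. derive a dontaudit module from the AVC record, the same rule that
#      `audit2allow -D` would produce for this denial.

# Constructed copy of the AVC record from the bug description.
AVC='type=AVC msg=audit(1297435306.238:20321): avc:  denied  { read } for  pid=22631 comm="chrome" name="clhep" dev=sda5 ino=8195388 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file'

# Constructed, shortened version of the reporter's LD_LIBRARY_PATH
# (note the duplicate clhep entry, as in the original).
LDP='/home/physics-tools/PYTHIA8/lib:/lib:/usr/lib:/home/physics-tools/clhep/clhep/lib:/home/physics-tools/geant4/lib/Linux-g++:/home/physics-tools/clhep/clhep/lib'

# Print the unique /home entries of a colon-separated search path.
# ld.so probes each of these for every shared library a program needs;
# if a path component is a symlink (clhep/clhep here), following it
# requires lnk_file:read on that symlink, which is what was denied.
ld_path_home_entries() {
    printf '%s\n' "$1" | tr ':' '\n' | grep '^/home/' | sort -u
}

# Extract "source_type target_type class perm..." from an AVC record.
avc_fields() {
    printf '%s\n' "$1" | sed -n \
        's/.*{ \([a-z_ ]*\) }.*scontext=[^:]*:[^:]*:\([a-z_]*\):.*tcontext=[^:]*:[^:]*:\([a-z_]*\):.*tclass=\([a-z_]*\).*/\2 \3 \4 \1/p'
}

# Emit policy module source (.te) that silences the denial. dontaudit
# does not grant the access; it only stops the AVC from being logged.
dontaudit_module() {
    mod=$1
    set -- $(avc_fields "$2")
    src=$1; tgt=$2; cls=$3; shift 3; perms=$*
    cat <<EOF
module $mod 1.0;

require {
    type $src;
    type $tgt;
    class $cls { $perms };
}

dontaudit $src $tgt:$cls { $perms };
EOF
}

# Stand-alone run: the loader's /home search list, then the module source.
ld_path_home_entries "$LDP"
dontaudit_module chromeclhep "$AVC"
```

To confirm the loader really walks those directories, run the program with `LD_DEBUG=libs` and watch the `search path=` / `trying file=` lines. To install the generated module, save the output as chromeclhep.te and run `checkmodule -M -m -o chromeclhep.mod chromeclhep.te`, `semodule_package -o chromeclhep.pp -m chromeclhep.mod`, `semodule -i chromeclhep.pp`; `audit2allow -D -M chromeclhep < /var/log/audit/audit.log` does the same from the raw log. The cleaner fix is not to put symlinked home directories on LD_LIBRARY_PATH for every process in the session at all.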