| Summary: | SELinux is preventing /opt/google/chrome/chrome from 'read' accesses on the file /home/username/.config/google-chrome/Dictionaries/en-US-2-1.bdic. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Ethan Bonick <etbonick> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 15 | CC: | dominick.grift, dwalsh, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:d7e6daf8b3580f0eba54e8777502a1b0975f3fb5e6260dcd1f43065cfd61c0a2 | ||
| Fixed In Version: | | Doc Type: | Bug Fix |
| Last Closed: | 2011-10-06 14:28:59 UTC | Type: | --- |

I updated to the latest Fedora updates and the latest Chrome. I ran Chrome and after a little web browsing the browser stopped working and I got the sealert.

Looks like your home dir is badly mislabeled.

restorecon -R -v /home

How did it get badly mislabeled? I changed the username in the path before I submitted the bug, but I haven't touched any SELinux policies on this machine. The user that had an issue is an LDAP based user where I am using sssd to authenticate. Could this have caused something to become mislabeled?

(In reply to comment #2)
> Looks like your home dir is badly mislabeled.
>
> restorecon -R -v /home

This probably was related to google-chrome/Dictionaries and the way how you installed it.

Ethan, when you ran the command did it change many other labels besides "/home/username/.config/google-chrome/Dictionaries/en-US-2-1.bdic"?

home_root_t is the default label of content in /home

So I am guessing, for some reason the google tools unpacked in /home and then mv'd files around the system.

I don't know if it changed any other labels. I logged in as another different ldap user and ran chrome and don't seem to have any issues. The user that had the problem just had its home directories created just like the second ldap test user. I'll just take it as something somehow got mislabeled and since it seems to be working I won't worry about it.

```
SELinux is preventing /opt/google/chrome/chrome from 'read' accesses on the file /home/username/.config/google-chrome/Dictionaries/en-US-2-1.bdic.

***** Plugin restorecon (99.5 confidence) suggests *************************

If you want to fix the label.
/home/username/.config/google-chrome/Dictionaries/en-US-2-1.bdic default label should be config_home_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /home/username/.config/google-chrome/Dictionaries/en-US-2-1.bdic

***** Plugin catchall (1.49 confidence) suggests ***************************

If you believe that chrome should be allowed read access on the en-US-2-1.bdic file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep chrome /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:home_root_t:s0
Target Objects                /home/username/.config/google-chrome/Dictionaries/en-US-2-1.bdic [ file ]
Source                        chrome
Source Path                   /opt/google/chrome/chrome
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           google-chrome-stable-14.0.835.202-103287
Target RPM Packages
Policy RPM                    selinux-policy-3.9.16-39.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.40.6-0.fc15.x86_64 #1 SMP Tue Oct 4 00:39:50 UTC 2011 x86_64 x86_64
Alert Count                   20
First Seen                    Thu 06 Oct 2011 07:44:30 AM CDT
Last Seen                     Thu 06 Oct 2011 08:15:26 AM CDT
Local ID                      1ce16995-8e50-4ac6-b6a4-4ca023282506

Raw Audit Messages
type=AVC msg=audit(1317906926.404:111): avc: denied { read } for pid=2482 comm="chrome" path="/home/username/.config/google-chrome/Dictionaries/en-US-2-1.bdic" dev=dm-0 ino=1573163 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file

type=SYSCALL msg=audit(1317906926.404:111): arch=x86_64 syscall=recvmsg success=yes exit=EPERM a0=15 a1=7f28df6d5e00 a2=40 a3=ffffffff items=0 ppid=1 pid=2482 auid=10000 uid=10000 gid=10000 euid=10000 suid=10000 fsuid=10000 egid=10000 sgid=10000 fsgid=10000 tty=(none) ses=1 comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Hash: chrome,chrome_sandbox_t,home_root_t,file,read

audit2allow

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t home_root_t:file read;

audit2allow -R

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t home_root_t:file read;
```
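
The triage this report ends on (relabel the file rather than load the catch-all `audit2allow` module), as an added example that is not part of the original bug report or of setroubleshoot. The `EXPECTED_TYPES` table, the function names and the second audit record are assumptions made for illustration; only the `config_home_t` expectation and the first record come from the report.

```python
import re
import shlex

# Sample input: the AVC record quoted in the report, followed by one
# constructed denial on a correctly labeled file for contrast.
SAMPLE_AUDIT = '''\
type=AVC msg=audit(1317906926.404:111): avc: denied { read } for pid=2482 comm="chrome" path="/home/username/.config/google-chrome/Dictionaries/en-US-2-1.bdic" dev=dm-0 ino=1573163 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file
type=AVC msg=audit(1317906930.100:112): avc: denied { write } for pid=2482 comm="chrome" path="/home/username/.config/example/state.db" dev=dm-0 ino=1573200 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:config_home_t:s0 tclass=file
'''

# Assumed expected-label table (first match wins). The single entry mirrors the
# restorecon plugin's hint in the report; on a real host ask the loaded policy
# instead with: matchpathcon <path>
EXPECTED_TYPES = [(re.compile(r"^/home/[^/]+/\.config(/.*)?$"), "config_home_t")]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?path="(?P<path>[^"]+)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    # user:role:type:level -> type (the MLS level may itself contain colons)
    return context.split(":")[2]

def expected_type(path):
    for pattern, setype in EXPECTED_TYPES:
        if pattern.match(path):
            return setype
    return None

def triage(audit_text):
    """Classify each AVC denial as a labeling problem or a policy question."""
    findings = []
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        actual = selinux_type(m["tcontext"])
        wanted = expected_type(m["path"])
        if wanted and wanted != actual:
            verdict, action = "mislabeled", "restorecon -v " + shlex.quote(m["path"])
        else:
            verdict, action = "policy", "review before building any audit2allow module"
        findings.append({"path": m["path"], "source": selinux_type(m["scontext"]),
                         "actual": actual, "expected": wanted, "tclass": m["tclass"],
                         "perms": m["perms"].split(), "verdict": verdict, "action": action})
    return findings

for f in triage(SAMPLE_AUDIT):
    print(f["verdict"], f["actual"], "->", f["expected"], "|", f["action"])
```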