| Summary: | SELinux is preventing /opt/google/chrome/chrome from using the 'sys_nice' capabilities. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | mdeggers |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 15 | CC: | dominick.grift, dwalsh, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:5b76676a148884408590b0d9d7c9b31466d58ccd99f677c52470768475f157eb | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-10-18 08:09:59 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
We want to dontaudit this. This is now fixed. Apparently DBUS hung up for my userid. I ran Google Chrome successfully on another account. I could not log into any account using KDE, although many KDE applications would still run. After dropping down one kernel version and then moving back up to the current version, Google Chrome works as expected. I'm sure there are less brute-force methods for fixing this problem, but for now I'm up and running. It would be nice if the segmentation faults for the failing applications had a bit more detail in their messages. Please close. |
SELinux is preventing /opt/google/chrome/chrome from using the 'sys_nice' capabilities. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that chrome should have the sys_nice capability by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep chrome /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context unconfined_u:unconfined_r:chrome_sandbox_t:s0 Target Context unconfined_u:unconfined_r:chrome_sandbox_t:s0 Target Objects Unknown [ capability ] Source chrome Source Path /opt/google/chrome/chrome Port <Unknown> Host (removed) Source RPM Packages google-chrome-stable-14.0.835.202-103287 Target RPM Packages Policy RPM selinux-policy-3.9.16-39.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 2.6.40.6-0.fc15.i686 #1 SMP Tue Oct 4 00:51:19 UTC 2011 i686 i686 Alert Count 1 First Seen Mon 17 Oct 2011 11:15:24 AM PDT Last Seen Mon 17 Oct 2011 11:15:24 AM PDT Local ID 539da368-f33e-47d5-8334-9b296d1d67b5 Raw Audit Messages type=AVC msg=audit(1318875324.343:71): avc: denied { sys_nice } for pid=2660 comm="chrome" capability=23 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0 tclass=capability type=SYSCALL msg=audit(1318875324.343:71): arch=i386 syscall=sched_setscheduler success=yes exit=0 a0=3 a1=0 a2=bfa430ac a3=b4684aa0 items=0 ppid=1 pid=2660 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0 key=(null) Hash: chrome,chrome_sandbox_t,chrome_sandbox_t,capability,sys_nice audit2allow #============= chrome_sandbox_t ============== #!!!! This avc is allowed in the current policy allow chrome_sandbox_t self:capability sys_nice; audit2allow -R #============= chrome_sandbox_t ============== #!!!! This avc is allowed in the current policy allow chrome_sandbox_t self:capability sys_nice;