Bug 748315

Summary: SELinux is preventing /opt/google/chrome/chrome from 'getattr' accesses on the file /dev/shm/.com.google.Chrome.HGSGzD (deleted).
Product: [Fedora] Fedora Reporter: Mitrandir <mirvana-dmitry>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED WONTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 14CC: dominick.grift, dwalsh, mgrepl, thinkreallydifferent
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:d7d4be009312bad0b969543da0940e6d09f895feef6c0b5e584ded3ad0628821
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-08-16 14:41:43 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Mitrandir 2011-10-24 05:35:11 UTC 
SELinux is preventing /opt/google/chrome/chrome from 'getattr' accesses on the file /dev/shm/.com.google.Chrome.HGSGzD (deleted).

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that chrome should be allowed getattr access on the .com.google.Chrome.HGSGzD (deleted) file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep chrome /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
                              0.c1023
Target Context                unconfined_u:object_r:tmpfs_t:s0
Target Objects                /dev/shm/.com.google.Chrome.HGSGzD (deleted) [
                              file ]
Source                        chrome
Source Path                   /opt/google/chrome/chrome
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           google-chrome-stable-14.0.835.202-103287
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-44.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.35.14-97.fc14.i686.PAE #1 SMP Sat Sep 17
                              00:22:29 UTC 2011 i686 i686
Alert Count                   5
First Seen                    Mon 24 Oct 2011 08:33:29 AM MSK
Last Seen                     Mon 24 Oct 2011 08:33:30 AM MSK
Local ID                      4b85c57e-f117-4a51-bdeb-6fb53eaacb09

Raw Audit Messages
type=AVC msg=audit(1319434410.266:28692): avc:  denied  { getattr } for  pid=4878 comm="chrome" path=2F6465762F73686D2F2E636F6D2E676F6F676C652E4368726F6D652E484753477A44202864656C6574656429 dev=tmpfs ino=67063 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file


type=SYSCALL msg=audit(1319434410.266:28692): arch=i386 syscall=fstat64 success=no exit=EACCES a0=19 a1=bfb69330 a2=7568fff4 a3=bfb693c4 items=0 ppid=1 pid=4878 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=22 comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Hash: chrome,chrome_sandbox_t,tmpfs_t,file,getattr

audit2allow

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t tmpfs_t:file getattr;

audit2allow -R

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t tmpfs_t:file getattr;
Comment 1 Miroslav Grepl 2011-10-24 06:11:56 UTC 
Any idea what process created /dev/shm/.com.google.Chrome.HGSGzD?

Are you able to reproduce it?
Comment 2 Miroslav Grepl 2011-10-24 06:12:21 UTC 
*** Bug 748318 has been marked as a duplicate of this bug. ***
Comment 3 Fedora End Of Life 2012-08-16 14:41:46 UTC 
This message is a notice that Fedora 14 is now at end of life. Fedora 
has stopped maintaining and issuing updates for Fedora 14. It is 
Fedora's policy to close all bug reports from releases that are no 
longer maintained.  At this time, all open bugs with a Fedora 'version'
of '14' have been closed as WONTFIX.

(Please note: Our normal process is to give advanced warning of this 
occurring, but we forgot to do that. A thousand apologies.)

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, feel free to reopen 
this bug and simply change the 'version' to a later Fedora version.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we were unable to fix it before Fedora 14 reached end of life. If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora, you are encouraged to click on 
"Clone This Bug" (top right of this page) and open it against that 
version of Fedora.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping