Bug 749601

Summary: SEAlert browser troubleshooting information is incorrect for Chrome-sandbox
Product: [Fedora] Fedora Reporter: Martin Thomas <sebuki>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED WONTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 14CC: clydekunkel7734, dominick.grift, dwalsh, fedora, hundred17, johannbg, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:d138a8cca346a2d9acaf8892df4e53d1b9d336ac7faec28a76945bbedf488613
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 624506 Environment:
google-chrome-stable-15.0.874.102-106587.x86_64 setroubleshoot-server-3.0.38-1.fc14.x86_64 selinux-policy-3.9.7-44.fc14.noarch
Last Closed: 2012-08-16 14:41:57 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Martin Thomas 2011-10-27 16:17:18 UTC 
The alert browser has this suggestion for allowing chrome-sandbox access:

You should report this as a bug.
You can generate a local policy module to allow this access.
Allow this access for now by executing:
# grep chrome-sandbox /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Unfortunately, this will result in an error message:

# grep chrome-sandbox /var/log/audit/audit.log | audit2allow -M mypol
compilation failed:
mypol.te:6:ERROR 'syntax error' at token '' on line 6:


/usr/bin/checkmodule:  error(s) encountered while parsing configuration
/usr/bin/checkmodule:  loading policy configuration from mypol.te


The reason is that the audit log does not have "chrome-sandbox" but instead "chrome_sandbox":


grep chrome_sandbox /var/log/audit/audit.log | tail -1
type=SYSCALL msg=audit(1319725741.759:32692): arch=c000003e syscall=59 success=no exit=-13 a0=7fab72547928 a1=7fab7255c780 a2=7fff449c4a40 a3=7fff449c0860 items=0 ppid=1 pid=14244 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="chrome" exe="/opt/google/chrome/chrome" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

The solution text should be changed accordingly.
Comment 1 Daniel Walsh 2011-10-27 17:46:41 UTC 
Please attach the actual alert including the AVC.
Comment 2 Fedora End Of Life 2012-08-16 14:41:59 UTC 
This message is a notice that Fedora 14 is now at end of life. Fedora 
has stopped maintaining and issuing updates for Fedora 14. It is 
Fedora's policy to close all bug reports from releases that are no 
longer maintained.  At this time, all open bugs with a Fedora 'version'
of '14' have been closed as WONTFIX.

(Please note: Our normal process is to give advanced warning of this 
occurring, but we forgot to do that. A thousand apologies.)

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, feel free to reopen 
this bug and simply change the 'version' to a later Fedora version.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we were unable to fix it before Fedora 14 reached end of life. If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora, you are encouraged to click on 
"Clone This Bug" (top right of this page) and open it against that 
version of Fedora.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping