| Summary: | SELinux is preventing /usr/lib64/chromium-browser/chromium-browser from read, append access on the file /dev/shm/.org.chromium.Chromium.cymVpB (deleted). | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Scotty Delicious <scottydelicious> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 16 | CC: | dominick.grift, dwalsh, mgrepl, torvalds |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:aa2954760f324134e55a1827b38bac9b7e59cda812550c804dbc3d0806485dac | ||
| Fixed In Version: | selinux-policy-3.10.0-55.fc16 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-11-10 17:30:28 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
I can no longer load any pages in Chromium after the last update. The chromium package is from the Fedora-Chromium repo. yum -y update selinux-policy --enablerepo=updates-testing Now google-chrome just crashes entirely:
[6374:6374:44773344936:ERROR:nacl_fork_delegate_linux.cc(78)] Bad NaCl helper startup ack (0 bytes)
[6368:6368:44773382981:FATAL:zygote_host_linux.cc(198)] Check failed: pid_ > 0. Did not find zygote process (using sandbox binary /opt/google/chrome/chrome-sandbox)
and then it aborts. The raw audit has changed, but is clearly not any better:
Raw Audit Messages
type=AVC msg=audit(1320424800.705:25203): avc: denied { ptrace } for pid=6143 comm="chrome-sandbox" scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1320424800.705:25203): arch=x86_64 syscall=getdents success=no exit=EACCES a0=4 a1=13f6068 a2=8000 a3=1 items=0 ppid=6132 pid=6143 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=pts1 ses=13 comm=chrome-sandbox exe=/opt/google/chrome/chrome-sandbox subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)
Please just allow google-chrome to ptrace its children. And please just install google-chrome and *test* your changes. It's not like chrome is some unusual piece of software - it has overtaken firefox as the browser of choice.
Btw, if anybody thinks that selinux rules like this add security, they are just wrong. The *ONLY* thing things like this result in is people saying "selinux is crap" and then turn it off, or turn it into permissive mode and ignore the stupid warnings. We are working with the chrome sanbox people right now to get SELinux and there sandbox to work together. We have fixes in selinux-policy-3.10.0-53 and selinux-policy-3.10.0-54 for this. If you want to turn off SELinux lock down of chrome-sandbox you can by executing setsebool -P unconfined_chrome_sandbox_transition=0 selinux-policy-3.10.0-55.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-55.fc16 selinux-policy-3.10.0-55.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report. |
libreport version: 2.0.6 executable: /usr/bin/python hashmarkername: setroubleshoot kernel: 3.1.0-5.fc16.x86_64 reason: SELinux is preventing /usr/lib64/chromium-browser/chromium-browser from read, append access on the file /dev/shm/.org.chromium.Chromium.cymVpB (deleted). time: Sun Oct 30 12:33:55 2011 description: :SELinux is preventing /usr/lib64/chromium-browser/chromium-browser from read, append access on the file /dev/shm/.org.chromium.Chromium.cymVpB (deleted). : :***** Plugin catchall (100. confidence) suggests *************************** : :If you believe that chromium-browser should be allowed read append access on the .org.chromium.Chromium.cymVpB (deleted) file by default. :Then you should report this as a bug. :You can generate a local policy module to allow this access. :Do :allow this access for now by executing: :# grep chromium-browse /var/log/audit/audit.log | audit2allow -M mypol :# semodule -i mypol.pp : :Additional Information: :Source Context unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c : 0.c1023 :Target Context unconfined_u:object_r:tmpfs_t:s0 :Target Objects /dev/shm/.org.chromium.Chromium.cymVpB (deleted) [ : file ] :Source chromium-browse :Source Path /usr/lib64/chromium-browser/chromium-browser :Port <Unknown> :Host (removed) :Source RPM Packages chromium-14.0.835.186-1.fc16 :Target RPM Packages :Policy RPM selinux-policy-3.10.0-46.fc16 :Selinux Enabled True :Policy Type targeted :Enforcing Mode Enforcing :Host Name (removed) :Platform Linux (removed) 3.1.0-5.fc16.x86_64 #1 SMP Thu Oct : 27 03:46:50 UTC 2011 x86_64 x86_64 :Alert Count 10 :First Seen Sun 30 Oct 2011 12:29:54 PM CDT :Last Seen Sun 30 Oct 2011 12:30:30 PM CDT :Local ID da5cd13e-8a55-4ab3-8109-d1381a7a3f9e : :Raw Audit Messages :type=AVC msg=audit(1319995830.222:93): avc: denied { read append } for pid=2540 comm="chromium-browse" path=2F6465762F73686D2F2E6F72672E6368726F6D69756D2E4368726F6D69756D2E63796D567042202864656C6574656429 dev=tmpfs ino=30309 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file : : :type=SYSCALL msg=audit(1319995830.222:93): arch=x86_64 syscall=recvmsg success=yes exit=EPERM a0=13 a1=7fed27bb3000 a2=40 a3=0 items=0 ppid=1 pid=2540 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm=chromium-browse exe=/usr/lib64/chromium-browser/chromium-browser subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null) : :Hash: chromium-browse,chrome_sandbox_t,tmpfs_t,file,read,append : :audit2allow : :#============= chrome_sandbox_t ============== :allow chrome_sandbox_t tmpfs_t:file { read append }; : :audit2allow -R : :#============= chrome_sandbox_t ============== :allow chrome_sandbox_t tmpfs_t:file { read append }; :