This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours

Bug 843589

Summary: SELinux breaking Native Client (Google Chrome), regression from F16
Product: [Fedora] Fedora Reporter: Roland McGrath <roland>
Component: selinux-policy-targetedAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED WORKSFORME QA Contact: Ben Levenson <benl>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 17CC: carwyn, dwalsh, eparis, mikhail.v.gavrilov, sandro
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-06-07 10:49:06 EDT Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Attachments:
Description Flags
ausearch -m user_avc
none
ausearch -m user_avc
none
audit.log
none
audit.log none

Description Roland McGrath 2012-07-26 13:33:10 EDT
Description of problem:
SELinux policy (presumably) breaks Google Chrome's Native Client functionality.
The same versions of Google Chrome work on Fedora 16.

Version-Release number of selected component (if applicable):
3.10.0-140.fc7

How reproducible:
100%

Steps to Reproduce:
1.Install Google Chrome
2.Run 'google-chrome --enable-nacl' from a terminal where you can watch the output.
3.Navigate to http://www.naclbox.com/, select Games, select Duke Nukem.
  
Actual results:
Game does not start fully, error messages on terminal show 'nacl_helper' having communication problems.

Expected results:
Game starts and runs normally.

Additional info:
The problem goes away with 'setenforce Permissive'.
However, I see no setroubleshoot pop-ups, no avc messages I can find in dmesg or /var/log/* nor any denials in /var/log/audit/audit.log.

Is there a way to see any denials that might have their audit logging suppressed?
Comment 1 Roland McGrath 2012-07-26 14:13:20 EDT
I used 'semodule -DB'.  Now I see this:


type=SYSCALL msg=audit(1343325904.660:929): arch=c000003e syscall=4 success=no exit=-13 a0=7fff3fef3a60 a1=7fff3fef39c0 a2=7fff3fef39c0 a3=40275e items=0 ppid=5222 pid=5324 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=2 comm="chrome-sandbox" exe="/opt/google/chrome/chrome-sandbox" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1343325898.267:930): avc:  denied  { read write } for  pid=5226 comm="nacl_helper_boo" path="socket:[77435]" dev="sockfs" ino=77435 scontext=unconfined_u:unconfined_r:chrome_sandbox_nacl_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
Comment 2 Miroslav Grepl 2012-07-27 03:51:17 EDT
Does it work with 

# ausearch -m avc -su chrome_sandbox_nacl_t |audit2allow -M mypol
# semodule -i mypol.pp
Comment 3 Roland McGrath 2012-07-27 12:26:56 EDT
(In reply to comment #2)
> Does it work with 
> 
> # ausearch -m avc -su chrome_sandbox_nacl_t |audit2allow -M mypol
> # semodule -i mypol.pp

Yes, that fixes it.

[root@localhost log]# ausearch -m avc -su chrome_sandbox_nacl_t
----
time->Thu Jul 26 11:04:58 2012
type=SYSCALL msg=audit(1343325898.267:930): arch=c000003e syscall=47 success=yes exit=8 a0=3 a1=7fffd720ddb0 a2=0 a3=7fffd720db40 items=0 ppid=1 pid=5226 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=2 comm="nacl_helper_boo" exe="/opt/google/chrome/nacl_helper_bootstrap" subj=unconfined_u:unconfined_r:chrome_sandbox_nacl_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1343325898.267:930): avc:  denied  { read write } for  pid=5226 comm="nacl_helper_boo" path="socket:[77435]" dev="sockfs" ino=77435 scontext=unconfined_u:unconfined_r:chrome_sandbox_nacl_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
[root@localhost log]# ausearch -m avc -su chrome_sandbox_nacl_t | audit2allow -M mypol
WARNING: Policy would be downgraded from version 27 to 26.
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i mypol.pp

[root@localhost log]# semodule -B
[root@localhost log]# semodule -i mypol.pp
Comment 4 Miroslav Grepl 2012-07-30 06:29:38 EDT
Actually I see this rule. Could you update to the latest Fedora and make sure nothing blows up. Thank you.
Comment 5 Roland McGrath 2012-07-30 12:30:38 EDT
It's improper to close as CURRENTRELEASE without setting "Fixed in Version".
It's thoroughly antisocial to close the bug without doing anything whatsoever to verify that it's actually fixed.

The current release is the one I reported the bug about, so it's not fixed there.
I've also just tried the current updates-testing version, 3.10.0-142, and it is not fixed there.
Comment 6 Daniel Walsh 2012-07-30 15:25:48 EDT
 audit2allow  -i /tmp/tWARNING: Policy would be downgraded from version 27 to 26.


#============= chrome_sandbox_nacl_t ==============
#!!!! This avc has a dontaudit rule in the current policy

allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_dgram_socket { read write };

So we have this currently dontaudited, but we need to allow it.
Comment 7 Daniel Walsh 2012-07-31 11:26:36 EDT
Fedora 18 has the following

allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_stream_socket { getattr write read };
allow chrome_sandbox_t chrome_sandbox_nacl_t:unix_stream_socket { getattr write read };
Comment 9 Daniel Walsh 2012-08-01 15:42:21 EDT
Ok Roland with 3.10.0-142 on Fedora 17 I see both those rules.
Comment 10 Carwyn Edwards 2012-08-05 09:33:25 EDT
There seems to be something in SELinux stopping the PPAPI Flash working too. Not sure if this is the same issue. In Chrome 20 it was crashing the entire page in 21 it just breaks the subframes. In Chrome 21 a setenforce 0 fixes the issue.

Fedora 17

selinux-policy-targeted-3.10.0-142.fc17.noarch
google-chrome-stable-21.0.1180.57-148591.x86_64
Comment 11 Daniel Walsh 2012-08-06 13:47:29 EDT
Are you seeing any avc messages?
Comment 12 Carwyn Edwards 2012-08-06 16:52:04 EDT
Can't see ant avc messages or anything in /var/log/messages or ausearch -m avc

I do get this in the terminal chrome was launched in.

[WARNING:flash/platform/pepper/pep_filesystem.cpp(152)] Failed to create a temporary file.

How can I trace which selinux rule is blocking this?
Comment 13 Daniel Walsh 2012-08-13 16:24:48 EDT
Lets turn off dontaudit rules and see if anything interested gets generated.

# semodule -DB

Run your test.

# semodule -B 

Will turn back on dontaudit rules.
Comment 14 Sandro Mathys 2012-09-10 04:44:41 EDT
On F17 with all the latest stable updates, I still don't get google-chrome's nacl working. Having disabled dontaudit, I see:


grep denied /var/log/audit/audit.log | grep -e nacl
type=AVC msg=audit(1347265166.606:1408): avc:  denied  { rlimitinh } for  pid=3182 comm="nacl_helper_boo" scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_nacl_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1347265166.606:1408): avc:  denied  { siginh } for  pid=3182 comm="nacl_helper_boo" scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_nacl_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1347265166.606:1408): avc:  denied  { noatsecure } for  pid=3182 comm="nacl_helper_boo" scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_nacl_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1347265166.610:2656): avc:  denied  { read write } for  pid=3182 comm="nacl_helper_boo" path="socket:[52107]" dev="sockfs" ino=52107 scontext=unconfined_u:unconfined_r:chrome_sandbox_nacl_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tclass=unix_dgram_socket

Piping that through audit2allow:
#============= chrome_sandbox_nacl_t ==============
allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_dgram_socket { read write };

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t chrome_sandbox_nacl_t:process { siginh rlimitinh noatsecure };
Comment 15 Mikhail 2012-09-10 04:53:23 EDT
Also too bad that user not see any SELinux alerts!
Comment 16 Miroslav Grepl 2012-09-11 01:53:12 EDT
Sandro,
if you add a local policy for this AVC msgs, does it work then?

# grep denied /var/log/audit/audit.log | grep -e nacl |audit2allow -M mypol
# semodule -i mypol.pp


Thank you.
Comment 17 Sandro Mathys 2012-09-11 01:59:09 EDT
Sorry, should have updated the bug yesterday already after I tried exactly that: yes, it works, ever since I added that policy.
Comment 18 Mikhail 2012-09-11 02:20:17 EDT
But this not help for me:
# grep denied /var/log/audit/audit.log | grep -e nacl |audit2allow -M mypol
Nothing to do


And google-chrome output every time when I tried to run nacl application:
[0911/061902:ERROR:nacl_helper_linux.cc(260)] nacl_helper: receive from zygote failed, errno = 90
[6:6:0911/121902:ERROR:zygote_linux.cc(445)] Zygote could not fork: process_type nacl-loader numfds 1 child_pid -1
[5980:6010:0911/121902:ERROR:child_process_launcher.cc(283)] Failed to launch child process
Comment 19 Mikhail 2012-09-11 02:23:55 EDT
Google Chrome Version 23.0.1262.0 dev
Comment 20 Sandro Mathys 2012-09-11 02:24:52 EDT
Mikhail, did you turn off the dontaudit rules first?

semodule -DB
google-chrome
<start any NaCl extension/application>
semdoule -B

Miroslav's instructions will only just work after that, with the current SELinux policy.
Comment 21 Mikhail 2012-09-11 02:44:53 EDT
Thanks, Sandro Mathys I'am got this:

grep denied /var/log/audit/audit.log | grep -e nacl
type=AVC msg=audit(1347344342.629:8147): avc:  denied  { read write } for  pid=5994 comm="nacl_helper_boo" path="socket:[412401688]" dev="sockfs" ino=412401688 scontext=unconfined_u:unconfined_r:chrome_sandbox_nacl_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tclass=unix_dgram_socket

And now nacl worked in Google chrome.

Why I still not see SELinux alert?
Comment 22 Mikhail 2012-09-11 04:07:50 EDT
Allowing

type=AVC msg=audit(1347344342.629:8147): avc:  denied  { read write } for  pid=5994 comm="nacl_helper_boo" path="socket:[412401688]" dev="sockfs" ino=412401688 scontext=unconfined_u:unconfined_r:chrome_sandbox_nacl_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tclass=unix_dgram_socket

is not enough to run the game AirMech

# grep denied /var/log/audit/audit.log | grep -e nacl
type=AVC msg=audit(1347346254.097:98): avc:  denied  { read write } for  pid=1752 comm="nacl_helper_boo" path="socket:[120949]" dev="sockfs" ino=120949 scontext=unconfined_u:unconfined_r:chrome_sandbox_nacl_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
type=AVC msg=audit(1347348922.713:229): avc:  denied  { rlimitinh } for  pid=3483 comm="nacl_helper_boo" scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_nacl_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1347348922.713:229): avc:  denied  { siginh } for  pid=3483 comm="nacl_helper_boo" scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_nacl_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1347348922.713:229): avc:  denied  { noatsecure } for  pid=3483 comm="nacl_helper_boo" scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_nacl_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1347348922.714:230): avc:  denied  { mmap_zero } for  pid=3483 comm="nacl_helper_boo" scontext=unconfined_u:unconfined_r:chrome_sandbox_nacl_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_nacl_t:s0-s0:c0.c1023 tclass=memprotect

But this is not help, game is not work, and I see that Google Chrome put in console next message:

[338,3047668544:08:00:19.229590] Native Client module will be loaded at base address 0x0000000000000000
[SRPC:HOST:30,2984327296:14:00:32.584074] NaClSrpcRpcWait(channel=0xb84b1318): EOF is received instead of response. Probably, the other side (usually, nacl module or browser plugin) crashed.
Comment 23 Miroslav Grepl 2012-09-13 04:49:55 EDT
What does

# ausearch -m user_avc
Comment 24 Mikhail 2012-09-13 05:11:33 EDT
Created attachment 612384 [details]
ausearch -m user_avc
Comment 25 Daniel Walsh 2012-09-18 09:51:56 EDT
Your avc's indicate a service running as initrc_t which is communicating via dbus with colord.

ps -eZ | grep initrc_t

It also indicates a process running as wine_t communicating with NetworkManager and systemd_logind_t via dbus.

ps -eZ | grep wine_t

Nothing about chrome.
Comment 26 Mikhail 2012-09-18 10:38:53 EDT
[mikhail@telecon17l ~]$ su -
Password: 
[root@telecon17l ~]# ps -eZ | grep initrc_t
[root@telecon17l ~]# ps -eZ | grep wine_t
unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 3301 pts/3 00:02:06 SQLyog.exe
unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 3304 ? 00:01:24 wineserver
unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 3310 ? 00:00:00 services.exe
unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 3314 ? 00:00:00 winedevice.exe
unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 3326 ? 00:00:00 plugplay.exe
unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 3334 ? 00:00:00 explorer.exe
unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 3364 pts/3 00:00:07 plink.exe
unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 3375 pts/3 00:00:07 plink.exe
unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 7900 pts/3 00:00:01 plink.exe
unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 7907 pts/3 00:00:01 plink.exe
[root@telecon17l ~]#
Comment 27 Mikhail 2012-09-18 11:16:17 EDT
(In reply to comment #25)
> Nothing about chrome.

too bad
Comment 28 Daniel Walsh 2012-09-18 11:44:25 EDT
Strange that the wine apps no about dbus?

What does

type=AVC msg=audit(1347346254.097:98): avc:  denied  { read write } for  pid=1752 comm="nacl_helper_boo" path="socket:[120949]" dev="sockfs" ino=120949 scontext=unconfined_u:unconfined_r:chrome_sandbox_nacl_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tclass=unix_dgram_socket

sesearch -A -s chrome_sandbox_nacl_t -t chrome_sandbox_t -c unix_dgram_socket

Show?

If nothing, how about.

sesearch --dontaudit -s chrome_sandbox_nacl_t -t chrome_sandbox_t -c unix_dgram_socket
Comment 29 Mikhail 2012-09-19 01:07:01 EDT
Created attachment 614199 [details]
ausearch -m user_avc
Comment 30 Mikhail 2012-09-19 01:17:12 EDT
-bash-4.2# sesearch -A -s chrome_sandbox_nacl_t -t chrome_sandbox_t -c unix_dgram_socket
Found 1 semantic av rules:
   allow chrome_sandbox_nacl_t chrome_sandbox_t : unix_dgram_socket { read write } ; 

-bash-4.2# sesearch --dontaudit -s chrome_sandbox_nacl_t -t chrome_sandbox_t -c unix_dgram_socket
Found 1 semantic av rules:
   dontaudit domain domain : unix_dgram_socket { read write } ;
Comment 31 Mikhail 2012-09-19 13:41:31 EDT
Trying Fedora 18 and get this error:
[331,2961148032:23:40:38.841342] SelLdrLauncher::SetupCommandAndLoad: getting sel_ldr socket address failed
[SRPC:HOST:331,2961148032:23:40:38.842106] NaClSrpcInvokeBySignature(channel=0xb9b83e60):missing signature [log:is:]
Comment 32 Daniel Walsh 2012-09-19 20:14:38 EDT
Mikhail are you not getting this in enforcing mode?
Comment 33 Daniel Walsh 2012-09-19 20:14:58 EDT
I meant permissive mode?
Comment 34 Mikhail 2012-09-19 22:36:59 EDT
Fedora 17 output
$ getenforce
Enforcing

Fedora 18 output
$ getenforce
Enforcing
Comment 35 Daniel Walsh 2012-09-26 17:47:07 EDT
Michail.

Can you execute on F18

# semodule -DB


run chrome.

Collect AVC's

# semodule -B

And attach them.
Comment 36 Mikhail 2012-09-29 13:20:17 EDT
Created attachment 619142 [details]
audit.log
Comment 37 Mikhail 2012-09-29 13:21:37 EDT
So I still didn't get any SELinux alerts :(
Comment 38 Mikhail 2012-09-29 14:05:11 EDT
Created attachment 619153 [details]
audit.log
Comment 39 Carwyn Edwards 2012-09-29 14:37:01 EDT
Just to follow up on my comment above about the flash plugin not working. This problem vanished after an update to the policy package. It seemed like it had recurred today but a relabel of the filesystem fixed it.

Anyone experiencing problems with selinux and chrome may want to try relabelling before anything else.