Bug 843589

Summary: SELinux breaking Native Client (Google Chrome), regression from F16
Product: [Fedora] Fedora
Reporter: Roland McGrath <roland>
Component: selinux-policy-targeted
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED WORKSFORME
QA Contact: Ben Levenson <benl>
Severity: unspecified
Priority: unspecified
Version: 17
CC: carwyn, dwalsh, eparis, mikhail.v.gavrilov, sandro
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2013-06-07 14:49:06 UTC
Type: Bug
Attachments (description, flags):
- ausearch -m user_avc (flags: none)
- ausearch -m user_avc (flags: none)
- audit.log (flags: none)
- audit.log (flags: none)

Description Roland McGrath 2012-07-26 17:33:10 UTC
Description of problem:
SELinux policy (presumably) breaks Google Chrome's Native Client functionality.
The same versions of Google Chrome work on Fedora 16.

Version-Release number of selected component (if applicable):
3.10.0-140.fc7

How reproducible:
100%

Steps to Reproduce:
1. Install Google Chrome
2. Run 'google-chrome --enable-nacl' from a terminal where you can watch the output.
3. Navigate to http://www.naclbox.com/, select Games, select Duke Nukem.

Actual results:
Game does not start fully, error messages on terminal show 'nacl_helper' having communication problems.

Expected results:
Game starts and runs normally.

Additional info:
The problem goes away with 'setenforce Permissive'.
However, I see no setroubleshoot pop-ups, no avc messages I can find in dmesg or /var/log/* nor any denials in /var/log/audit/audit.log.

Is there a way to see any denials that might have their audit logging suppressed?

Comment 1 Roland McGrath 2012-07-26 18:13:20 UTC
I used 'semodule -DB'.  Now I see this:


type=SYSCALL msg=audit(1343325904.660:929): arch=c000003e syscall=4 success=no exit=-13 a0=7fff3fef3a60 a1=7fff3fef39c0 a2=7fff3fef39c0 a3=40275e items=0 ppid=5222 pid=5324 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=2 comm="chrome-sandbox" exe="/opt/google/chrome/chrome-sandbox" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1343325898.267:930): avc:  denied  { read write } for  pid=5226 comm="nacl_helper_boo" path="socket:[77435]" dev="sockfs" ino=77435 scontext=unconfined_u:unconfined_r:chrome_sandbox_nacl_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tclass=unix_dgram_socket

Comment 2 Miroslav Grepl 2012-07-27 07:51:17 UTC
Does it work with 

# ausearch -m avc -su chrome_sandbox_nacl_t |audit2allow -M mypol
# semodule -i mypol.pp

Comment 3 Roland McGrath 2012-07-27 16:26:56 UTC
(In reply to comment #2)
> Does it work with 
> 
> # ausearch -m avc -su chrome_sandbox_nacl_t |audit2allow -M mypol
> # semodule -i mypol.pp

Yes, that fixes it.

[root@localhost log]# ausearch -m avc -su chrome_sandbox_nacl_t
----
time->Thu Jul 26 11:04:58 2012
type=SYSCALL msg=audit(1343325898.267:930): arch=c000003e syscall=47 success=yes exit=8 a0=3 a1=7fffd720ddb0 a2=0 a3=7fffd720db40 items=0 ppid=1 pid=5226 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=2 comm="nacl_helper_boo" exe="/opt/google/chrome/nacl_helper_bootstrap" subj=unconfined_u:unconfined_r:chrome_sandbox_nacl_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1343325898.267:930): avc:  denied  { read write } for  pid=5226 comm="nacl_helper_boo" path="socket:[77435]" dev="sockfs" ino=77435 scontext=unconfined_u:unconfined_r:chrome_sandbox_nacl_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
[root@localhost log]# ausearch -m avc -su chrome_sandbox_nacl_t | audit2allow -M mypol
WARNING: Policy would be downgraded from version 27 to 26.
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i mypol.pp

[root@localhost log]# semodule -B
[root@localhost log]# semodule -i mypol.pp

Comment 4 Miroslav Grepl 2012-07-30 10:29:38 UTC
Actually I see this rule. Could you update to the latest Fedora and make sure nothing blows up. Thank you.

Comment 5 Roland McGrath 2012-07-30 16:30:38 UTC
It's improper to close as CURRENTRELEASE without setting "Fixed in Version".
It's thoroughly antisocial to close the bug without doing anything whatsoever to verify that it's actually fixed.

The current release is the one I reported the bug about, so it's not fixed there.
I've also just tried the current updates-testing version, 3.10.0-142, and it is not fixed there.

Comment 6 Daniel Walsh 2012-07-30 19:25:48 UTC
audit2allow  -i /tmp/t
WARNING: Policy would be downgraded from version 27 to 26.


#============= chrome_sandbox_nacl_t ==============
#!!!! This avc has a dontaudit rule in the current policy

allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_dgram_socket { read write };

So we have this currently dontaudited, but we need to allow it.

Comment 7 Daniel Walsh 2012-07-31 15:26:36 UTC
Fedora 18 has the following

allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_stream_socket { getattr write read };
allow chrome_sandbox_t chrome_sandbox_nacl_t:unix_stream_socket { getattr write read };

Comment 9 Daniel Walsh 2012-08-01 19:42:21 UTC
Ok Roland with 3.10.0-142 on Fedora 17 I see both those rules.

Comment 10 Carwyn Edwards 2012-08-05 13:33:25 UTC
There seems to be something in SELinux stopping the PPAPI Flash working too. Not sure if this is the same issue. In Chrome 20 it was crashing the entire page; in 21 it just breaks the subframes. In Chrome 21 a setenforce 0 fixes the issue.

Fedora 17

selinux-policy-targeted-3.10.0-142.fc17.noarch
google-chrome-stable-21.0.1180.57-148591.x86_64

Comment 11 Daniel Walsh 2012-08-06 17:47:29 UTC
Are you seeing any avc messages?

Comment 12 Carwyn Edwards 2012-08-06 20:52:04 UTC
Can't see any avc messages or anything in /var/log/messages or ausearch -m avc

I do get this in the terminal chrome was launched in.

[WARNING:flash/platform/pepper/pep_filesystem.cpp(152)] Failed to create a temporary file.

How can I trace which selinux rule is blocking this?

Comment 13 Daniel Walsh 2012-08-13 20:24:48 UTC
Let's turn off dontaudit rules and see if anything interesting gets generated.

# semodule -DB

Run your test.

# semodule -B 

Will turn back on dontaudit rules.

Comment 14 Sandro Mathys 2012-09-10 08:44:41 UTC
On F17 with all the latest stable updates, I still don't get google-chrome's nacl working. Having disabled dontaudit, I see:


grep denied /var/log/audit/audit.log | grep -e nacl
type=AVC msg=audit(1347265166.606:1408): avc:  denied  { rlimitinh } for  pid=3182 comm="nacl_helper_boo" scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_nacl_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1347265166.606:1408): avc:  denied  { siginh } for  pid=3182 comm="nacl_helper_boo" scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_nacl_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1347265166.606:1408): avc:  denied  { noatsecure } for  pid=3182 comm="nacl_helper_boo" scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_nacl_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1347265166.610:2656): avc:  denied  { read write } for  pid=3182 comm="nacl_helper_boo" path="socket:[52107]" dev="sockfs" ino=52107 scontext=unconfined_u:unconfined_r:chrome_sandbox_nacl_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tclass=unix_dgram_socket

Piping that through audit2allow:
#============= chrome_sandbox_nacl_t ==============
allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_dgram_socket { read write };

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t chrome_sandbox_nacl_t:process { siginh rlimitinh noatsecure };

Comment 15 Mikhail 2012-09-10 08:53:23 UTC
Also, too bad that the user does not see any SELinux alerts!

Comment 16 Miroslav Grepl 2012-09-11 05:53:12 UTC
Sandro,
if you add a local policy for these AVC msgs, does it work then?

# grep denied /var/log/audit/audit.log | grep -e nacl |audit2allow -M mypol
# semodule -i mypol.pp


Thank you.

Comment 17 Sandro Mathys 2012-09-11 05:59:09 UTC
Sorry, should have updated the bug yesterday already after I tried exactly that: yes, it works, ever since I added that policy.

Comment 18 Mikhail 2012-09-11 06:20:17 UTC
But this does not help for me:
# grep denied /var/log/audit/audit.log | grep -e nacl |audit2allow -M mypol
Nothing to do


And google-chrome output this every time I tried to run a nacl application:
[0911/061902:ERROR:nacl_helper_linux.cc(260)] nacl_helper: receive from zygote failed, errno = 90
[6:6:0911/121902:ERROR:zygote_linux.cc(445)] Zygote could not fork: process_type nacl-loader numfds 1 child_pid -1
[5980:6010:0911/121902:ERROR:child_process_launcher.cc(283)] Failed to launch child process

Comment 19 Mikhail 2012-09-11 06:23:55 UTC
Google Chrome Version 23.0.1262.0 dev

Comment 20 Sandro Mathys 2012-09-11 06:24:52 UTC
Mikhail, did you turn off the dontaudit rules first?

semodule -DB
google-chrome
<start any NaCl extension/application>
semodule -B

Miroslav's instructions will only just work after that, with the current SELinux policy.

Comment 21 Mikhail 2012-09-11 06:44:53 UTC
Thanks, Sandro Mathys, I got this:

grep denied /var/log/audit/audit.log | grep -e nacl
type=AVC msg=audit(1347344342.629:8147): avc:  denied  { read write } for  pid=5994 comm="nacl_helper_boo" path="socket:[412401688]" dev="sockfs" ino=412401688 scontext=unconfined_u:unconfined_r:chrome_sandbox_nacl_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tclass=unix_dgram_socket

And now nacl worked in Google chrome.

Why do I still not see an SELinux alert?

Comment 22 Mikhail 2012-09-11 08:07:50 UTC
Allowing

type=AVC msg=audit(1347344342.629:8147): avc:  denied  { read write } for  pid=5994 comm="nacl_helper_boo" path="socket:[412401688]" dev="sockfs" ino=412401688 scontext=unconfined_u:unconfined_r:chrome_sandbox_nacl_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tclass=unix_dgram_socket

is not enough to run the game AirMech

# grep denied /var/log/audit/audit.log | grep -e nacl
type=AVC msg=audit(1347346254.097:98): avc:  denied  { read write } for  pid=1752 comm="nacl_helper_boo" path="socket:[120949]" dev="sockfs" ino=120949 scontext=unconfined_u:unconfined_r:chrome_sandbox_nacl_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
type=AVC msg=audit(1347348922.713:229): avc:  denied  { rlimitinh } for  pid=3483 comm="nacl_helper_boo" scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_nacl_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1347348922.713:229): avc:  denied  { siginh } for  pid=3483 comm="nacl_helper_boo" scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_nacl_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1347348922.713:229): avc:  denied  { noatsecure } for  pid=3483 comm="nacl_helper_boo" scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_nacl_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1347348922.714:230): avc:  denied  { mmap_zero } for  pid=3483 comm="nacl_helper_boo" scontext=unconfined_u:unconfined_r:chrome_sandbox_nacl_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_nacl_t:s0-s0:c0.c1023 tclass=memprotect

But this does not help, the game does not work, and I see that Google Chrome puts the following message in the console:

[338,3047668544:08:00:19.229590] Native Client module will be loaded at base address 0x0000000000000000
[SRPC:HOST:30,2984327296:14:00:32.584074] NaClSrpcRpcWait(channel=0xb84b1318): EOF is received instead of response. Probably, the other side (usually, nacl module or browser plugin) crashed.
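
How the AVC records quoted in comments 14 and 22 turn into `allow` rules, as an added Python example (not part of the thread and not audit2allow's own code). It assumes rules are keyed on the type field of each context, writes `self` when source and target types match, and sorts permissions alphabetically; `denials_to_rules` and `selinux_type` are hypothetical names.

```python
import re
from collections import defaultdict

# Sample input embedded for offline use: AVC records as quoted in comment 22.
SAMPLE = """\
type=AVC msg=audit(1347346254.097:98): avc:  denied  { read write } for  pid=1752 comm="nacl_helper_boo" path="socket:[120949]" dev="sockfs" ino=120949 scontext=unconfined_u:unconfined_r:chrome_sandbox_nacl_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
type=AVC msg=audit(1347348922.713:229): avc:  denied  { rlimitinh } for  pid=3483 comm="nacl_helper_boo" scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_nacl_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1347348922.713:229): avc:  denied  { siginh } for  pid=3483 comm="nacl_helper_boo" scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_nacl_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1347348922.713:229): avc:  denied  { noatsecure } for  pid=3483 comm="nacl_helper_boo" scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_nacl_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1347348922.714:230): avc:  denied  { mmap_zero } for  pid=3483 comm="nacl_helper_boo" scontext=unconfined_u:unconfined_r:chrome_sandbox_nacl_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_nacl_t:s0-s0:c0.c1023 tclass=memprotect
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)"
)

def selinux_type(context):
    """Return the type field of user:role:type[:mls]; rules are written on types."""
    return context.split(":")[2]

def denials_to_rules(log_text):
    """Group denied permissions by (source type, target type, class)."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records and anything that is not a denial
        src, tgt = selinux_type(m["s"]), selinux_type(m["t"])
        if src == tgt:
            tgt = "self"  # a domain acting on itself, e.g. memprotect
        grouped[(src, tgt, m["cls"])].update(m["perms"].split())
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        ps = sorted(perms)
        body = ps[0] if len(ps) == 1 else "{ " + " ".join(ps) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

if __name__ == "__main__":
    for rule in denials_to_rules(SAMPLE):
        print(rule)
```

Reading the grouped list shows exactly which permissions a module built from the same records would grant, including the `mmap_zero` rule that only appears in comment 22.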

Comment 23 Miroslav Grepl 2012-09-13 08:49:55 UTC
What does

# ausearch -m user_avc

Comment 24 Mikhail 2012-09-13 09:11:33 UTC
Created attachment 612384 [details]
ausearch -m user_avc

Comment 25 Daniel Walsh 2012-09-18 13:51:56 UTC
Your avc's indicate a service running as initrc_t which is communicating via dbus with colord.

ps -eZ | grep initrc_t

It also indicates a process running as wine_t communicating with NetworkManager and systemd_logind_t via dbus.

ps -eZ | grep wine_t

Nothing about chrome.

Comment 26 Mikhail 2012-09-18 14:38:53 UTC
[mikhail@telecon17l ~]$ su -
Password: 
[root@telecon17l ~]# ps -eZ | grep initrc_t
[root@telecon17l ~]# ps -eZ | grep wine_t
unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 3301 pts/3 00:02:06 SQLyog.exe
unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 3304 ? 00:01:24 wineserver
unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 3310 ? 00:00:00 services.exe
unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 3314 ? 00:00:00 winedevice.exe
unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 3326 ? 00:00:00 plugplay.exe
unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 3334 ? 00:00:00 explorer.exe
unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 3364 pts/3 00:00:07 plink.exe
unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 3375 pts/3 00:00:07 plink.exe
unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 7900 pts/3 00:00:01 plink.exe
unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 7907 pts/3 00:00:01 plink.exe
[root@telecon17l ~]#

Comment 27 Mikhail 2012-09-18 15:16:17 UTC
(In reply to comment #25)
> Nothing about chrome.

too bad

Comment 28 Daniel Walsh 2012-09-18 15:44:25 UTC
Strange that the wine apps know about dbus?

What does

type=AVC msg=audit(1347346254.097:98): avc:  denied  { read write } for  pid=1752 comm="nacl_helper_boo" path="socket:[120949]" dev="sockfs" ino=120949 scontext=unconfined_u:unconfined_r:chrome_sandbox_nacl_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tclass=unix_dgram_socket

sesearch -A -s chrome_sandbox_nacl_t -t chrome_sandbox_t -c unix_dgram_socket

Show?

If nothing, how about.

sesearch --dontaudit -s chrome_sandbox_nacl_t -t chrome_sandbox_t -c unix_dgram_socket

Comment 29 Mikhail 2012-09-19 05:07:01 UTC
Created attachment 614199 [details]
ausearch -m user_avc

Comment 30 Mikhail 2012-09-19 05:17:12 UTC
-bash-4.2# sesearch -A -s chrome_sandbox_nacl_t -t chrome_sandbox_t -c unix_dgram_socket
Found 1 semantic av rules:
   allow chrome_sandbox_nacl_t chrome_sandbox_t : unix_dgram_socket { read write } ; 

-bash-4.2# sesearch --dontaudit -s chrome_sandbox_nacl_t -t chrome_sandbox_t -c unix_dgram_socket
Found 1 semantic av rules:
   dontaudit domain domain : unix_dgram_socket { read write } ;

Comment 31 Mikhail 2012-09-19 17:41:31 UTC
Trying Fedora 18 and get this error:
[331,2961148032:23:40:38.841342] SelLdrLauncher::SetupCommandAndLoad: getting sel_ldr socket address failed
[SRPC:HOST:331,2961148032:23:40:38.842106] NaClSrpcInvokeBySignature(channel=0xb9b83e60):missing signature [log:is:]

Comment 32 Daniel Walsh 2012-09-20 00:14:38 UTC
Mikhail are you not getting this in enforcing mode?

Comment 33 Daniel Walsh 2012-09-20 00:14:58 UTC
I meant permissive mode?

Comment 34 Mikhail 2012-09-20 02:36:59 UTC
Fedora 17 output
$ getenforce
Enforcing

Fedora 18 output
$ getenforce
Enforcing

Comment 35 Daniel Walsh 2012-09-26 21:47:07 UTC
Mikhail.

Can you execute on F18

# semodule -DB


run chrome.

Collect AVC's

# semodule -B

And attach them.

Comment 36 Mikhail 2012-09-29 17:20:17 UTC
Created attachment 619142 [details]
audit.log

Comment 37 Mikhail 2012-09-29 17:21:37 UTC
So I still didn't get any SELinux alerts :(

Comment 38 Mikhail 2012-09-29 18:05:11 UTC
Created attachment 619153 [details]
audit.log

Comment 39 Carwyn Edwards 2012-09-29 18:37:01 UTC
Just to follow up on my comment above about the flash plugin not working. This problem vanished after an update to the policy package. It seemed like it had recurred today but a relabel of the filesystem fixed it.

Anyone experiencing problems with selinux and chrome may want to try relabelling before anything else.