Bug 886397

Summary: SELinux is preventing Chrome_ChildIOT from 'write' accesses on the file /run/media/aldrian/Application/Chrome-extension/YMailBold/icon.png.
Product: Fedora
Reporter: Aldrian Obaja <aldrian_math>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 17
CC: dominick.grift, dwalsh, mgrepl
Target Milestone: ---
Target Release: ---
Hardware: i686
OS: Unspecified
Whiteboard: abrt_hash:9602ca7aa0697005b7d41f4e194892ec4ae3c4ddd5ff3f74c81785ad72fdf8a0
Doc Type: Bug Fix
Last Closed: 2012-12-18 14:25:40 UTC
Attachments: type (flags: none), hashmarkername (flags: none)

Description Aldrian Obaja 2012-12-12 08:28:16 UTC
Additional info:
libreport version: 2.0.18
kernel:         3.6.9-2.fc17.i686

description:
SELinux is preventing Chrome_ChildIOT from 'write' accesses on the file /run/media/aldrian/Application/Chrome-extension/YMailBold/icon.png.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that Chrome_ChildIOT should be allowed write access on the icon.png file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep Chrome_ChildIOT /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
Target Context                system_u:object_r:fusefs_t:s0
Target Objects                /run/media/aldrian/Application/Chrome-extension/YMailBold/icon.png [ file ]
Source                        Chrome_ChildIOT
Source Path                   Chrome_ChildIOT
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-161.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.6.9-2.fc17.i686 #1 SMP Tue Dec 4 14:22:00 UTC 2012 i686 i686
Alert Count                   2
First Seen                    2012-12-12 16:25:38 SGT
Last Seen                     2012-12-12 16:26:14 SGT
Local ID                      77d7dc29-27da-4d93-92bb-75076518c722

Raw Audit Messages
type=AVC msg=audit(1355300774.145:149): avc:  denied  { write } for  pid=7037 comm="Chrome_ChildIOT" path="/run/media/aldrian/Application/Chrome-extension/YMailBold/icon.png" dev="sda5" ino=142521 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fusefs_t:s0 tclass=file

Hash: Chrome_ChildIOT,chrome_sandbox_t,fusefs_t,file,write

audit2allow

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t fusefs_t:file write;

audit2allow -R

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t fusefs_t:file write;


Comment 1 Aldrian Obaja 2012-12-12 08:28:19 UTC
Created attachment 662111 [details]
File: type

Comment 2 Aldrian Obaja 2012-12-12 08:28:21 UTC
Created attachment 662112 [details]
File: hashmarkername

Comment 3 Daniel Walsh 2012-12-12 12:16:58 UTC
Looks like a leak.  Probably can be ignored.

Comment 4 Daniel Walsh 2012-12-12 12:18:03 UTC
Aldrian, what is this, some kind of USB stick with Chrome content on it?

Comment 5 Daniel Walsh 2012-12-12 12:18:31 UTC
*** Bug 886398 has been marked as a duplicate of this bug. ***

Comment 6 Aldrian Obaja 2012-12-12 12:53:44 UTC
The content it tried to access is on another drive, a Windows partition, which is mounted under /run/media/aldrian.
Chrome itself is on the Linux partition.

Comment 7 Daniel Walsh 2012-12-17 21:34:49 UTC
Did anything actually break? I.e., did everything seem to work properly?

Comment 8 Aldrian Obaja 2012-12-18 03:13:34 UTC
I was using this webapp, pixlr.com/editor/, and I can't save any file to that location. The app works fine in Windows Chrome.

Hmm, actually, after further testing, it in fact can't save to the local drive either; the page just went plain white after trying to save.

Comment 9 Daniel Walsh 2012-12-18 14:25:40 UTC
The thing we are trying to prevent with this confinement is the chrome sandbox being able to write to the homedir.  You need to turn off the confinement using

setsebool -P unconfined_chrome_sandbox_transition 1
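As an added example (not from this bug report or from the selinux-policy project), a small Python triage helper that parses the raw AVC message quoted in the report into its fields, reproduces the allow rule that audit2allow printed for it, and separates the fusefs_t write discussed here from a write into the home directory, which comment 9 says the chrome_sandbox_t confinement exists to block. The second sample line, the function names and the verdict labels are constructed for the example.

```python
import re

# Constructed sample log: line 1 is the AVC message from this bug, line 2 is a
# made-up denial of a write into the home directory (what the confinement is for).
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1355300774.145:149): avc:  denied  { write } for  pid=7037 '
    'comm="Chrome_ChildIOT" path="/run/media/aldrian/Application/Chrome-extension/YMailBold/icon.png" '
    'dev="sda5" ino=142521 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:fusefs_t:s0 tclass=file',
    'type=AVC msg=audit(1355300800.001:150): avc:  denied  { write } for  pid=7040 '
    'comm="Chrome_ChildIOT" path="/home/aldrian/Documents/out.png" dev="sda3" ino=99 '
    'scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one AVC denial into a dict; returns None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'perms': m.group('perms').split()}
    for key, val in FIELD_RE.findall(m.group('fields')):
        rec[key] = val.strip('"')
    for ctx in ('scontext', 'tcontext'):  # user:role:type[:range]; policy rules key on type
        if ctx in rec:
            rec[ctx + '_type'] = rec[ctx].split(':')[2]
    return rec

def to_allow_rule(rec):
    """The rule audit2allow would emit for this denial (matches the report)."""
    return 'allow %s %s:%s %s;' % (rec['scontext_type'], rec['tcontext_type'],
                                   rec['tclass'], ' '.join(rec['perms']))

def triage(rec):
    if rec.get('scontext_type') != 'chrome_sandbox_t':
        return 'other'
    if 'write' in rec['perms'] and rec.get('tcontext_type') == 'fusefs_t':
        # Comments 3 and 9: a leaked descriptor onto mounted media; if the app
        # really needs it, the boolean above is the supported fix, not a custom module.
        return 'leak'
    if 'write' in rec['perms'] and rec.get('tcontext_type', '').startswith('user_home'):
        return 'expected'  # the confinement doing its job (comment 9)
    return 'review'

def triage_log(lines):
    """(path, verdict) for every AVC denial in an audit log excerpt."""
    return [(r['path'], triage(r)) for r in map(parse_avc, lines) if r]
```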