Bug 909707

Summary: SELinux is preventing /usr/lib64/chromium-browser/chrome-sandbox from read, append access on the file /home/adellam/.xsession-errors.
Product: [Fedora] Fedora Reporter: Andrea Dell'Amico <adellam>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 17CC: dominick.grift, dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:4266cf8e1a87264c915aeade2861222fe368a839778ebbffe58e833cc9b34f9b
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-05-04 00:04:30 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
File: type
none
File: hashmarkername none

Description Andrea Dell'Amico 2013-02-10 16:11:10 UTC 
Description of problem:

It started happening after I encrypted my home directory with ecryptfs.


Additional info:
libreport version: 2.0.18
kernel:         3.7.3-101.fc17.x86_64

description:
:SELinux is preventing /usr/lib64/chromium-browser/chrome-sandbox from read, append access on the file /home/adellam/.xsession-errors.
:
:*****  Plugin restorecon (93.9 confidence) suggests  *************************
:
:If you want to fix the label. 
:/home/adellam/.xsession-errors default label should be xdm_home_t.
:Then you can run restorecon.
:Do
:# /sbin/restorecon -v /home/adellam/.xsession-errors
:
:*****  Plugin leaks (6.10 confidence) suggests  ******************************
:
:If you want to ignore chrome-sandbox trying to read append access the .xsession-errors file, because you believe it should not need this access.
:Then you should report this as a bug.  
:You can generate a local policy module to dontaudit this access.
:Do
:# grep /usr/lib64/chromium-browser/chrome-sandbox /var/log/audit/audit.log | audit2allow -D -M mypol
:# semodule -i mypol.pp
:
:*****  Plugin catchall (1.43 confidence) suggests  ***************************
:
:If you believe that chrome-sandbox should be allowed read append access on the .xsession-errors file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep chrome-sandbox /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
:                              0.c1023
:Target Context                system_u:object_r:ecryptfs_t:s0
:Target Objects                /home/adellam/.xsession-errors [ file ]
:Source                        chrome-sandbox
:Source Path                   /usr/lib64/chromium-browser/chrome-sandbox
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           chromium-23.0.1271.95-1.fc17.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-166.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.7.3-101.fc17.x86_64 #1 SMP Fri
:                              Jan 18 17:40:57 UTC 2013 x86_64 x86_64
:Alert Count                   2
:First Seen                    2013-02-10 16:56:26 CET
:Last Seen                     2013-02-10 16:56:26 CET
:Local ID                      1fc7cba2-882b-4132-a7b5-1b0148a298fe
:
:Raw Audit Messages
:type=AVC msg=audit(1360511786.249:455): avc:  denied  { read append } for  pid=9825 comm="chrome-sandbox" path="/home/adellam/.xsession-errors" dev="ecryptfs" ino=134217856 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ecryptfs_t:s0 tclass=file
:
:
:type=AVC msg=audit(1360511786.249:455): avc:  denied  { read append } for  pid=9825 comm="chrome-sandbox" path="/home/adellam/.xsession-errors" dev="ecryptfs" ino=134217856 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ecryptfs_t:s0 tclass=file
:
:
:type=SYSCALL msg=audit(1360511786.249:455): arch=x86_64 syscall=execve success=yes exit=0 a0=7ff559e4cc48 a1=7ff55c0319f0 a2=7ff559e61d40 a3=7ff53502e710 items=0 ppid=8726 pid=9825 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 ses=4 tty=(none) comm=chrome-sandbox exe=/usr/lib64/chromium-browser/chrome-sandbox subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)
:
:Hash: chrome-sandbox,chrome_sandbox_t,ecryptfs_t,file,read,append
:
:audit2allow
:
:#============= chrome_sandbox_t ==============
:allow chrome_sandbox_t ecryptfs_t:file { read append };
:
:audit2allow -R
:
:#============= chrome_sandbox_t ==============
:allow chrome_sandbox_t ecryptfs_t:file { read append };
:
Comment 1 Andrea Dell'Amico 2013-02-10 16:11:14 UTC 
Created attachment 695812 [details]
File: type
Comment 2 Andrea Dell'Amico 2013-02-10 16:11:17 UTC 
Created attachment 695813 [details]
File: hashmarkername
Comment 3 Miroslav Grepl 2013-02-11 12:50:39 UTC 
*** Bug 909709 has been marked as a duplicate of this bug. ***
Comment 4 Miroslav Grepl 2013-02-11 13:35:22 UTC 
I am adding fixes.
Comment 5 Andrea Dell'Amico 2013-02-28 11:18:04 UTC 
It happens when accessing a page that needs the flash plugin.


Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)
Comment 6 Daniel Walsh 2013-02-28 18:03:35 UTC 
This looks like a mislabeled homedir. Your homedir should not be labeled ecryptfs_t?
Comment 7 Andrea Dell'Amico 2013-03-01 12:49:40 UTC 
This is what ecrypfs does when using it to encrypt the home directory.

My setup is the following:

/home is a separate partition, and /home/adellam is encrypted with ecryptfs. The procedure relabeled all the files, and a "restorecon -vR /home" doesn't find anything to fix.
Comment 8 Daniel Walsh 2013-03-01 15:26:09 UTC 
Miroslav didn't some one else have this problem and we fixed it by adding a file labeling equivalence.

Andres if you run 

restorecon -R -v ~/

What happens?
Comment 9 Andrea Dell'Amico 2013-03-01 15:34:09 UTC 

Absolutely nothing:

# restorecon -R -v ~adellam/
# 

The same if I run restorecon -R -v /home
Comment 10 Daniel Walsh 2013-03-01 19:28:54 UTC 
ls -ldZ ~adellam
Comment 11 Andrea Dell'Amico 2013-03-01 21:35:19 UTC 
ls -lZd /home/adellam
drwx------. adellam adellam system_u:object_r:ecryptfs_t:s0  /home/adellam/
Comment 12 Fedora Update System 2013-03-05 14:32:45 UTC 
selinux-policy-3.10.0-168.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-168.fc17
Comment 13 Fedora Update System 2013-03-05 23:30:07 UTC 
Package selinux-policy-3.10.0-168.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-168.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-3466/selinux-policy-3.10.0-168.fc17
then log in and leave karma (feedback).
Comment 14 Fedora Update System 2013-04-04 08:31:40 UTC 
selinux-policy-3.10.0-169.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-169.fc17
Comment 15 Fedora Update System 2013-05-04 00:04:31 UTC 
selinux-policy-3.10.0-169.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.