Bug 964651
Summary: | SELinux is preventing /opt/google/chrome/chrome-sandbox from 'append' accesses on the unix_stream_socket unix_stream_socket. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | vinesh teotia <vineshteotia> |
Component: | gdm | Assignee: | Ray Strode [halfline] <rstrode> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 19 | CC: | abyss.7, akg, allyouneedis, anderson_ad, a.passariello, bignikita, brian.murrell, carlos.natividade, dominick.grift, dontbother, drtl, dwalsh, ed.greshko, hatemaker, h-s-silva, johnh, josian2200, keramidasceid, kparal, ktnaane, life.130815, lovenemesis, maj.linux, matthew.javelet, mcnelson, mdeggers, mgrepl, mikhail.v.gavrilov, o.strawinski, paul, rohitbrai, rstrode, sivlemx, subscribed-lists, surfernsk, this.mail.dont.exist, titas.chanda, vineshteotia |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Unspecified | ||
Whiteboard: | abrt_hash:770ba94ac05ef47e855dd064b059edd8bd8c6d32f81fe3a2d1a3b181f6620d36 | ||
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2014-01-02 22:53:00 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Attachments: | | | |
Description
vinesh teotia
2013-05-19 11:40:32 UTC
This looks like you are currently logged in as xdm_t? Is this correct? In a terminal window what does "id -Z" show? What login program are you using?

*** Bug 964654 has been marked as a duplicate of this bug. ***

*** Bug 964655 has been marked as a duplicate of this bug. ***

*** Bug 964656 has been marked as a duplicate of this bug. ***

*** Bug 964657 has been marked as a duplicate of this bug. ***

*** Bug 964666 has been marked as a duplicate of this bug. ***

Just installed Fedora 19 x86_64 on a test machine and got exactly the same SELinux alert. I was logged in as me, not xdm_t.

$ id -a
uid=1000(test) gid=1000(test) groups=1000(test),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

I'd previously gotten another alert:

SELinux is preventing /opt/google/chrome/chrome from getattr access on the unix_stream_socket unix_stream_socket.

I can post the details of that one if it's of interest.

(In reply to Paul Dugas from comment #7)
> Just installed Fedora 19 x86_64 on a test machine and got exactly the same
> SELinux alert. I was logged in as me, not xdm_t.
>
> $ id -a
> uid=1000(test) gid=1000(test) groups=1000(test),10(wheel)
> context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>
> I'd previously gotten another alert:
>
> SELinux is preventing /opt/google/chrome/chrome from getattr access on the
> unix_stream_socket unix_stream_socket.
>
> I can post the details of that one if it's of interest.

Yes, please. Thank you.

Description of problem:
every time I use chrome

Additional info:
reporter: libreport-2.1.5
hashmarkername: setroubleshoot
kernel: 3.9.6-301.fc19.x86_64
type: libreport

Please append the AVC messages.

Description of problem:
Fedora 19, updated from F18.
Started Chrome

Additional info:
reporter: libreport-2.1.5
hashmarkername: setroubleshoot
kernel: 3.9.8-300.fc19.x86_64
type: libreport

Description of problem:
started Chrome on F19

Additional info:
reporter: libreport-2.1.5
hashmarkername: setroubleshoot
kernel: 3.9.8-300.fc19.x86_64
type: libreport

Just a bit of potentially irrelevant information.....

Running F19, fedup'ed from F18, in a VM (64bit)

google-chrome-stable-28.0.1500.70-209565.x86_64

[egreshko@f18x ~]$ uname -r
3.9.8-300.fc19.x86_64

And I do not get that AVC.

Description of problem:
I have just installed Fedora 19 and I am using EasyLive to install packages automatically. And suddenly this bug message appears. I have Firefox 22 open, Nautilus, a terminal, and this window reporting the bug. I am a big fan of Fedora, it is very good. Thank you

Additional info:
reporter: libreport-2.1.5
hashmarkername: setroubleshoot
kernel: 3.9.9-301.fc19.i686
type: libreport

Description of problem:
Just running Chrome is enough to trigger this problem. Also, one cannot create a local policy file following the troubleshooter guide. Here's the output:

[root@trident Security]# grep chrome /var/log/audit/audit.log | audit2allow -M chrome
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i chrome.pp

[root@trident Security]# semodule -i chrome.pp
libsepol.print_missing_requirements: chrome's global requirements were not met: type/attribute chrome_sandbox_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule: Failed!

Additional info:
reporter: libreport-2.1.5
hashmarkername: setroubleshoot
kernel: 3.9.9-301.fc19.x86_64
type: libreport

grep chrome /var/log/audit/audit.log | audit2allow -M mychrome
semodule -i mychrome.pp

What login program are you using? gdm?

(In reply to Daniel Walsh from comment #17)
> What login program are you using? gdm?
Yes, and the mission-control SELinux messages are back as well.

(In reply to Daniel Walsh from comment #16)
> grep chrome /var/log/audit/audit.log | audit2allow -M mychrome
> semodule -i mychrome.pp

Thanks, that did the trick (at least the local policy is added).

Looks like gdm is leaking a unix_stream_socket into the user session.

can you run lsof as root after starting chrome and attach it here?

Created attachment 771687 [details]
lsof as root after starting Chrome - gdm login, KDE desktop
lsof captured from a KDE session via script. It has been edited to remove the control characters.
Created attachment 771688 [details]
lsof as root after starting Chrome - gdm login,Gnome desktop
lsof captured via script. The output was edited to remove control characters.
so chrome-sandbox has 4 sockets:

chrome-sa 1u unix 0xffff88022f208000 0t0 299256 socket
chrome-sa 2u unix 0xffff88022f208000 0t0 299256 socket
chrome-sa 3u unix 0xffff88022f118000 0t0 303717 socket
chrome-sa 5u unix 0xffff88022f118340 0t0 303713 socket

If it's leaked, it's going to be the top one. running this:

$ cat /tmp/foo |grep 0xffff88022f208000 |grep -iv chrome

I see that the socket is present in a bunch of processes including startkde. But it's not in gdm-session-worker (the thing that spawns the session), so i'm really not sure. maybe some pam module?

Did you log in with a password or fingerprint? if password, can you attach /etc/pam.d/password-auth and /etc/pam.d/gdm-password ?

and if fingerprint /etc/pam.d/finger-print-auth and /etc/pam.d/gdm-fingerprint would be good.

(In reply to Ray Strode [halfline] from comment #24)
> so chrome-sandbox has 4 sockets:
>
> chrome-sa 1u unix 0xffff88022f208000 0t0 299256 socket
> chrome-sa 2u unix 0xffff88022f208000 0t0 299256 socket
> chrome-sa 3u unix 0xffff88022f118000 0t0 303717 socket
> chrome-sa 5u unix 0xffff88022f118340 0t0 303713 socket
>
> If it's leaked, it's going to be the top one. running this:
>
> $ cat /tmp/foo |grep 0xffff88022f208000 |grep -iv chrome
>
> I see that the socket is present in a bunch of processes including startkde.
> But it's not in gdm-session-worker (the thing that spawns the session), so
> i'm really not sure. maybe some pam module?
>
> Did you log in with a password or fingerprint? if password, can you attach
> /etc/pam.d/password-auth and /etc/pam.d/gdm-password ?
>
> and if fingerprint /etc/pam.d/finger-print-auth and
> /etc/pam.d/gdm-fingerprint would be good.

Sigh, I see I didn't completely clean up after the upgrade. Although this just recently started, I should probably do the following:

1. Merge the following:
   fingerprint-auth.rpmnew
   postlogin.rpmnew
   system-auth.rpmnew
   password-auth.rpmnew
   smartcard-auth.rpmnew
2. Recreate the lsof output

Since I've not made changes from the stock configuration, this should be fairly straightforward. I do use a password (this laptop does not have a fingerprint reader). I'll do that shortly, as well as attach password-auth and gdm-password.

Created attachment 771752 [details]
lsof as root after starting Chrome - gdm login, KDE desktop
This is after merging all .rpmnew files in /etc/pam.d
Created attachment 771753 [details]
lsof as root after starting Chrome - gdm login, Gnome desktop
This is after the merge of all .rpmnew files in /etc/pam.d
Created attachment 771755 [details]
/etc/pam.d/password-auth
Created attachment 771756 [details]
/etc/pam.d/gdm-password
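The check Ray Strode ran by hand in comment #24 (find every process that holds the same unix socket as chrome-sandbox, drop the chrome processes, and see whether the session spawner is among the rest) can be automated over an lsof capture like the attachments above. The following is an added example written for this page, not code from the bug, from gdm or from any of the participants. The lsof text is constructed for the example: the four chrome-sandbox rows are the ones quoted in comment #24, the PID and USER columns and all other rows are made up, and the command names (`startkde`, `kwin`, `gdm-session-worker`) are assumptions about what a real capture would contain.

```python
from collections import defaultdict

# Constructed lsof output (column layout of `lsof` with the FD/TYPE/DEVICE/NODE
# columns, as in the attachments on this bug). Only the chrome-sandbox socket
# rows are taken from comment #24; everything else is made up for the example.
SAMPLE_LSOF = """\
COMMAND            PID USER  FD TYPE             DEVICE SIZE/OFF   NODE NAME
gdm-session-worker 1301 root  3u unix 0xffff88022f0aa000      0t0 298001 socket
startkde           1402 test  1u unix 0xffff88022f208000      0t0 299256 socket
startkde           1402 test  2u unix 0xffff88022f208000      0t0 299256 socket
kwin               1455 test  1u unix 0xffff88022f208000      0t0 299256 socket
chrome             2001 test  9u unix 0xffff88022f118000      0t0 303717 socket
chrome-sandbox     2002 test  1u unix 0xffff88022f208000      0t0 299256 socket
chrome-sandbox     2002 test  2u unix 0xffff88022f208000      0t0 299256 socket
chrome-sandbox     2002 test  3u unix 0xffff88022f118000      0t0 303717 socket
chrome-sandbox     2002 test  5u unix 0xffff88022f118340      0t0 303713 socket
"""


def parse_lsof(text):
    """Keep the unix-socket rows of an lsof listing as dicts.
    Columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 9 or parts[4] != 'unix':
            continue  # header line or a non-socket entry
        rows.append({
            'command': parts[0],
            'pid': int(parts[1]),
            'fd': int(parts[3].rstrip('rwu')),   # "1u" -> 1
            'device': parts[5],                  # kernel address of the socket
            'node': int(parts[7]),               # socket inode, shared across holders
        })
    return rows


def shared_sockets(rows, command, family, spawner):
    """For each unix socket open in `command`, report which fds it sits on,
    which commands outside `family` also hold it (the `grep -iv chrome` step),
    and whether the session spawner holds it. The same inode in several
    processes means the descriptor was inherited, not opened independently."""
    by_node = defaultdict(list)
    for r in rows:
        by_node[r['node']].append(r)
    report = {}
    for node, holders in by_node.items():
        mine = [h for h in holders if h['command'] == command]
        if not mine:
            continue
        report[node] = {
            'fds': sorted({h['fd'] for h in mine}),
            'other_holders': sorted({h['command'] for h in holders
                                     if family not in h['command']}),
            'held_by_spawner': any(h['command'] == spawner for h in holders),
        }
    return report


def suspect_leaks(report):
    """Sockets that unrelated processes share with the target: candidates for
    a descriptor leaked into the session by whatever launched it."""
    return sorted(node for node, info in report.items() if info['other_holders'])


if __name__ == '__main__':
    rows = parse_lsof(SAMPLE_LSOF)
    report = shared_sockets(rows, 'chrome-sandbox', 'chrome', 'gdm-session-worker')
    for node in suspect_leaks(report):
        info = report[node]
        print(f"socket inode {node}: fds {info['fds']} in chrome-sandbox, also held by "
              f"{info['other_holders']}, spawner holds it: {info['held_by_spawner']}")
```

In the quoted rows the shared socket is on fds 1 and 2 of chrome-sandbox, that is, its stdout and stderr, which fits a descriptor passed down through the session's standard streams rather than one chrome opened itself; the "held_by_spawner" flag is the test from comment #24 for whether the inheritance chain reaches gdm-session-worker.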
Description of problem:
Opened a folder

Additional info:
reporter: libreport-2.1.5
hashmarkername: setroubleshoot
kernel: 3.9.9-301.fc19.x86_64
type: libreport

Description of problem:
I guess Nautilus was trying to create a thumbnail of my video file that was just being downloaded.

Additional info:
reporter: libreport-2.1.5
hashmarkername: setroubleshoot
kernel: 3.10.3-300.fc19.x86_64
type: libreport

Description of problem:
Started Chrome

Additional info:
reporter: libreport-2.1.5
hashmarkername: setroubleshoot
kernel: 3.10.4-300.fc19.x86_64
type: libreport

Description of problem:
Opened a folder with PDF files in it ... in ~/Dropbox

Additional info:
reporter: libreport-2.1.6
hashmarkername: setroubleshoot
kernel: 3.10.7-200.fc19.x86_64
type: libreport

*** Bug 1028720 has been marked as a duplicate of this bug. ***

Description of problem:
Scanning an exfat sdcard containing directories with mp3 files

Additional info:
reporter: libreport-2.1.10
hashmarkername: setroubleshoot
kernel: 3.12.5-302.fc20.x86_64
type: libreport

Can someone give me the output of id -Z in a terminal window?

# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

And Mikhail are you seeing this problem?

(In reply to Daniel Walsh from comment #38)
> And Mikhail are you seeing this problem?

at current time, no

The problem went away a long time ago

*** Bug 1040592 has been marked as a duplicate of this bug. ***

Should not be marked as closed. I just now encountered the bug (in the totem thumbnail viewer program) after a full update.

Could you attach the AVC's you are now getting?

(In reply to Daniel Walsh from comment #43)
> Could you attach the AVC's you are now getting?

Here is the text from "Notify Admin"

SELinux is preventing /usr/bin/totem-video-thumbnailer from connectto access on the unix_stream_socket @/tmp/dbus-Vt5LVEeu4E.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that totem-video-thumbnailer should be allowed connectto access on the dbus-Vt5LVEeu4E unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep totem-video-thu /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Target Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Objects                @/tmp/dbus-Vt5LVEeu4E [ unix_stream_socket ]
Source                        totem-video-thu
Source Path                   /usr/bin/totem-video-thumbnailer
Port                          <Unknown>
Host                          tattie
Source RPM Packages           totem-3.10.1-1.fc20.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-106.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     tattie
Platform                      Linux tattie 3.12.6-300.fc20.x86_64 #1 SMP Mon Dec 23 16:44:31 UTC 2013 x86_64 x86_64
Alert Count                   2
First Seen                    2014-02-15 20:12:41 EST
Last Seen                     2014-02-23 23:46:51 EST
Local ID                      c4c3ad4d-f90a-48b4-8724-ff4637f8221e

Raw Audit Messages
type=AVC msg=audit(1393217211.147:529): avc: denied { connectto } for pid=2042 comm="totem-video-thu" path=002F746D702F646275732D5674354C564565753445 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=unix_stream_socket

type=SYSCALL msg=audit(1393217211.147:529): arch=x86_64 syscall=connect success=no exit=EACCES a0=3 a1=7fffb42fdad0 a2=17 a3=0 items=0 ppid=1850 pid=2042 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=1 tty=(none) comm=totem-video-thu exe=/usr/bin/totem-video-thumbnailer subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)

Hash: totem-video-thu,thumb_t,xdm_t,unix_stream_socket,connectto

Apologies for the delay.

It is intermittent.

(In reply to mcnelson from comment #45)
> Apologies for the delay.
> It is intermittent.

Could you open a new bug for f20 release. This bug is about f19.

The bug report was generated on a F20 machine. The bug report tool determined it is a duplicate of this F19 bug. So, you have another bug. I do not know how to manually get around that error in your bug reporting tool, and unfortunately, my schedule at this moment does not allow me to take time away from other tasks to learn about it. If you fix your bug reporting tool, I am happy to report the bug again when it comes up. And it does come up regularly on machines that are powered off and on.

I encountered this bug on Fedora 20 with totem-video-thumbnailer. There isn't much info reported in SETroubleshooter, strangely. Only this:

SELinux is preventing /usr/bin/totem-video-thumbnailer from connectto access on the unix_stream_socket .

And I'm using MATE with lightdm, not gdm.

selinux-policy-targeted-3.12.1-127.fc20.noarch
lightdm-1.8.5-2.fc20.x86_64
totem-3.10.1-1.fc20.x86_64

I got this bug on F20. Can we please have it reopened and the Version: set to 20 since it's still happening?

SELinux is preventing /usr/bin/totem-video-thumbnailer from connectto access on the unix_stream_socket @/tmp/dbus-bknjsaHcKu.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that totem-video-thumbnailer should be allowed connectto access on the dbus-bknjsaHcKu unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep totem-video-thu /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Target Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Objects                @/tmp/dbus-bknjsaHcKu [ unix_stream_socket ]
Source                        totem-video-thu
Source Path                   /usr/bin/totem-video-thumbnailer
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           totem-3.10.1-1.fc20.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-122.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux brian-laptop 3.13.4-200.fc20.x86_64 #1 SMP Thu Feb 20 23:00:47 UTC 2014 x86_64 x86_64
Alert Count                   5
First Seen                    2014-02-25 10:01:17 EST
Last Seen                     2014-03-19 15:03:48 EDT
Local ID                      23da223c-6689-4e21-be71-06be3148ea92

Raw Audit Messages
type=AVC msg=audit(1395255828.29:446): avc: denied { connectto } for pid=2570 comm="totem-video-thu" path=002F746D702F646275732D626B6E6A736148634B75 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=unix_stream_socket

type=SYSCALL msg=audit(1395255828.29:446): arch=x86_64 syscall=connect success=no exit=EACCES a0=3 a1=7fff8f9b3b00 a2=17 a3=0 items=0 ppid=2266 pid=2570 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 ses=1 tty=(none) comm=totem-video-thu exe=/usr/bin/totem-video-thumbnailer subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)

Hash: totem-video-thu,thumb_t,xdm_t,unix_stream_socket,connectto
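The setroubleshoot reports in this thread all come down to a few fields of the raw `type=AVC` record: the permission, the source and target types, the object class, and a `path` that auditd hex-encodes because the abstract socket name starts with a NUL byte. Before running the `audit2allow -M ... ; semodule -i ...` recipe the alerts suggest, it is worth seeing exactly which rule that recipe would install, since the earlier `-M chrome` attempt shows that the module name matters: a module named `chrome` replaces the distribution's module of that name, which is where `chrome_sandbox_t` is declared, and the install fails; a distinct name such as the `mychrome` used later in the thread avoids that. The following is an added example written for this page, not code from setroubleshoot, audit2allow or this bug. The two AVC records are copied from the reports above; the set of hex-encoded field names, the "display-manager socket" heuristic (taken from the gdm diagnosis in this thread) and the comma-joined signature for multi-permission denials are assumptions.

```python
import re

# Raw AVC records as pasted in the two totem-video-thumbnailer reports on this bug.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1393217211.147:529): avc: denied { connectto } for '
    'pid=2042 comm="totem-video-thu" path=002F746D702F646275732D5674354C564565753445 '
    'scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=unix_stream_socket',
    'type=AVC msg=audit(1395255828.29:446): avc: denied { connectto } for '
    'pid=2570 comm="totem-video-thu" path=002F746D702F646275732D626B6E6A736148634B75 '
    'scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=unix_stream_socket',
]

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$')
# key=value pairs: the value is either double-quoted or a bare run of non-spaces.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX_RE = re.compile(r'^(?:[0-9A-Fa-f]{2})+$')
# Assumption: string fields auditd emits hex-encoded when they hold unprintable bytes.
HEX_ENCODED_FIELDS = {'path', 'comm', 'name', 'exe', 'proctitle'}


def decode_audit_field(value):
    """Turn an unquoted, hex-encoded audit string back into text. A leading NUL
    means an abstract unix socket; render it with a leading '@' as setroubleshoot does."""
    if not HEX_RE.match(value):
        return value
    text = bytes.fromhex(value).decode('utf-8', errors='replace')
    return '@' + text[1:] if text.startswith('\x00') else text


def selinux_type(context):
    """user:role:type[:range] -> type"""
    return context.split(':')[2]


def parse_avc(line):
    """Parse one type=AVC record into a dict; return None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    avc = {'result': m.group('result'), 'perms': m.group('perms').split()}
    for key, quoted, bare in KV_RE.findall(m.group('rest')):
        if bare == '':
            avc[key] = quoted
        elif key in HEX_ENCODED_FIELDS:
            avc[key] = decode_audit_field(bare)
        else:
            avc[key] = bare
    if 'scontext' not in avc or 'tcontext' not in avc:
        return None
    avc['source_type'] = selinux_type(avc['scontext'])
    avc['target_type'] = selinux_type(avc['tcontext'])
    avc.setdefault('tclass', '')
    avc.setdefault('comm', '')
    return avc


def setroubleshoot_signature(avc):
    """The 'Hash:' line setroubleshoot prints: comm,source type,target type,class,perm
    (perms joined with commas here; the page only shows the single-permission form)."""
    return ','.join([avc['comm'], avc['source_type'], avc['target_type'],
                     avc['tclass'], ','.join(avc['perms'])])


def allow_rule(avc):
    """The TE allow rule audit2allow would generate for this denial, so it can be
    reviewed before being compiled into a local module."""
    perms = avc['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {avc['source_type']} {avc['target_type']}:{avc['tclass']} {perm_str};"


def looks_like_display_manager_leak(avc):
    """Heuristic from this bug: a confined desktop process denied access to a
    unix_stream_socket labelled xdm_t usually means a display-manager socket was
    inherited by the user session, which a local allow rule would paper over."""
    return (avc['tclass'] == 'unix_stream_socket'
            and avc['target_type'] == 'xdm_t'
            and avc['source_type'] != 'xdm_t')


def triage(lines):
    """Summarise the denials in a chunk of audit.log."""
    out = []
    for line in lines:
        avc = parse_avc(line)
        if avc is None or avc['result'] != 'denied':
            continue
        out.append({'signature': setroubleshoot_signature(avc),
                    'target': avc.get('path', ''),
                    'rule': allow_rule(avc),
                    'dm_leak': looks_like_display_manager_leak(avc)})
    return out


if __name__ == '__main__':
    for item in triage(SAMPLE_AVCS):
        print(item)
```

Run against the two records from this bug, the decoded target is the abstract socket `@/tmp/dbus-...` shown in the alerts, the signature matches the `Hash:` line, and the rule that `audit2allow` would write is `allow thumb_t xdm_t:unix_stream_socket connectto;`, which grants every thumbnailer access to the display manager's sockets rather than fixing the inherited descriptor.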