Bug 984208

Summary: SELinux is preventing /opt/google/chrome/chrome from 'write' accesses on the directory ccpp-2013-07-13-16:47:07-3233.
Product: [Fedora] Fedora Reporter: Evgeny <evgeny.kukanov>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED WONTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 17CC: dominick.grift, dwalsh, lvrabec, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: i686   
OS: Unspecified   
Whiteboard: abrt_hash:0f20a4f5929e4ec7ed6f84fa035392cf586e9be62984cf947b9f95399b586985
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-08-01 18:45:26 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Evgeny 2013-07-13 16:05:43 UTC 
Description of problem:
SELinux is preventing /opt/google/chrome/chrome from 'write' accesses on the directory ccpp-2013-07-13-16:47:07-3233.

*****  Plugin catchall (100. confidence) suggests  ***************************

If вы считаете, что chrome следует разрешить доступ write к ccpp-2013-07-13-16:47:07-3233 directory по умолчанию.
Then рекомендуется создать отчет об ошибке.
Чтобы разрешить доступ, можно создать локальный модуль политики.
Do
чтобы разрешить доступ, выполните:
# grep chrome /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
                              0.c1023
Target Context                unconfined_u:object_r:cache_home_t:s0
Target Objects                ccpp-2013-07-13-16:47:07-3233 [ dir ]
Source                        chrome
Source Path                   /opt/google/chrome/chrome
Port                          <Неизвестно>
Host                          (removed)
Source RPM Packages           google-chrome-stable-28.0.1500.71-209842.i386
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-170.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.9.8-100.fc17.i686 #1 SMP Thu Jun
                              27 19:56:32 UTC 2013 i686 i686
Alert Count                   1
First Seen                    2013-07-13 19:52:53 MSK
Last Seen                     2013-07-13 19:52:53 MSK
Local ID                      ea280736-5bc8-497b-97d9-6585a747721f

Raw Audit Messages
type=AVC msg=audit(1373730773.154:107): avc:  denied  { write } for  pid=5313 comm="chrome" name="ccpp-2013-07-13-16:47:07-3233" dev="sda3" ino=2883585 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=dir


type=SYSCALL msg=audit(1373730773.154:107): arch=i386 syscall=open success=no exit=EACCES a0=b932fa5c a1=8441 a2=1b6 a3=b9357b00 items=0 ppid=0 pid=5313 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=1 tty=(none) comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Hash: chrome,chrome_sandbox_t,cache_home_t,dir,write

audit2allow

#============= chrome_sandbox_t ==============
#!!!! The source type 'chrome_sandbox_t' can write to a 'dir' of the following types:
# home_cert_t, user_home_dir_t, cgroup_t, tmpfs_t, tmp_t, user_fonts_cache_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmp_t

allow chrome_sandbox_t cache_home_t:dir write;

audit2allow -R

#============= chrome_sandbox_t ==============
#!!!! The source type 'chrome_sandbox_t' can write to a 'dir' of the following types:
# home_cert_t, user_home_dir_t, cgroup_t, tmpfs_t, tmp_t, user_fonts_cache_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmp_t

allow chrome_sandbox_t cache_home_t:dir write;


Additional info:
hashmarkername: setroubleshoot
kernel:         3.9.8-100.fc17.i686
type:           libreport
Comment 1 Lukas Vrabec 2013-07-19 11:41:30 UTC 
Look like another google chrome bug with saving some tmp files to user homedir. Try to update to version 29, this might fix the bug.
Comment 2 Daniel Walsh 2013-07-22 14:10:51 UTC 
We allow this in F19/F20 I believe, not sure F18, time to update.
Comment 3 Miroslav Grepl 2013-07-26 10:27:26 UTC 
commit d885be6b11d1f09dfb6854c433582864e4e6b721
Author: Miroslav Grepl <mgrepl>
Date:   Fri Jul 26 12:27:16 2013 +0200

    Back port chrome_sandbox_t fixes for #984208
Comment 4 Fedora End Of Life 2013-08-01 18:45:30 UTC 
Fedora 17 changed to end-of-life (EOL) status on 2013-07-30. Fedora 17 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.