Bug 1028993 - SELinux is preventing /opt/google/chrome/chrome from 'read' accesses on the file /home/misha/.fonts/webcore/arial.ttf.
Product: Fedora
Classification: Fedora
Component: selinux-policy
x86_64 Unspecified
unspecified Severity unspecified
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
Reported: 2013-11-11 07:43 EST by Misha Shnurapet
Modified: 2014-08-22 09:08 EDT
Doc Type: Bug Fix
Last Closed: 2014-08-22 09:08:44 EDT
Description Misha Shnurapet 2013-11-11 07:43:28 EST
Description of problem:
SELinux is preventing /opt/google/chrome/chrome from 'read' accesses on the file /home/misha/.fonts/webcore/arial.ttf.

*****  Plugin restorecon (66.7 confidence) suggests  *************************

If необходимо исправить метку.
Стандартная метка для /home/misha/.fonts/webcore/arial.ttf: user_fonts_t.
Then можно выполнить restorecon.
# /sbin/restorecon -v /home/misha/.fonts/webcore/arial.ttf

*****  Plugin chrome (33.6 confidence) suggests  *****************************

If you want to use the plugin package
Then you must turn off SELinux controls on the Chrome plugins.
# setsebool -P unconfined_chrome_sandbox_transition 0

*****  Plugin catchall (1.16 confidence) suggests  ***************************

If вы считаете, что chrome следует разрешить доступ read к arial.ttf file по умолчанию.
Then рекомендуется создать отчет об ошибке.
Чтобы разрешить доступ, можно создать локальный модуль политики.
чтобы разрешить доступ, выполните:
# grep chrome /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
Target Context                unconfined_u:object_r:samba_share_t:s0
Target Objects                /home/misha/.fonts/webcore/arial.ttf [ file ]
Source                        chrome
Source Path                   /opt/google/chrome/chrome
Port                          <Неизвестно>
Host                          (removed)
Source RPM Packages           google-chrome-stable-29.0.1547.76-223446.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-74.3.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.11.1-200.fc19.x86_64 #1 SMP Sat
                              Sep 14 15:04:51 UTC 2013 x86_64 x86_64
Alert Count                   174
First Seen                    2013-09-24 19:59:32 IRKT
Last Seen                     2013-09-24 20:17:43 IRKT
Local ID                      226d9560-3922-40b0-a270-d06f7e767035

Raw Audit Messages
type=AVC msg=audit(1380021463.511:764): avc:  denied  { read } for  pid=5854 comm="chrome" path="/home/misha/.fonts/webcore/arial.ttf" dev="sdb4" ino=16097335 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file

type=SYSCALL msg=audit(1380021463.511:764): arch=x86_64 syscall=recvmsg success=yes exit=ENOEXEC a0=18 a1=7fff344f6e90 a2=0 a3=7fff344f6fa0 items=0 ppid=6 pid=5854 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=2 tty=(none) comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Hash: chrome,chrome_sandbox_t,samba_share_t,file,read

Additional info:
reporter:       libreport-2.1.9
hashmarkername: setroubleshoot
kernel:         3.11.7-200.fc19.x86_64
type:           libreport
Comment 1 Daniel Walsh 2013-11-11 15:58:44 EST
Did you label your homedir as samba_share_t?  This is wrong; if you want to share your homedir via samba, use the samba_enable_home_dirs boolean.

man samba_selinux
       If you want to allow samba to share users home directories, you must turn on the samba_enable_home_dirs boolean. Disabled by default.

       setsebool -P samba_enable_home_dirs 1

If you used semanage fcontext to set up samba_share_t for your homedir, you will need to remove this record and run restorecon.
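
Added example, not part of the bug report or of setroubleshoot: a small Python triage of the AVC record above that separates a mislabeled file (fix the label) from a denial that would actually need a policy change. The function names are hypothetical, and the expected type `user_fonts_t` is taken from the alert's restorecon suggestion rather than looked up on a live system.

```python
import re

# AVC record copied from this report's "Raw Audit Messages".
AVC = ('type=AVC msg=audit(1380021463.511:764): avc:  denied  { read } for  '
       'pid=5854 comm="chrome" path="/home/misha/.fonts/webcore/arial.ttf" '
       'dev="sdb4" ino=16097335 '
       'scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 '
       'tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file')


def parse_avc(line):
    """Parse one AVC denial into a dict; return None for any other record."""
    denied = re.search(r'avc:\s+denied\s+\{([^}]*)\}', line)
    if not denied:
        return None
    rec = {'perms': denied.group(1).split()}
    # Fields are key=value; a value is either "quoted" or runs to whitespace.
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line):
        rec[key] = quoted or bare
    # A context is user:role:type:level. Only the level may contain further
    # colons (s0-s0:c0.c1023), so the type is always the third field.
    for side in ('scontext', 'tcontext'):
        rec[side + '_type'] = rec[side].split(':')[2]
    return rec


def signature(rec):
    """Same fields as the report's 'Hash:' line, for grouping repeat alerts."""
    return ','.join([rec['comm'], rec['scontext_type'], rec['tcontext_type'],
                     rec['tclass'], *rec['perms']])


def triage(rec, default_type):
    """Decide between relabeling and a policy change.

    default_type is the type the file-context rules assign to rec['path'];
    the caller supplies it (assumption: looked up with matchpathcon on the
    affected host, or read from the alert's restorecon suggestion).
    """
    if rec['tcontext_type'] != default_type:
        return 'relabel'   # the file is mislabeled; policy is not at fault
    return 'policy'        # label is correct; the denial is a policy question


if __name__ == '__main__':
    rec = parse_avc(AVC)
    print(signature(rec), '->', triage(rec, 'user_fonts_t'))
```

A `relabel` result means the audit2allow route from the catchall plugin would only paper over the wrong label; the label itself is what needs correcting.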
