Red Hat Bugzilla – Bug 1028993
SELinux is preventing /opt/google/chrome/chrome from 'read' accesses on the file /home/misha/.fonts/webcore/arial.ttf.
Last modified: 2014-08-22 09:08:44 EDT
Description of problem: SELinux is preventing /opt/google/chrome/chrome from 'read' accesses on the file /home/misha/.fonts/webcore/arial.ttf. ***** Plugin restorecon (66.7 confidence) suggests ************************* If необходимо исправить метку. Стандартная метка для /home/misha/.fonts/webcore/arial.ttf: user_fonts_t. Then можно выполнить restorecon. Do # /sbin/restorecon -v /home/misha/.fonts/webcore/arial.ttf ***** Plugin chrome (33.6 confidence) suggests ***************************** If you want to use the plugin package Then you must turn off SELinux controls on the Chrome plugins. Do # setsebool -P unconfined_chrome_sandbox_transition 0 ***** Plugin catchall (1.16 confidence) suggests *************************** If вы считаете, что chrome следует разрешить доступ read к arial.ttf file по умолчанию. Then рекомендуется создать отчет об ошибке. Чтобы разрешить доступ, можно создать локальный модуль политики. Do чтобы разрешить доступ, выполните: # grep chrome /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c 0.c1023 Target Context unconfined_u:object_r:samba_share_t:s0 Target Objects /home/misha/.fonts/webcore/arial.ttf [ file ] Source chrome Source Path /opt/google/chrome/chrome Port <Неизвестно> Host (removed) Source RPM Packages google-chrome-stable-29.0.1547.76-223446.x86_64 Target RPM Packages Policy RPM selinux-policy-3.12.1-74.3.fc19.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 3.11.1-200.fc19.x86_64 #1 SMP Sat Sep 14 15:04:51 UTC 2013 x86_64 x86_64 Alert Count 174 First Seen 2013-09-24 19:59:32 IRKT Last Seen 2013-09-24 20:17:43 IRKT Local ID 226d9560-3922-40b0-a270-d06f7e767035 Raw Audit Messages type=AVC msg=audit(1380021463.511:764): avc: denied { read } for pid=5854 comm="chrome" path="/home/misha/.fonts/webcore/arial.ttf" dev="sdb4" ino=16097335 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file type=SYSCALL msg=audit(1380021463.511:764): arch=x86_64 syscall=recvmsg success=yes exit=ENOEXEC a0=18 a1=7fff344f6e90 a2=0 a3=7fff344f6fa0 items=0 ppid=6 pid=5854 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=2 tty=(none) comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null) Hash: chrome,chrome_sandbox_t,samba_share_t,file,read Additional info: reporter: libreport-2.1.9 hashmarkername: setroubleshoot kernel: 3.11.7-200.fc19.x86_64 type: libreport
Did you label your homedir as samba_share_t? This is wrong, if you want to share your homedir via samba use samba_enable_home_dirs boolean man samba_selinux ... If you want to allow samba to share users home directories, you must turn on the samba_enable_home_dirs boolean. Disabled by default. setsebool -P samba_enable_home_dirs 1 If you used semanage fcontext to setup samba_share_t for your homedir, you will need to remove this record and run restorecon.