Bug 1193801 - SELinux is preventing chrome-sandbox from 'write' accesses on the file oom_score_adj.
Summary: SELinux is preventing chrome-sandbox from 'write' accesses on the file oom_sc...
Keywords:
Status: CLOSED DUPLICATE of bug 896177
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 21
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:970de26506863147140f7a67a03...
Depends On:
Blocks:
 
Reported: 2015-02-18 09:20 UTC by Mikhail
Modified: 2015-05-12 09:54 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-02-18 12:48:57 UTC
Type: ---



Description Mikhail 2015-02-18 09:20:20 UTC
Description of problem:
SELinux is preventing chrome-sandbox from 'write' accesses on the file oom_score_adj.

*****  Plugin chrome (98.5 confidence) suggests   ****************************

If you want to use the plugin package
Then you must turn off SELinux controls on the Chrome plugins.
Do
# setsebool -P unconfined_chrome_sandbox_transition 0

*****  Plugin catchall (2.46 confidence) suggests   **************************

If you believe that chrome-sandbox should be allowed write access on the oom_score_adj file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep chrome-sandbox /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
                              0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Objects                oom_score_adj [ file ]
Source                        chrome-sandbox
Source Path                   chrome-sandbox
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-105.3.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.18.7-200.fc21.x86_64+debug #1
                              SMP Wed Feb 11 21:35:41 UTC 2015 x86_64 x86_64
Alert Count                   220
First Seen                    2015-02-18 10:10:18 YEKT
Last Seen                     2015-02-18 13:56:31 YEKT
Local ID                      a9cd17bc-185f-4117-8e43-509ed36545b1

Raw Audit Messages
type=AVC msg=audit(1424249791.688:1278): avc:  denied  { write } for  pid=1421 comm="chrome-sandbox" name="oom_score_adj" dev="proc" ino=4881287 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file permissive=1


Hash: chrome-sandbox,chrome_sandbox_t,unconfined_t,file,write

Version-Release number of selected component:
selinux-policy-3.13.1-105.3.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.18.7-200.fc21.x86_64+debug
type:           libreport

Potential duplicate: bug 896177

Comment 1 Lukas Vrabec 2015-02-18 12:48:57 UTC
Follow the steps in your report to fix your issue.

*****  Plugin chrome (98.5 confidence) suggests   ****************************

If you want to use the plugin package
Then you must turn off SELinux controls on the Chrome plugins.
Do
# setsebool -P unconfined_chrome_sandbox_transition 0

Comment 2 Mikhail 2015-02-18 19:50:20 UTC
Lukas, I don't understand which plugin causes this, or is it the browser itself?

Comment 3 giupardeb 2015-04-15 09:07:05 UTC
Description of problem:
Upgrade tampermonkey plugin

Version-Release number of selected component:
selinux-policy-3.13.1-105.11.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.3-200.fc21.x86_64
type:           libreport

Comment 4 Mattia 2015-04-15 13:10:42 UTC
Description of problem:
This bug appears about every 5 minutes while I use Google Chrome ... there is no particular action or event that triggers it; simply browsing with Google Chrome is enough.

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.3-200.fc21.x86_64
type:           libreport

Comment 5 Scott R. Godin 2015-04-15 13:56:33 UTC
See also bug 1200565 and bug 581256 for additional details as to why this will not be fixed in SELinux. Please report this bug to Chrome developers at Google.

Comment 6 Scott R. Godin 2015-04-15 14:09:16 UTC
reported to google at https://code.google.com/p/chromium/issues/detail?id=477329

Comment 7 Jan Vesely 2015-04-15 15:33:29 UTC
Description of problem:
launched chrome 42

Version-Release number of selected component:
selinux-policy-3.13.1-105.11.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.3-200.fc21.x86_64
type:           libreport

Comment 8 Robert 2015-04-15 16:27:58 UTC
Description of problem:
I logged into my system and attempted to open outlook.com on Google Chrome, and this error and the coinciding error reporting process began.

Version-Release number of selected component:
selinux-policy-3.13.1-105.11.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.3-200.fc21.i686
type:           libreport

Comment 9 Dario Castellarin 2015-04-15 17:08:18 UTC
Description of problem:
Just opened Chrome

Version-Release number of selected component:
selinux-policy-3.13.1-105.11.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.3-200.fc21.x86_64
type:           libreport

Comment 10 long 2015-04-15 19:58:42 UTC
Description of problem:
chrome is just sitting here.

Version-Release number of selected component:
selinux-policy-3.13.1-105.11.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.3-200.fc21.x86_64
type:           libreport

Comment 11 mike simpson 2015-04-16 11:34:06 UTC
Description of problem:
opened Chrome
happens on opening since most recent SELinux policy update
fedora 21
google-chrome-stable (latest)

Version-Release number of selected component:
selinux-policy-3.13.1-105.11.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.3-200.fc21.x86_64
type:           libreport

Comment 12 Michal Nowak 2015-04-16 12:07:35 UTC
Description of problem:
started Chromium

Version-Release number of selected component:
selinux-policy-3.13.1-105.11.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.3-200.fc21.x86_64
type:           libreport

Comment 13 Langdon White 2015-04-16 14:50:40 UTC
Description of problem:
I get this error on chrome start. Perhaps related, if I start chrome and then maximize the window by double clicking on the top bar of the frame, gnome-shell crashes with the "whoops and logout button"

Version-Release number of selected component:
selinux-policy-3.13.1-105.11.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.3-200.fc21.x86_64
type:           libreport

Comment 14 Lukas Vrabec 2015-04-16 17:16:23 UTC
Langdon, 
Did you try the suggestion in that report?

Comment 15 Langdon White 2015-04-16 17:31:22 UTC
(In reply to Lukas Vrabec from comment #14)
> Langdon, 
> Did you try the suggestion in that report?

The workaround seemed to make the SELinux warning go away. However, the problem still exists and is now reported at https://bugzilla.redhat.com/show_bug.cgi?id=1142225

Comment 16 Scott R. Godin 2015-04-16 21:08:09 UTC
How did all of you miss the earlier mention I made of the original bugzilla report wherein it was clearly stated to be a CHROME not an SELINUX bug, and WHY it would NOT be fixed in SELINUX and WHY it should be reported to GOOGLE as a BUG IN CHROME and the fact that I have already done so? 

please post further instances of this bug report on the CHROME BUG linked above in comment #6 instead of following up further to this issue here. 

> reported to google at
> https://code.google.com/p/chromium/issues/detail?id=477329

Comment 17 kentc1967 2015-04-17 06:58:46 UTC
Description of problem:
It happens as soon as I open Google Chrome stable every time.

Version-Release number of selected component:
selinux-policy-3.13.1-105.11.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.3-200.fc21.i686
type:           libreport

Comment 18 Larry 2015-04-17 11:21:03 UTC
Description of problem:
Happened at boot time.

Version-Release number of selected component:
selinux-policy-3.13.1-105.11.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.3-200.fc21.x86_64
type:           libreport

Comment 19 John Duchek 2015-04-17 13:34:00 UTC
Description of problem:
Chrome used to load the passwords keyring when loaded. Now it coughs up this error, and I have to load a password before it will load the others (any password in the keyring). This did not happen before the latest chrome update.

Version-Release number of selected component:
selinux-policy-3.13.1-105.11.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.3-200.fc21.x86_64
type:           libreport

Comment 20 Scott R. Godin 2015-04-17 13:49:46 UTC
09:37 AM {113} localhost: ~>$ rpm -qa --last |egrep 'selinux-policy|google-chrome'
google-chrome-stable-42.0.2311.90-1.x86_64    Wed 15 Apr 2015 09:39:10 AM EDT
selinux-policy-targeted-3.13.1-105.11.fc21.noarch Tue 14 Apr 2015 01:31:15 PM EDT
selinux-policy-3.13.1-105.11.fc21.noarch      Tue 14 Apr 2015 01:29:13 PM EDT

As you can see, Selinux-policy was last updated on the 14th, and google-chrome on the 15th. 

now,

09:37 AM {114} localhost: ~>$ journalctl --since 2015-04-01 |grep setroubleshoot 

results in over 800 lines of repeat on the chrome issue. HOWEVER, right before that is very telling as to exactly when the chrome bug started to show -- NOT when the policy was updated, but when CHROME was updated:
===

Apr 01 10:31:59 localhost.localdomain setroubleshoot[22122]: SELinux is preventing shutdown from using the sys_resource capability. For complete SELinux messages. run sealert -l 00fb7000-198e-40ba-a7ee-cd4f74559cd7
Apr 02 21:09:42 localhost.localdomain setroubleshoot[25729]: SELinux is preventing shutdown from using the sys_resource capability. For complete SELinux messages. run sealert -l 00fb7000-198e-40ba-a7ee-cd4f74559cd7
Apr 02 21:09:42 localhost.localdomain setroubleshoot[25729]: SELinux is preventing shutdown from using the sys_resource capability. For complete SELinux messages. run sealert -l 00fb7000-198e-40ba-a7ee-cd4f74559cd7
Apr 10 14:49:24 localhost.localdomain yum[28225]: Updated: setroubleshoot-server-3.2.22-1.fc21.x86_64
Apr 10 14:49:32 localhost.localdomain yum[28225]: Updated: setroubleshoot-3.2.22-1.fc21.x86_64
Apr 15 09:46:43 localhost.localdomain setroubleshoot[8331]: Deleting alert 00fb7000-198e-40ba-a7ee-cd4f74559cd7, it is allowed in current policy
Apr 15 09:46:45 localhost.localdomain setroubleshoot[8331]: SELinux is preventing chrome-sandbox from write access on the file oom_score_adj. For complete SELinux messages. run sealert -l 0f9a7a4c-40d9-44dd-b397-36471d0bdbe3
Apr 15 09:46:45 localhost.localdomain setroubleshoot[8331]: SELinux is preventing chrome-sandbox from write access on the file oom_adj. For complete SELinux messages. run sealert -l 0f9a7a4c-40d9-44dd-b397-36471d0bdbe3
Apr 15 09:46:45 localhost.localdomain setroubleshoot[8331]: SELinux is preventing chrome-sandbox from write access on the file oom_score_adj. For complete SELinux messages. run sealert -l 0f9a7a4c-40d9-44dd-b397-36471d0bdbe3
Apr 15 09:46:45 localhost.localdomain setroubleshoot[8331]: SELinux is preventing chrome-sandbox from write access on the file oom_adj. For complete SELinux messages. run sealert -l 0f9a7a4c-40d9-44dd-b397-36471d0bdbe3

... ad infinitum out to a total so far of 841 lines to date...

===

notice the dates? I was running chrome right before manually updating it via yum, and restarted it after the update, moments later, and promptly started seeing the messages.

_Chrome problem_. Please follow up with: https://code.google.com/p/chromium/issues/detail?id=477329
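
The correlation argued in comment 20 (first appearance of each alert versus the most recent package transaction before it), as an added Python example that is not part of the original thread. The sample input is a few of the lines quoted in that comment; the function names are hypothetical, and the code assumes both outputs come from the same host in the same local timezone and that the journal lines fall in the year passed in.

```python
import re
from datetime import datetime

# Sample input: lines copied from the `rpm -qa --last` and journalctl output in comment 20.
RPM_LAST = """\
google-chrome-stable-42.0.2311.90-1.x86_64    Wed 15 Apr 2015 09:39:10 AM EDT
selinux-policy-targeted-3.13.1-105.11.fc21.noarch Tue 14 Apr 2015 01:31:15 PM EDT
selinux-policy-3.13.1-105.11.fc21.noarch      Tue 14 Apr 2015 01:29:13 PM EDT
"""
JOURNAL = """\
Apr 02 21:09:42 localhost.localdomain setroubleshoot[25729]: SELinux is preventing shutdown from using the sys_resource capability. For complete SELinux messages. run sealert -l 00fb7000-198e-40ba-a7ee-cd4f74559cd7
Apr 10 14:49:24 localhost.localdomain yum[28225]: Updated: setroubleshoot-server-3.2.22-1.fc21.x86_64
Apr 15 09:46:45 localhost.localdomain setroubleshoot[8331]: SELinux is preventing chrome-sandbox from write access on the file oom_score_adj. For complete SELinux messages. run sealert -l 0f9a7a4c-40d9-44dd-b397-36471d0bdbe3
Apr 15 09:46:45 localhost.localdomain setroubleshoot[8331]: SELinux is preventing chrome-sandbox from write access on the file oom_adj. For complete SELinux messages. run sealert -l 0f9a7a4c-40d9-44dd-b397-36471d0bdbe3
Apr 15 09:46:45 localhost.localdomain setroubleshoot[8331]: SELinux is preventing chrome-sandbox from write access on the file oom_score_adj. For complete SELinux messages. run sealert -l 0f9a7a4c-40d9-44dd-b397-36471d0bdbe3
"""

ALERT_RE = re.compile(
    r"^(\w{3} +\d+ [\d:]{8}) \S+ setroubleshoot\[\d+\]: "
    r"SELinux is preventing (\S+) from (.+?)\. For complete")

def parse_rpm_last(text):
    """Return [(package, install_time)] from `rpm -qa --last` output."""
    installs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pkg, stamp = line.split(None, 1)
        # Drop the trailing zone abbreviation ("EDT"); strptime cannot parse it portably.
        stamp = stamp.rsplit(None, 1)[0]
        installs.append((pkg, datetime.strptime(stamp, "%a %d %b %Y %I:%M:%S %p")))
    return installs

def first_seen(text, year):
    """Map (source, denial) -> earliest alert time. Journal lines carry no year."""
    seen = {}
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            key = (m.group(2), m.group(3))
            seen[key] = min(when, seen.get(key, when))
    return seen

def preceding_update(alert_time, installs):
    """Latest package transaction at or before the alert, or None if there is none."""
    earlier = [(t, pkg) for pkg, t in installs if t <= alert_time]
    return max(earlier)[::-1] if earlier else None

def correlate(rpm_text, journal_text, year):
    """For each distinct alert: (package updated just before it, time gap) or None."""
    installs = parse_rpm_last(rpm_text)
    report = {}
    for key, when in first_seen(journal_text, year).items():
        hit = preceding_update(when, installs)
        report[key] = None if hit is None else (hit[0], when - hit[1])
    return report

if __name__ == "__main__":
    for (src, denial), hit in correlate(RPM_LAST, JOURNAL, 2015).items():
        print(f"{src}: {denial} -> {hit}")
```

`rpm -qa --last` records only the most recent transaction per package, so an alert that predates every listed install time comes back as `None` rather than being attributed to a package.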

Comment 21 Jan Vesely 2015-04-17 15:15:55 UTC
(In reply to Scott R. Godin from comment #20)
> notice the dates? I was running chrome right before manually updating it via
> yum, and restarted it after the update, moments later, and promptly started
> seeing the messages.
> 
> _Chrome problem_. Please follow up with:
> https://code.google.com/p/chromium/issues/detail?id=477329

it'd be easier to do if the link you keep posting was not access restricted ("403. That’s an error.")

Comment 22 phil 2015-04-18 09:42:11 UTC
Description of problem:
started chrome.

Version-Release number of selected component:
selinux-policy-3.13.1-105.11.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.3-200.fc21.x86_64
type:           libreport

Comment 23 zcoalminer 2015-04-19 03:28:25 UTC
Description of problem:
this appeared after I opened the chrome browser newest version. How ridiculous to get this blocked!!!

Version-Release number of selected component:
selinux-policy-3.13.1-105.11.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.3-200.fc21.x86_64
type:           libreport

Comment 24 vnc 2015-04-20 10:29:54 UTC
Description of problem:
Open Chrome-browser via Gnome
Open "Files" via Gnome

Version-Release number of selected component:
selinux-policy-3.13.1-105.11.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.3-200.fc21.x86_64
type:           libreport

Comment 25 Davide Repetto 2015-04-20 14:51:56 UTC
Description of problem:
Opening Chrome Beta gives the error.

Version-Release number of selected component:
selinux-policy-3.13.1-105.11.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.3-200.fc21.x86_64
type:           libreport

Comment 26 Davide Repetto 2015-04-20 14:53:08 UTC
Bug 581256 had fixed this problem that now seems to be back...

Comment 27 Yago Souza Oliveira 2015-04-20 16:55:34 UTC
Description of problem:
Open a Chrome

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.3-200.fc21.x86_64
type:           libreport

Comment 28 Scott R. Godin 2015-04-21 20:41:39 UTC
(In reply to Jan Vesely from comment #21)
> (In reply to Scott R. Godin from comment #20)
> > notice the dates? I was running chrome right before manually updating it via
> > yum, and restarted it after the update, moments later, and promptly started
> > seeing the messages.
> > 
> > _Chrome problem_. Please follow up with:
> > https://code.google.com/p/chromium/issues/detail?id=477329
> 
> it'd be easier to do if the link you keep posting was not access restricted
> ("403. That’s an error.")

doesn't seem to be here -- I can view the ticket whether I'm logged into Gmail or not. Possibly there's a network outage for you at the time you were accessing this?

Some other issue?

Comment 29 cbluth 2015-04-23 15:58:59 UTC
Description of problem:
opened chrome

Version-Release number of selected component:
selinux-policy-3.13.1-105.11.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.3-200.fc21.x86_64
type:           libreport

Comment 30 Markus Schulze 2015-04-24 21:03:21 UTC
Description of problem:
Started chrome with chrome addon "Inbox by Gmail"

Version-Release number of selected component:
selinux-policy-3.13.1-105.11.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.3-200.fc21.x86_64
type:           libreport

Comment 31 Joshua M. Hughes 2015-04-26 13:05:41 UTC
Description of problem:
Google Hangouts Chrome Plugin started.

Version-Release number of selected component:
selinux-policy-3.13.1-105.13.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.4-200.fc21.x86_64
type:           libreport

Comment 32 Andrey Shedko 2015-04-28 07:32:11 UTC
Description of problem:
On chrome startup, after a system update.

Version-Release number of selected component:
selinux-policy-3.13.1-105.13.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.1-201.fc21.x86_64
type:           libreport

Comment 33 Andrey Shedko 2015-04-28 09:48:03 UTC
Description of problem:
On login. Chrome running.

Version-Release number of selected component:
selinux-policy-3.13.1-105.13.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.1-201.fc21.x86_64
type:           libreport

Comment 34 ibekwe.victor 2015-04-28 11:46:39 UTC
Description of problem:
1. Installed Intel Graphics Installer with Fedora default software manager and rebooted the system.
2. Opened chrome which was previously closed abruptly while rebooting the computer.
3. Apparition of the SELinux chrome-sandbox write accesses message.

* I don't know if this problem can be reproduced.

Version-Release number of selected component:
selinux-policy-3.13.1-105.11.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.3-200.fc21.x86_64
type:           libreport

Comment 35 David Poulsen 2015-04-29 08:38:59 UTC
Description of problem:
Installed Google Chrome

Version-Release number of selected component:
selinux-policy-3.13.1-105.13.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.5-200.fc21.x86_64
type:           libreport

Comment 36 cigefi 2015-04-29 16:25:47 UTC
Description of problem:
I launched Google Chrome and then the problem occurred

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.5-200.fc21.x86_64
type:           libreport

Comment 37 philbates35 2015-04-30 09:24:54 UTC
Description of problem:
Every time I open Chrome this message appears in the notification tray.

I am using the official Google Chrome repository, version 42.0.2311.135-1.

Version-Release number of selected component:
selinux-policy-3.13.1-105.13.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.4-200.fc21.x86_64
type:           libreport

Comment 38 Miroslav Grepl 2015-05-12 09:54:07 UTC

*** This bug has been marked as a duplicate of bug 896177 ***

