Bug 1200565 - SELinux is preventing chrome-sandbox from 'write' accesses on the file oom_score_adj.
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 24
Hardware: x86_64
OS: Unspecified
medium
high
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:970de26506863147140f7a67a03...
Depends On:
Blocks:
Reported: 2015-03-10 20:46 UTC by Mikhail
Modified: 2016-11-01 14:44 UTC
CC: 42 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-10-31 21:42:14 UTC
Type: ---
Embargoed:



Description Mikhail 2015-03-10 20:46:52 UTC
Description of problem:
SELinux is preventing chrome-sandbox from 'write' accesses on the file oom_score_adj.

*****  Plugin chrome (98.5 confidence) suggests   ****************************

If you want to use the plugin package
Then you must turn off SELinux controls on the Chrome plugins.
Do
# setsebool -P unconfined_chrome_sandbox_transition 0

*****  Plugin catchall (2.46 confidence) suggests   **************************

If you believe that chrome-sandbox should be allowed write access on the oom_score_adj file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep chrome-sandbox /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                oom_score_adj [ file ]
Source                        chrome-sandbox
Source Path                   chrome-sandbox
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-116.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.0.0-0.rc2.git0.1.fc22.x86_64 #1 SMP Tue Mar 3 21:24:17 UTC 2015 x86_64 x86_64
Alert Count                   141
First Seen                    2015-03-11 01:18:37 YEKT
Last Seen                     2015-03-11 01:45:54 YEKT
Local ID                      5ad89153-4afd-4cff-b59a-aca8bcfcf679

Raw Audit Messages
type=AVC msg=audit(1426020354.763:876): avc:  denied  { write } for  pid=7673 comm="chrome-sandbox" name="oom_score_adj" dev="proc" ino=199187 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file permissive=0


Hash: chrome-sandbox,chrome_sandbox_t,unconfined_t,file,write

Version-Release number of selected component:
selinux-policy-3.13.1-116.fc22.noarch

Additional info:
reporter:       libreport-2.4.0
hashmarkername: setroubleshoot
kernel:         4.0.0-0.rc2.git0.1.fc22.x86_64
type:           libreport

Potential duplicate: bug 896177

Comment 1 Lukas Vrabec 2015-03-11 15:21:22 UTC
If you want to use the plugin package
Then you must turn off SELinux controls on the Chrome plugins.
Do
# setsebool -P unconfined_chrome_sandbox_transition 0

Comment 2 Mikhail 2015-03-11 18:24:36 UTC
Where can I read what this flag allows doing with the system?
If this is not top secret, this information may be displayed in SEAlert :)
And why do other Chromium-based browsers, Opera and Vivaldi, not cause this alert?

Comment 3 Joseph Bowman 2015-03-14 20:28:10 UTC
Description of problem:
I was attempting to run a Google Chrome app from the launch menu... See attached screenshot. The app is to Do List

Version-Release number of selected component:
selinux-policy-3.13.1-116.fc22.noarch

Additional info:
reporter:       libreport-2.4.0
hashmarkername: setroubleshoot
kernel:         4.0.0-0.rc1.git0.1.fc22.x86_64
type:           libreport

Comment 4 Scott R. Godin 2015-04-15 13:54:53 UTC
to follow up, this was also reported much earlier as https://bugzilla.redhat.com/show_bug.cgi?id=581256 wherein a great deal of additional discourse explains why this bug is not fixed in SELinux and should be fixed by Chrome developers. please report this bug to Google.

Comment 5 Scott R. Godin 2015-04-15 14:09:03 UTC
reported to google at : https://code.google.com/p/chromium/issues/detail?id=477329

Comment 6 zcoalminer 2015-04-21 09:10:54 UTC
Description of problem:
I was just using the latest version, how ridiculous to get it blocked!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Version-Release number of selected component:
selinux-policy-3.13.1-122.fc22.noarch

Additional info:
reporter:       libreport-2.5.1
hashmarkername: setroubleshoot
kernel:         4.0.0-0.rc5.git4.1.fc22.x86_64
type:           libreport

Comment 7 Lukas Vrabec 2015-04-22 13:55:06 UTC
We won't allow this. 
Here is the explanation: https://code.google.com/p/chromium/issues/detail?id=477329#c5

Comment 8 deadrat 2015-04-23 13:32:39 UTC
Description of problem:
Just opened google chrome stable and was browsing the internet.

Version-Release number of selected component:
selinux-policy-3.13.1-119.fc22.noarch

Additional info:
reporter:       libreport-2.5.0
hashmarkername: setroubleshoot
kernel:         4.0.0-0.rc5.git4.1.fc22.x86_64
type:           libreport

Comment 9 Heiko Adams 2015-04-25 17:14:58 UTC
Description of problem:
Started Google Chrome first time

Version-Release number of selected component:
selinux-policy-3.13.1-122.fc22.noarch

Additional info:
reporter:       libreport-2.5.1
hashmarkername: setroubleshoot
kernel:         4.0.0-1.fc22.x86_64
type:           libreport

Comment 10 Cosimo Cecchi 2015-04-25 17:21:01 UTC
Description of problem:
opening google-chrome

Version-Release number of selected component:
selinux-policy-3.13.1-122.fc22.noarch

Additional info:
reporter:       libreport-2.5.1
hashmarkername: setroubleshoot
kernel:         4.0.0-1.fc22.x86_64
type:           libreport

Comment 11 Cosimo Cecchi 2015-04-25 17:21:41 UTC
Description of problem:
opening chrome

Version-Release number of selected component:
selinux-policy-3.13.1-122.fc22.noarch

Additional info:
reporter:       libreport-2.5.1
hashmarkername: setroubleshoot
kernel:         4.0.0-1.fc22.x86_64
type:           libreport

Comment 12 Cosimo Cecchi 2015-04-25 17:22:26 UTC
Description of problem:
clicking on a link in gmail inside chrome

Version-Release number of selected component:
selinux-policy-3.13.1-122.fc22.noarch

Additional info:
reporter:       libreport-2.5.1
hashmarkername: setroubleshoot
kernel:         4.0.0-1.fc22.x86_64
type:           libreport

Comment 13 Adam Goode 2015-04-25 18:30:06 UTC
Description of problem:
Running Chrome 42 (Version 42.0.2311.90 (64-bit))

Version-Release number of selected component:
selinux-policy-3.13.1-122.fc22.noarch

Additional info:
reporter:       libreport-2.5.1
hashmarkername: setroubleshoot
kernel:         4.0.0-1.fc22.x86_64
type:           libreport

Comment 14 Elemer Gazda 2015-04-26 08:08:30 UTC
Description of problem:
Just installed Chrome from command

cat << EOF > /etc/yum.repos.d/google-chrome.repo
[google-chrome]
name=google-chrome - \$basearch
baseurl=http://dl.google.com/linux/chrome/rpm/stable/\$basearch
enabled=1
gpgcheck=1
gpgkey=https://dl-ssl.google.com/linux/linux_signing_key.pub
EOF

sudo dnf install google-chrome-stable -y

and this came up at first use.

Version-Release number of selected component:
selinux-policy-3.13.1-122.fc22.noarch

Additional info:
reporter:       libreport-2.5.1
hashmarkername: setroubleshoot
kernel:         4.0.0-1.fc22.x86_64
type:           libreport

Comment 15 Joshua Escamilla 2015-05-08 06:55:54 UTC
Description of problem:
It happened when I opened Google Chrome for the first time on a fresh install.

Version-Release number of selected component:
selinux-policy-3.13.1-122.fc22.noarch

Additional info:
reporter:       libreport-2.5.1
hashmarkername: setroubleshoot
kernel:         4.0.0-0.rc5.git4.1.fc22.x86_64
type:           libreport

Comment 17 Sarto 2015-05-29 09:20:03 UTC
Description of problem:
The problem started when starting GOOGLE CHROME

Version-Release number of selected component:
selinux-policy-3.13.1-126.fc22.noarch

Additional info:
reporter:       libreport-2.5.1
hashmarkername: setroubleshoot
kernel:         4.0.4-301.fc22.x86_64
type:           libreport

Comment 18 Chester 2015-05-29 18:17:30 UTC
Description of problem:
Just open the chrome browser or a new tab in the chrome browser.

May need plugins/extensions/apps enabled.

Version-Release number of selected component:
selinux-policy-3.13.1-126.fc22.noarch

Additional info:
reporter:       libreport-2.5.1
hashmarkername: setroubleshoot
kernel:         4.0.4-301.fc22.x86_64
type:           libreport

Comment 19 William Biggs 2015-05-30 16:19:24 UTC
Description of problem:
Every time I open google chrome

Version-Release number of selected component:
selinux-policy-3.13.1-126.fc22.noarch

Additional info:
reporter:       libreport-2.5.1
hashmarkername: setroubleshoot
kernel:         4.0.4-301.fc22.x86_64
type:           libreport

Comment 20 Aleksi Johansson 2015-05-31 13:23:32 UTC
Description of problem:
After installing Google Chrome from the official RPM package and running the Google Chrome program, this error appeared.

Version-Release number of selected component:
selinux-policy-3.13.1-126.fc22.noarch

Additional info:
reporter:       libreport-2.5.1
hashmarkername: setroubleshoot
kernel:         4.0.4-301.fc22.x86_64
type:           libreport

Comment 21 circuitsoft 2015-05-31 15:05:34 UTC
So the bug is with Chrome, as it is bad practice on their end?

Comment 22 Miroslav Grepl 2015-06-01 10:31:10 UTC
commit 32dc28f64b14a4006f0d4cd107ff1f0903c5b7c5
Author: Miroslav Grepl <mgrepl>
Date:   Wed May 13 13:11:46 2015 +0200

    Dontaudit chrome-sandbox write access to its parent process information. BZ(1220958)

Comment 23 Patrick G Horneker 2015-06-03 00:20:47 UTC
Description of problem:
The selinux message surfaced when I launched Google Chrome after a fresh install of Fedora 22.

Version-Release number of selected component:
selinux-policy-3.13.1-126.fc22.noarch

Additional info:
reporter:       libreport-2.5.1
hashmarkername: setroubleshoot
kernel:         4.0.4-303.fc22.x86_64
type:           libreport

Comment 24 Christopher Wambugu 2015-06-03 17:17:08 UTC
Description of problem:
Happened when Google Chrome is launched for the first time. Maybe it tries to set itself as the default browser?

Version-Release number of selected component:
selinux-policy-3.13.1-126.fc22.noarch

Additional info:
reporter:       libreport-2.5.1
hashmarkername: setroubleshoot
kernel:         4.0.4-303.fc22.x86_64
type:           libreport

Comment 25 RMSQ 2015-06-04 19:41:22 UTC
Description of problem:
Open Browser google Chrome

Version-Release number of selected component:
selinux-policy-3.13.1-126.fc22.noarch

Additional info:
reporter:       libreport-2.5.1
hashmarkername: setroubleshoot
kernel:         4.0.4-303.fc22.x86_64
type:           libreport

Comment 26 PMazaingue 2015-06-15 08:42:46 UTC
Description of problem:
Chrome startup

Version-Release number of selected component:
selinux-policy-3.13.1-126.fc22.noarch

Additional info:
reporter:       libreport-2.5.1
hashmarkername: setroubleshoot
kernel:         4.0.4-301.fc22.x86_64
type:           libreport

Comment 27 Peter Parsons 2015-07-08 12:51:41 UTC
Description of problem:
By starting chrome for the first time.

Version-Release number of selected component:
selinux-policy-3.13.1-122.fc22.noarch

Additional info:
reporter:       libreport-2.5.1
hashmarkername: setroubleshoot
kernel:         4.0.4-301.fc22.x86_64+debug
type:           libreport

Comment 28 Maxim Shelekhov 2015-07-31 12:28:11 UTC
Description of problem:
I launched Chrome for the first time, Google login screen appeared and then the error occurred.

Version-Release number of selected component:
selinux-policy-3.13.1-122.fc22.noarch
selinux-policy-3.13.1-128.8.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.0.4-301.fc22.x86_64
type:           libreport

Comment 29 Rishi Anand 2015-08-05 18:23:06 UTC
Description of problem:
Google Chrome crashed on start

Version-Release number of selected component:
selinux-policy-3.13.1-122.fc22.noarch

Additional info:
reporter:       libreport-2.5.1
hashmarkername: setroubleshoot
kernel:         4.0.4-301.fc22.x86_64
type:           libreport

Comment 30 Numb95 2015-09-24 09:24:50 UTC
Description of problem:
just opened chrome and after that SELinux showed me a security issue and it showed me it cannot write to some files

Version-Release number of selected component:
selinux-policy-3.13.1-122.fc22.noarch

Additional info:
reporter:       libreport-2.5.1
hashmarkername: setroubleshoot
kernel:         4.0.4-301.fc22.x86_64
type:           libreport

Comment 31 Daniel Walsh 2015-09-28 11:34:44 UTC
We should adjust the label on oom_score_adj

Comment 32 Jan Kurik 2016-02-24 15:48:52 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle.
Changing version to '24'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase

Comment 33 hx 2016-10-22 10:18:00 UTC
Any updates here?

Comment 34 Scott R. Godin 2016-10-28 20:30:39 UTC
according to the final comment at https://bugs.chromium.org/p/chromium/issues/detail?id=477329 

"Restricting further comments.

As explained in https://code.google.com/p/chromium/issues/detail?id=477329#c5 https://code.google.com/p/chromium/issues/detail?id=477329#c8 and  https://code.google.com/p/chromium/issues/detail?id=477329#c11 this is working as intended."

so, google says 'works as intended'. *cough* 

https://bugzilla.redhat.com/show_bug.cgi?id=581256 (earlier discussion of this) says it's a google-chrome issue not an selinux issue.

I dunno who to believe at this point.

Comment 35 Daniel Walsh 2016-10-29 10:09:08 UTC
I would say it is a difference of opinion.  From Google's perspective they are just allowing the chrome-sandbox to tell the kernel to pick it when looking to kill processes on the system if they run out of memory.  But from the SELinux point of view we cannot tell the difference between the chrome browser and other processes on the system.  From a MAC point of view, this would say allow the chrome-sandbox to pick any other user process to kill if running out of memory.

But even worse than this, it says that the chrome-sandbox could write to the /proc of every process in the user session.

If we want to control the chrome-sandbox from a MAC perspective, we don't want to allow this.  Bottom line both sides are in some ways correct.

This is why you have a boolean and a dontaudit rule.  If you don't want MAC confinement of the chrome sandbox then you can disable it using

# setsebool -P unconfined_chrome_sandbox_transition 0

Or you can ignore the problem with a dontaudit rule and the chrome-sandbox will not be able to say PICKME for killing in an out of memory situation.
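Added triage example (not code from the bug report or from the selinux-policy project): it parses raw AVC records in the format quoted in the description and flags the specific chrome_sandbox_t to unconfined_t write to oom_score_adj that this report is about, so a triager can separate this known, policy-expected denial from a new one. The sample log lines are constructed; the first is the record from the report.

```python
"""Triage helper for the AVC record format quoted in this bug's description."""
import re

# Constructed sample log: the denial from the report, one unrelated denial,
# and a non-AVC record that the parser must skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1426020354.763:876): avc:  denied  { write } for  pid=7673 comm="chrome-sandbox" name="oom_score_adj" dev="proc" ino=199187 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file permissive=0
type=AVC msg=audit(1426020400.000:877): avc:  denied  { read } for  pid=8001 comm="chrome-sandbox" name="shadow" dev="sda1" ino=12 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1426020354.763:876): arch=c000003e syscall=2 success=no exit=-13
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial into a dict; return None for non-AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    # The SELinux type is the third colon-separated field of a context.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def classify(rec):
    """Label the one denial this report is about; anything else is 'unknown'.

    The target type is unconfined_t, not a chrome-specific type, which is why
    the policy treats this write as "sandbox may touch any user process" and
    handles it with a dontaudit rule or the boolean rather than an allow rule.
    """
    if (rec['stype'] == 'chrome_sandbox_t' and rec['ttype'] == 'unconfined_t'
            and rec.get('name') == 'oom_score_adj' and rec.get('dev') == 'proc'
            and rec.get('tclass') == 'file' and rec['perms'] == ['write']):
        return 'known-wontfix: chrome-sandbox oom_score_adj write'
    return 'unknown'


def triage(log_text):
    """Return (comm, target name, label) for every AVC denial in the log."""
    recs = [r for r in map(parse_avc, log_text.splitlines()) if r]
    return [(r.get('comm'), r.get('name'), classify(r)) for r in recs]


if __name__ == '__main__':
    for comm, name, label in triage(SAMPLE_AUDIT_LOG):
        print(f'{comm}: {name}: {label}')
```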

Comment 36 Lukas Vrabec 2016-10-31 21:42:14 UTC
Closing this BZ as WONTFIX, for more info see comment #35 or http://danwalsh.livejournal.com/34903.html

