Description of problem:
start Google Chrome beta

SELinux is preventing google-chrome-b from 'create' accesses on the file 63.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that google-chrome-b should be allowed create access on the 63 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'google-chrome-b' --raw | audit2allow -M my-googlechromeb
# semodule -X 300 -i my-googlechromeb.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:unconfined_t:s0
Target Objects                63 [ file ]
Source                        google-chrome-b
Source Path                   google-chrome-b
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-185.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.7.0-0.rc0.git5.2.fc25.x86_64 #1 SMP Sat May 21 06:07:29 UTC 2016 x86_64 x86_64
Alert Count                   15
First Seen                    2016-05-22 04:05:05 BST
Last Seen                     2016-05-25 00:08:01 BST
Local ID                      c97b150a-b97a-4e0d-8e6b-3994a835f523

Raw Audit Messages
type=AVC msg=audit(1464131281.895:415): avc: denied { create } for pid=5116 comm="google-chrome-b" name="63" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_t:s0 tclass=file permissive=0

Hash: google-chrome-b,unconfined_t,unconfined_t,file,create

Version-Release number of selected component:
selinux-policy-3.13.1-185.fc24.noarch

Additional info:
reporter:       libreport-2.7.0
hashmarkername: setroubleshoot
kernel:         4.7.0-0.rc0.git5.2.fc25.x86_64
reproducible:   Not sure how to reproduce the problem
type:           libreport
This is happening to me on each start since Monday (when I first got 4.7.x kernel):

SELinux is preventing google-chrome-b from create access on the file 63.

*****  Plugin catchall (100. confidence) suggests   **************************

If sie denken, dass es google-chrome-b standardmäßig erlaubt sein sollte, create Zugriff auf 63 file zu erhalten.
Then sie sollten dies als Fehler melden.
Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen.
Do
allow this access for now by executing:
# ausearch -c 'google-chrome-b' --raw | audit2allow -M my-googlechromeb
# semodule -X 300 -i my-googlechromeb.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:unconfined_t:s0
Target Objects                63 [ file ]
Source                        google-chrome-b
Source Path                   google-chrome-b
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.7.2-201.fc24.x86_64 #1 SMP Fri Aug 26 15:58:40 UTC 2016 x86_64 x86_64
Alert Count                   23
First Seen                    2016-09-06 08:15:34 CEST
Last Seen                     2016-09-07 08:18:44 CEST
Local ID                      3e0746fb-6d48-446e-a444-e1596b4b8d32

Raw Audit Messages
type=AVC msg=audit(1473229124.541:278): avc: denied { create } for pid=24550 comm="google-chrome-b" name="63" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_t:s0 tclass=file permissive=0

Hash: google-chrome-b,unconfined_t,unconfined_t,file,create
Is this a low priority, as it impacts all users of Chrome as it does not leave the browser in the same state it was left on following a reboot?
This AVC is not causing an issue. The call ends up succeeding. The browser not being in the same state is unrelated to this AVC. We should be adding a dontaudit rule. Processes are not able to "create" files in /proc, which is what this AVC is reporting. A change was made to the kernel to report these AVCs when a process tries to open(CREATE) a file that already exists. This AVC is generated but the actual open command succeeds.
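A triage sketch for the pattern described in the comment above, added here as an example and not part of the original bug thread or of setroubleshoot. It parses raw AVC records and separates "create on a file whose target type equals the source domain type" (the shape of both records in this report) from other create denials; that type-match rule is a heuristic assumed from these two records, and the httpd line is constructed for contrast.

```python
import re

# First two records are copied from the reports above; the third is constructed.
SAMPLE = [
    'type=AVC msg=audit(1464131281.895:415): avc: denied { create } for pid=5116 comm="google-chrome-b" name="63" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1473229124.541:278): avc: denied { create } for pid=24550 comm="google-chrome-b" name="63" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1473229200.100:300): avc: denied { create } for pid=900 comm="httpd" name="upload.tmp" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None if not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    return rec


def context_type(ctx):
    """Third field of user:role:type:level is the SELinux type."""
    return ctx.split(':')[2]


def report_hash(rec):
    """Same field order as the 'Hash:' line in the reports above."""
    return ','.join([rec['comm'], context_type(rec['scontext']),
                     context_type(rec['tcontext']), rec['tclass'],
                     ' '.join(rec['perms'])])


def is_self_typed_create(rec):
    """Heuristic (assumption): create on a file labelled with the caller's own
    domain type, as happens for entries under the process's /proc directory."""
    return (rec['perms'] == ['create'] and rec.get('tclass') == 'file'
            and context_type(rec['scontext']) == context_type(rec['tcontext']))


def triage(lines):
    """Split denials into likely /proc O_CREAT noise and ones needing review."""
    out = {'noise': [], 'review': []}
    for rec in filter(None, map(parse_avc, lines)):
        out['noise' if is_self_typed_create(rec) else 'review'].append(report_hash(rec))
    return out


if __name__ == '__main__':
    print(triage(SAMPLE))
```

Records in the "review" bucket are the ones where a local audit2allow module would actually change what a confined process can write, so they deserve a look before any allow rule is loaded.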
*** This bug has been marked as a duplicate of bug 1345836 ***