Bug 1370098 - SELinux is preventing google-chrome-s from 'create' accesses on the file 63.
Summary: SELinux is preventing google-chrome-s from 'create' accesses on the file 63.
Keywords:
Status: CLOSED DUPLICATE of bug 1345836
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 24
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:a860b9cf7ea49b9731e3a1b8248...
Duplicates: 1373284 1373861 1374930 1374952 1375019 1376612 1377979 1378377
Depends On:
Blocks:
Reported: 2016-08-25 10:24 UTC by Anthony Messina
Modified: 2016-09-22 10:07 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1345836
Environment:
Last Closed: 2016-09-08 19:17:53 UTC
Type: ---



Description Anthony Messina 2016-08-25 10:24:55 UTC
+++ This bug was initially created as a clone of Bug #1345836 +++

Description of problem:
latest chrome

7880:7880:0613/104503:ERROR:shared_memory_posix.cc(290)] Creating shared memory in /dev/shm/.com.google.Chrome.aGwmG9 failed: Permission denied
[7880:7880:0613/104503:ERROR:shared_memory_posix.cc(293)] Unable to access(W_OK|X_OK) /dev/shm: Permission denied
[7880:7880:0613/104503:FATAL:shared_memory_posix.cc(295)] This is frequently caused by incorrect permissions on /dev/shm.  Try 'sudo chmod 1777 /dev/shm' to fix.
Aborted (core dumped)
SELinux is preventing google-chrome-s from 'create' accesses on the file 63.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that google-chrome-s should be allowed create access on the 63 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'google-chrome-s' --raw | audit2allow -M my-googlechromes
# semodule -X 300 -i my-googlechromes.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Context                unconfined_u:object_r:unconfined_t:s0
Target Objects                63 [ file ]
Source                        google-chrome-s
Source Path                   google-chrome-s
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-194.fc25.noarch selinux-
                              policy-3.13.1-195.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.7.0-0.rc2.git1.1.fc25.x86_64 #1
                              SMP Tue Jun 7 13:28:43 UTC 2016 x86_64 x86_64
Alert Count                   5
First Seen                    2016-05-26 15:42:46 BST
Last Seen                     2016-06-13 10:28:38 BST
Local ID                      451ced9a-8fe3-4a2b-9718-57c538f7c220

Raw Audit Messages
type=AVC msg=audit(1465810118.119:243): avc:  denied  { create } for  pid=7433 comm="google-chrome-s" name="63" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_t:s0 tclass=file permissive=0


Hash: google-chrome-s,unconfined_t,unconfined_t,file,create

Version-Release number of selected component:
selinux-policy-3.13.1-194.fc25.noarch
selinux-policy-3.13.1-195.fc25.noarch

Additional info:
reporter:       libreport-2.7.1
hashmarkername: setroubleshoot
kernel:         4.7.0-0.rc2.git1.1.fc25.x86_64
reproducible:   Not sure how to reproduce the problem
type:           libreport

--- Additional comment from Daniel Walsh on 2016-06-13 12:00:07 EDT ---

Fixed in selinux-policy-3.13.1-196.fc25.noarch



This also affects Fedora 24 with selinux-policy-3.13.1-191.12.fc24

Comment 1 bakmenson 2016-09-03 08:08:49 UTC
Description of problem:
1. Updated kernel from 4.6 to 4.7.2-201.fc24.x86_64
2. Reboot system
3. Started google-chrome 53.0.2785.89 (64-bit)

Version-Release number of selected component:
selinux-policy-3.13.1-191.14.fc24.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.7.2-201.fc24.x86_64
type:           libreport

Comment 2 Terry A. Hurlbut 2016-09-03 13:36:49 UTC
Description of problem:
This problem occurred after I:
(a) Upgraded to the now-current version of the kernel (4.7.2-201.fc24.x86_64),
(b) Shut down and restarted the machine, and finally
(c) Started Google Chrome.


Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.7.2-201.fc24.x86_64
type:           libreport

Comment 3 SteveCr48 2016-09-03 13:57:47 UTC
Please see https://bugzilla.redhat.com/show_bug.cgi?id=1345836 

This bug was "fixed in selinux-policy-3.13.1-196.fc25.noarch". Hopefully, it will be backported into Fedora 24.

Comment 4 bakmenson 2016-09-03 14:25:36 UTC
(In reply to SteveCr48 from comment #3)
> Please see https://bugzilla.redhat.com/show_bug.cgi?id=1345836 
> 
> This bug was "fixed in selinux-policy-3.13.1-196.fc25.noarch". Hopefully, it
> will be backported into Fedora 24.

Thank you.

Comment 5 Debabrata Deb 2016-09-04 09:08:43 UTC
Description of problem:
Was trying to start Google Chrome (google-chrome-stable-53.0.2785.92-1.x86_64) from the 'Applications' menu.

Version-Release number of selected component:
selinux-policy-3.13.1-191.14.fc24.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.7.2-201.fc24.x86_64
type:           libreport

Comment 6 Edward 2016-09-04 15:36:52 UTC
Description of problem:
Launched google-chrome-stable, prompts for password to unlock keyring.

Version-Release number of selected component:
selinux-policy-3.13.1-191.14.fc24.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.7.2-201.fc24.x86_64
type:           libreport

Comment 7 Wolfgang Rupprecht 2016-09-04 19:56:51 UTC
Description of problem:
Starting up google-chrome-stable appears to have caused this.

Version-Release number of selected component:
selinux-policy-3.13.1-191.14.fc24.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.7.2-201.fc24.x86_64
type:           libreport

Comment 8 Karl Kowallis 2016-09-05 04:10:55 UTC
Description of problem:
Initial startup of computer; after logging in, start Chrome and receive SELinux alert about denied access.

I can't tell if the denial causes any problems. I haven't noticed any.

Version-Release number of selected component:
selinux-policy-3.13.1-191.14.fc24.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.7.2-201.fc24.x86_64
type:           libreport

Comment 9 Edward 2016-09-05 14:11:00 UTC
Could this possibly be related to the 4.7.2 kernel? 

I just booted up using the previously-installed kernel (4.6.7, I believe), launched Chrome and it started fine. The box about the keyring not unlocking did not appear.

Comment 10 kj4ohh 2016-09-05 18:07:50 UTC
Description of problem:
SELinux violation every time I start Chrome now.

Version-Release number of selected component:
selinux-policy-3.13.1-191.14.fc24.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.7.2-201.fc24.x86_64
type:           libreport

Comment 11 Rafael Rodrigues 2016-09-05 18:09:23 UTC
*** Bug 1373284 has been marked as a duplicate of this bug. ***

Comment 12 Leonardo Avellar 2016-09-06 04:56:51 UTC
Description of problem:
Latest update (Google Chrome 53.0.2785.92) after installing and rebooting made this warning appear. Don't know the possible causes nor the consequences of this warning.


Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.7.2-201.fc24.x86_64
type:           libreport

Comment 13 Daniel Walsh 2016-09-06 12:44:16 UTC
There is a new check in the latest kernel which is causing this issue. Basically, the "create" check is happening even if the file already exists. This is causing the SELinux issue; since creating files in /proc is not allowed, we don't allow it in policy. Nothing is actually blocked by this AVC, since the file does not actually need to be created. We have added a dontaudit rule for this in Rawhide, and we need to backport this to older versions of Fedora.
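
An added example, not part of the original thread and not Fedora's or setroubleshoot's own code: a small Python triage script that parses raw AVC records, rebuilds the comm,source type,target type,class,permission signature shown on the report's "Hash:" line, and flags denials that match the pattern described in comment 13. The second log record, the function names and the flagging heuristic are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample input: the first record is the raw AVC quoted in this bug;
# the second is an invented, unrelated denial used as a contrast case.
SAMPLE_AUDIT_LOG = '''\
type=AVC msg=audit(1465810118.119:243): avc:  denied  { create } for  pid=7433 comm="google-chrome-s" name="63" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_t:s0 tclass=file permissive=0
type=AVC msg=audit(1465810200.001:250): avc:  denied  { read write } for  pid=900 comm="exampled" name="data.db" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    # An SELinux context is user:role:type:level; the type is the third field.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def signature(rec):
    """comm,source type,target type,class,perms: the layout of the 'Hash:' line."""
    return ','.join([rec['comm'], rec['stype'], rec['ttype'],
                     rec['tclass'], ' '.join(rec['perms'])])

def is_spurious_create(rec):
    """Heuristic (assumption): 'create' on a file labelled with the caller's own
    domain type, as /proc/<pid> entries are, matches the pattern in comment 13."""
    return (rec['perms'] == ['create'] and rec['tclass'] == 'file'
            and rec['ttype'] == rec['stype'])

def triage(log_text):
    """Group denials by signature and mark which groups match the heuristic."""
    recs = [r for r in map(parse_avc, log_text.splitlines()) if r]
    counts = Counter(signature(r) for r in recs)
    flagged = {signature(r) for r in recs if is_spurious_create(r)}
    return [(sig, n, sig in flagged) for sig, n in counts.items()]

if __name__ == '__main__':
    for sig, n, spurious in triage(SAMPLE_AUDIT_LOG):
        print(f'{n:3d}  {"likely-noise" if spurious else "review":12s}  {sig}')
```

Denials that are not flagged still need individual review; the heuristic only separates this one pattern from the rest of the audit log.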

Comment 14 Fredao 2016-09-06 17:15:46 UTC
Description of problem:
Launching Google, this error message appeared.

Version-Release number of selected component:
selinux-policy-3.13.1-191.14.fc24.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.7.2-201.fc24.x86_64
type:           libreport

Comment 15 Nikita Bige 2016-09-07 10:04:58 UTC
*** Bug 1373861 has been marked as a duplicate of this bug. ***

Comment 16 Wayne Roberts 2016-09-07 12:30:41 UTC
Description of problem:
Installed latest google chrome and received a selinux warning

Version-Release number of selected component:
selinux-policy-3.13.1-191.14.fc24.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.7.2-201.fc24.x86_64
type:           libreport

Comment 17 Steven Reid 2016-09-07 16:22:16 UTC
Description of problem:
When I open up Chrome I am asked to enter passwords. It will not allow me to enter passwords; the black box where the passwords are entered just hangs.

Version-Release number of selected component:
selinux-policy-3.13.1-191.14.fc24.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.7.2-201.fc24.x86_64
type:           libreport

Comment 18 David Parra 2016-09-07 20:33:25 UTC
Description of problem:
Just started and launched Google Chrome

Version-Release number of selected component:
selinux-policy-3.13.1-191.14.fc24.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.7.2-201.fc24.x86_64
type:           libreport

Comment 19 madbuffalo 2016-09-08 02:07:27 UTC
Description of problem:
Open Chrome 53.0.2785.92 (64-bit)

Version-Release number of selected component:
selinux-policy-3.13.1-191.14.fc24.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.7.2-201.fc24.x86_64
type:           libreport

Comment 20 Lee Lian Hoy 2016-09-08 02:16:30 UTC
Description of problem:
Start Chrome
Happened after updating to Version 53.0.2785.92 (64-bit)

Version-Release number of selected component:
selinux-policy-3.13.1-191.14.fc24.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.7.2-201.fc24.x86_64
type:           libreport

Comment 21 Daniel Walsh 2016-09-08 19:17:53 UTC

*** This bug has been marked as a duplicate of bug 1345836 ***

Comment 22 Ashesh Singh 2016-09-10 15:24:33 UTC
*** Bug 1374930 has been marked as a duplicate of this bug. ***

Comment 23 padrebrunoalmeida@gmail.com 2016-09-10 21:55:43 UTC
*** Bug 1374952 has been marked as a duplicate of this bug. ***

Comment 24 anickajur373 2016-09-11 19:56:40 UTC
*** Bug 1375019 has been marked as a duplicate of this bug. ***

Comment 25 Alessandro Machado 2016-09-15 22:51:56 UTC
*** Bug 1376612 has been marked as a duplicate of this bug. ***

Comment 26 Carmine Fabrizio 2016-09-21 08:33:50 UTC
*** Bug 1377979 has been marked as a duplicate of this bug. ***

Comment 27 Sohail Germanwala 2016-09-22 10:07:12 UTC
*** Bug 1378377 has been marked as a duplicate of this bug. ***
