Description of problem: SELinux is preventing /opt/google/chrome-unstable/chrome from 'watch' accesses on the directory /proc/<pid>. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that chrome should be allowed watch access on the <pid> directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'ThreadPoolForeg' --raw | audit2allow -M my-ThreadPoolForeg # semodule -X 300 -i my-ThreadPoolForeg.pp Additional Information: Source Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Objects /proc/<pid> [ dir ] Source ThreadPoolForeg Source Path /opt/google/chrome-unstable/chrome Port <Unknown> Host (removed) Source RPM Packages google-chrome-unstable-91.0.4469.4-1.x86_64 Target RPM Packages SELinux Policy RPM selinux-policy-targeted-3.14.8-7.fc35.noarch Local Policy RPM selinux-policy-targeted-3.14.8-7.fc35.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 5.12.0-0.rc6.20210408git454859c552 da.186.fc35.x86_64 #1 SMP Thu Apr 8 12:32:09 UTC 2021 x86_64 x86_64 Alert Count 3 First Seen 2021-04-08 04:12:21 +05 Last Seen 2021-04-11 01:32:21 +05 Local ID d6a63963-5da1-44af-b524-fad7a8caf168 Raw Audit Messages type=AVC msg=audit(1618086741.13:454): avc: denied { watch } for pid=10388 comm="ThreadPoolForeg" path="/proc/10388" dev="proc" ino=152261 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir permissive=1 type=SYSCALL msg=audit(1618086741.13:454): arch=x86_64 syscall=inotify_add_watch success=yes exit=ENOMEM a0=18 a1=363c1e230d20 a2=10003cc a3=7ffd8cf4e080 items=1 ppid=10340 pid=10388 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts6 ses=3 comm=ThreadPoolForeg exe=/opt/google/chrome-unstable/chrome subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) type=CWD msg=audit(1618086741.13:454): cwd=/home/mikhail type=PATH msg=audit(1618086741.13:454): item=0 name=/etc/../proc/self inode=152261 dev=00:16 mode=040555 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 Hash: ThreadPoolForeg,unconfined_t,unconfined_t,dir,watch Version-Release number of selected component: selinux-policy-targeted-3.14.8-7.fc35.noarch Additional info: component: selinux-policy reporter: libreport-2.14.0 hashmarkername: setroubleshoot kernel: 5.12.0-0.rc6.20210408git454859c552da.186.fc35.x86_64 type: libreport
Mikhail, Do you have some custom chrome plugins? Did this issue start to appear with some update? Do you see any functionality problem in chrome?
Regardless of that, I think it makes sense to allow this. Basically to add watch_dir_perms to this line in domain.te: allow domain self:dir list_dir_perms; And probably also here: allow unconfined_domain_type domain:dir list_dir_perms;
Ondrej, Thank you, I was thinking in a similar way. Mikhail, I am still interested in the answers, as well as in possibly related bz#1936076 and bz#1936077 to get the picture. I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/692
FEDORA-2021-8d26207af7 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-8d26207af7
FEDORA-2021-8d26207af7 has been pushed to the Fedora 34 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-8d26207af7` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-8d26207af7 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-8d26207af7 has been pushed to the Fedora 34 stable repository. If problem still persists, please make note of it in this bug report.
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days