Bug 2196008 - regression | flooding avc: denied { setcap } | chromium-113.0.5672.63-1.el8
Summary: regression | flooding avc: denied { setcap } | chromium-113.0.5672.63-1.el8
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: chromium
Version: epel8
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Than Ngo
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-05-07 13:15 UTC by Leon Fauster
Modified: 2023-05-29 01:14 UTC
CC List: 5 users

Fixed In Version: chromium-113.0.5672.126-1.fc37 chromium-113.0.5672.126-1.fc38 chromium-113.0.5672.126-1.el9 chromium-113.0.5672.126-1.el7 chromium-113.0.5672.126-1.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-05-22 00:38:19 UTC
Type: Bug
Embargoed:



Description Leon Fauster 2023-05-07 13:15:11 UTC
Description of problem:

Updating chromium from 112.0.5615.165-1.el8 to 113.0.5672.63-1.el8 results in a flood of SELinux AVC denials.

113.0.5672.63-1.el8 is in epel-testing right now


Version-Release number of selected component (if applicable):

# rpm -q chromium
chromium-113.0.5672.63-1.el8.x86_64

Actual results:

# ausearch -m avc  --start recent|grep time|wc -l
3410


# ausearch -m avc  --start recent|tail 
----
time->Sun May  7 15:05:24 2023
type=PROCTITLE msg=audit(1683464724.508:7302): proctitle=2F7573722F6C696236342F6368726F6D69756D2D62726F777365722F6368726F6D69756D2D62726F77736572202D2D747970653D7A79676F7465202D2D63726173687061642D68616E646C65722D7069643D3638383238202D2D656E61626C652D63726173682D7265706F727465723D2C4665646F72612050726F6A65637420
type=SYSCALL msg=audit(1683464724.508:7302): arch=c000003e syscall=126 success=no exit=-13 a0=7ffd7da22980 a1=7ffd7da22960 a2=7f884b3818b8 a3=0 items=0 ppid=68845 pid=72522 auid=1200 uid=1200 gid=1200 euid=1200 suid=1200 fsuid=1200 egid=1200 sgid=1200 fsgid=1200 tty=(none) ses=34 comm="chromium-browse" exe="/usr/lib64/chromium-browser/chromium-browser" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1683464724.508:7302): avc:  denied  { setcap } for  pid=72522 comm="chromium-browse" scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tclass=process permissive=0
----
time->Sun May  7 15:05:24 2023
type=PROCTITLE msg=audit(1683464724.510:7304): proctitle=2F7573722F6C696236342F6368726F6D69756D2D62726F777365722F6368726F6D69756D2D62726F77736572202D2D747970653D7A79676F7465202D2D63726173687061642D68616E646C65722D7069643D3638383238202D2D656E61626C652D63726173682D7265706F727465723D2C4665646F72612050726F6A65637420
type=SYSCALL msg=audit(1683464724.510:7304): arch=c000003e syscall=126 success=no exit=-13 a0=7ffd7da22980 a1=7ffd7da22960 a2=7f884b3818b8 a3=0 items=0 ppid=68845 pid=72523 auid=1200 uid=1200 gid=1200 euid=1200 suid=1200 fsuid=1200 egid=1200 sgid=1200 fsgid=1200 tty=(none) ses=34 comm="chromium-browse" exe="/usr/lib64/chromium-browser/chromium-browser" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1683464724.510:7304): avc:  denied  { setcap } for  pid=72523 comm="chromium-browse" scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tclass=process permissive=0
Expected results:
No AVC alerts

Comment 1 Than Ngo 2023-05-08 08:40:01 UTC
It looks like an SELinux policy issue.

Please try the following command as a workaround: setsebool -P unconfined_chrome_sandbox_transition 0

Comment 2 Zdenek Pytela 2023-05-09 08:44:16 UTC
The denial interpreted:

----
type=PROCTITLE msg=audit(05/07/2023 09:05:24.510:7304) : proctitle=/usr/lib64/chromium-browser/chromium-browser --type=zygote --crashpad-handler-pid=68828 --enable-crash-reporter=,Fedora Project
type=AVC msg=audit(05/07/2023 09:05:24.510:7304) : avc:  denied  { setcap } for  pid=72523 comm=chromium-browse scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tclass=process permissive=0
type=SYSCALL msg=audit(05/07/2023 09:05:24.510:7304) : arch=x86_64 syscall=capset success=no exit=EACCES(Permission denied) a0=0x7ffd7da22980 a1=0x7ffd7da22960 a2=0x7f884b3818b8 a3=0x0 items=0 ppid=68845 pid=72523 auid=unknown(1200) uid=unknown(1200) gid=unknown(1200) euid=unknown(1200) suid=unknown(1200) fsuid=unknown(1200) egid=unknown(1200) sgid=unknown(1200) fsgid=unknown(1200) tty=(none) ses=34 comm=chromium-browse exe=/usr/lib64/chromium-browser/chromium-browser subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

shows capset(2) is being called. Is this a new feature?
Would the following local module help?

# cat local_chromesandbox_capset.cil
(allow chrome_sandbox_t chrome_sandbox_t (process (setcap)))
# semodule -i local_chromesandbox_capset.cil


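The raw records in the description and the interpreted version in comment 2 differ only by the decoding that `ausearch -i` performs (hex proctitle, syscall number 126 to capset, exit -13 to EACCES), and the CIL rule in comment 2 is what `audit2allow` would derive from the scontext/tcontext/tclass/permission tuple. The Python below is an added example, not part of this bug report and not Chromium, audit-userspace or selinux-policy code: it performs both steps offline on the two events quoted above (embedded as a constructed sample) and collapses a flood of denials into the distinct rules they call for. The syscall-number table holds only the entry this report shows, and feeding it a log saved with `ausearch -m avc --raw` is an assumption about how the records would be captured.

```python
"""Offline triage of raw auditd AVC records: correlate, decode, aggregate, emit CIL.

Added example for this bug report, not Chromium, audit-userspace or selinux-policy
code. It redoes what `ausearch -i` (hex proctitle, syscall and errno names, joining
records by event serial) and `audit2allow` (denial to allow rule) did in the thread.
"""
import errno
import re
from collections import Counter, defaultdict

# Hex-encoded proctitle exactly as quoted in the report (hex because it has spaces).
PROCTITLE_HEX = (
    "2F7573722F6C696236342F6368726F6D69756D2D62726F777365722F6368726F6D69756D2D62726F"
    "77736572202D2D747970653D7A79676F7465202D2D63726173687061642D68616E646C65722D7069"
    "643D3638383238202D2D656E61626C652D63726173682D7265706F727465723D2C4665646F726120"
    "50726F6A65637420"
)
# Constructed sample: the two events quoted in the report (serials 7302 and 7304),
# with the SYSCALL records shortened to the fields used here.
SAMPLE_AUDIT = "\n".join(
    f"type=PROCTITLE msg=audit(1683464724.{ms}:{serial}): proctitle={PROCTITLE_HEX}\n"
    f"type=SYSCALL msg=audit(1683464724.{ms}:{serial}): arch=c000003e syscall=126 "
    f'success=no exit=-13 ppid=68845 pid={pid} comm="chromium-browse" '
    f'exe="/usr/lib64/chromium-browser/chromium-browser" key=(null)\n'
    f"type=AVC msg=audit(1683464724.{ms}:{serial}): avc:  denied  {{ setcap }} for  "
    f'pid={pid} comm="chromium-browse" '
    f"scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 "
    f"tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 "
    f"tclass=process permissive=0"
    for ms, serial, pid in (("508", 7302, 72522), ("510", 7304, 72523))
)

RECORD_RE = re.compile(r"type=(?P<type>\w+) msg=audit\([\d.]+:(?P<serial>\d+)\): (?P<body>.*)")
AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]*)\} for\s+(?P<fields>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
X86_64_SYSCALLS = {126: "capset"}  # only the number this report shows (comment 2)


def kv(text):
    """Split 'key=value key="quoted value"' into a dict, dropping the quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def decode_proctitle(value):
    """Undo audit's hex encoding; argv is NUL-separated in the kernel, so NUL -> space."""
    if value.startswith('"'):  # titles without spaces or control chars are logged plain
        return value.strip('"')
    return bytes.fromhex(value).decode("utf-8", "replace").replace("\x00", " ").rstrip()


def group_events(audit_text):
    """Join the AVC, SYSCALL and PROCTITLE records that share one event serial."""
    events = defaultdict(dict)
    for line in audit_text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        ev, body = events[int(m["serial"])], m["body"]
        if m["type"] == "AVC" and (a := AVC_RE.match(body)):
            f = kv(a["fields"])
            ev["avc"] = {
                "verdict": a["verdict"], "perms": tuple(a["perms"].split()),
                "stype": f["scontext"].split(":")[2],  # type field of user:role:type:range
                "ttype": f["tcontext"].split(":")[2], "tclass": f["tclass"],
                "pid": int(f["pid"]), "enforced": f.get("permissive") == "0",
            }
        elif m["type"] == "SYSCALL":
            f = kv(body)
            rc = int(f["exit"])
            ev["syscall"] = {
                "name": X86_64_SYSCALLS.get(int(f["syscall"]), f["syscall"]),
                "error": errno.errorcode.get(-rc, str(rc)) if rc < 0 else None,  # -13 -> EACCES
            }
        elif m["type"] == "PROCTITLE":
            ev["proctitle"] = decode_proctitle(kv(body)["proctitle"])
    return dict(events)


def summarize_denials(events):
    """Count enforced denials per (source type, target type, class, permission)."""
    counts = Counter()
    for ev in events.values():
        avc = ev.get("avc")
        if avc and avc["verdict"] == "denied" and avc["enforced"]:
            for perm in avc["perms"]:
                counts[(avc["stype"], avc["ttype"], avc["tclass"], perm)] += 1
    return counts


def cil_rules(counts):
    """Collapse the counts into one CIL allow statement per (source, target, class)."""
    perms = defaultdict(set)
    for stype, ttype, tclass, perm in counts:
        perms[(stype, ttype, tclass)].add(perm)
    return sorted(f"(allow {s} {t} ({c} ({' '.join(sorted(p))})))" for (s, t, c), p in perms.items())


if __name__ == "__main__":
    evs = group_events(SAMPLE_AUDIT)
    counts = summarize_denials(evs)
    print(sum(counts.values()), "enforced denials ->", *cil_rules(counts))
```

The rule this produces is exactly the one in comment 2. Turning every denial into an allow rule this way is only safe after deciding the denied operation is expected behaviour (comment 3 confirms the sandbox really calls capset); here the rule is narrow, since source and target are the same domain and a single permission is added, which is why it was acceptable to fold into selinux-policy rather than left as a local module.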
Comment 3 Than Ngo 2023-05-09 09:17:04 UTC
Hi Zdenek,

yes, the capset system call is used in Chromium Sandbox. I have tried your local_chromesandbox_capset.cil and confirmed that the problem is fixed, Chromium works fine after that.

Can we have it in selinux-policy?

Thanks!

Comment 4 Zdenek Pytela 2023-05-10 13:24:13 UTC
I've submitted a Fedora PR to address the issue in F38 and newer:
https://github.com/fedora-selinux/selinux-policy/pull/1679

Comment 5 Fedora Update System 2023-05-20 06:13:51 UTC
FEDORA-EPEL-2023-1388277bf4 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-1388277bf4

Comment 6 Fedora Update System 2023-05-20 06:13:52 UTC
FEDORA-EPEL-2023-2694488870 has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-2694488870

Comment 7 Fedora Update System 2023-05-20 06:13:53 UTC
FEDORA-2023-5c477a04ca has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-5c477a04ca

Comment 8 Fedora Update System 2023-05-20 06:13:54 UTC
FEDORA-EPEL-2023-6fba4b91e0 has been submitted as an update to Fedora EPEL 9. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-6fba4b91e0

Comment 9 Fedora Update System 2023-05-20 06:13:55 UTC
FEDORA-2023-69264c19f9 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-69264c19f9

Comment 10 Fedora Update System 2023-05-21 00:23:17 UTC
FEDORA-EPEL-2023-1388277bf4 has been pushed to the Fedora EPEL 7 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-1388277bf4

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 11 Fedora Update System 2023-05-21 00:23:26 UTC
FEDORA-EPEL-2023-2694488870 has been pushed to the Fedora EPEL 8 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-2694488870

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 12 Fedora Update System 2023-05-21 00:23:39 UTC
FEDORA-EPEL-2023-6fba4b91e0 has been pushed to the Fedora EPEL 9 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-6fba4b91e0

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 13 Fedora Update System 2023-05-21 03:35:24 UTC
FEDORA-2023-69264c19f9 has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-69264c19f9`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-69264c19f9

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 14 Fedora Update System 2023-05-21 03:49:41 UTC
FEDORA-2023-5c477a04ca has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-5c477a04ca`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-5c477a04ca

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 15 Fedora Update System 2023-05-22 00:38:19 UTC
FEDORA-2023-69264c19f9 has been pushed to the Fedora 37 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 16 Fedora Update System 2023-05-22 01:38:35 UTC
FEDORA-2023-5c477a04ca has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 17 Fedora Update System 2023-05-29 00:46:46 UTC
FEDORA-EPEL-2023-6fba4b91e0 has been pushed to the Fedora EPEL 9 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 18 Fedora Update System 2023-05-29 00:47:21 UTC
FEDORA-EPEL-2023-1388277bf4 has been pushed to the Fedora EPEL 7 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 19 Fedora Update System 2023-05-29 01:14:02 UTC
FEDORA-EPEL-2023-2694488870 has been pushed to the Fedora EPEL 8 stable repository.
If problem still persists, please make note of it in this bug report.

