Bug 538310 - SELinux is preventing /usr/lib64/chromium-browser/chromium-browser "read" access on chromium.
Summary: SELinux is preventing /usr/lib64/chromium-browser/chromium-browser "read" acc...
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:428672b40a5...
Depends On:
TreeView+ depends on / blocked
Reported: 2009-11-18 08:55 UTC by Tore Anderson
Modified: 2009-12-02 04:36 UTC (History)
2 users (show)

Fixed In Version: 3.6.32-49.fc12
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2009-12-01 16:40:17 UTC

Attachments (Terms of Use)

Description Tore Anderson 2009-11-18 08:55:06 UTC

SELinux is preventing /usr/lib64/chromium-browser/chromium-browser "read" access
on chromium.

Detailed Description:

[chromium-browse has a permissive type (chrome_sandbox_t). This access was not

SELinux denied access requested by chromium-browse. It is not expected that this
access is required by chromium-browse and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug

Additional Information:

Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
Target Context                system_u:object_r:nfs_t:s0
Target Objects                chromium [ lnk_file ]
Source                        chromium-browse
Source Path                   /usr/lib64/chromium-browser/chromium-browser
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           chromium-
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-41.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) #1
                              SMP Sat Nov 7 21:11:14 EST 2009 x86_64 x86_64
Alert Count                   1
First Seen                    on. 18. nov. 2009 kl. 09.53 +0000
Last Seen                     on. 18. nov. 2009 kl. 09.53 +0000
Local ID                      b8868d7b-8b75-4c72-9abd-0e7fab083f05
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1258534411.183:31913): avc:  denied  { read } for  pid=2424 comm="chromium-browse" name="chromium" dev=0:16 ino=364727 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=lnk_file

node=(removed) type=SYSCALL msg=audit(1258534411.183:31913): arch=c000003e syscall=4 per=400000 success=yes exit=0 a0=3b4a8b8 a1=7fff99e7fe30 a2=7fff99e7fe30 a3=7fff99e7fbc0 items=0 ppid=0 pid=2424 auid=1011 uid=1011 gid=1011 euid=1011 suid=1011 fsuid=1011 egid=1011 sgid=1011 fsgid=1011 tty=(none) ses=2 comm="chromium-browse" exe="/usr/lib64/chromium-browser/chromium-browser" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Hash String generated from  selinux-policy-3.6.32-41.fc12,catchall,chromium-browse,chrome_sandbox_t,nfs_t,lnk_file,read
audit2allow suggests:

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t nfs_t:lnk_file read;

Comment 1 Daniel Walsh 2009-11-18 12:50:46 UTC
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.6.32-47.fc12.noarch

Comment 2 Fedora Update System 2009-11-23 23:35:29 UTC
selinux-policy-3.6.32-49.fc12 has been submitted as an update for Fedora 12.

Comment 3 Fedora Update System 2009-11-25 15:18:23 UTC
selinux-policy-3.6.32-49.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12131

Comment 4 Fedora Update System 2009-12-02 04:30:05 UTC
selinux-policy-3.6.32-49.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.