Summary:

SELinux is preventing /usr/lib/chromium-browser/chrome-sandbox "getattr" access on /proc/.

Detailed Description:

[chrome-sandbox has a permissive type (chrome_sandbox_t). This access was not denied.]

SELinux denied access requested by chrome-sandbox. It is not expected that this access is required by chrome-sandbox and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
Target Context                system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
Target Objects                /proc/<pid> [ dir ]
Source                        chrome-sandbox
Source Path                   /usr/lib/chromium-browser/chrome-sandbox
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           chromium-4.0.252.0-0.1.20091119svn32498.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-41.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.5-127.fc12.i686 #1 SMP Sat Nov 7 21:41:45 EST 2009 i686 i686
Alert Count                   1
First Seen                    Fri 20 Nov 2009 05:37:53 PM CST
Last Seen                     Fri 20 Nov 2009 05:37:53 PM CST
Local ID                      3610ba8c-adbd-4d59-88a9-575350bc57d7
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1258760273.706:23454): avc: denied { getattr } for pid=2433 comm="chrome-sandbox" path="/proc/1384" dev=proc ino=10666 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dir
node=(removed) type=SYSCALL msg=audit(1258760273.706:23454): arch=40000003 syscall=195 success=yes exit=0 a0=bf8a6dbc a1=bf8a6d54 a2=716ff4 a3=bf8a8ae1 items=0 ppid=2213 pid=2433 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="chrome-sandbox" exe="/usr/lib/chromium-browser/chrome-sandbox" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Hash String generated from  selinux-policy-3.6.32-41.fc12,catchall,chrome-sandbox,chrome_sandbox_t,system_dbusd_t,dir,getattr

audit2allow suggests:

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t system_dbusd_t:dir getattr;
*** Bug 539770 has been marked as a duplicate of this bug. ***
*** Bug 539839 has been marked as a duplicate of this bug. ***
*** Bug 539879 has been marked as a duplicate of this bug. ***
*** Bug 539884 has been marked as a duplicate of this bug. ***
*** Bug 540015 has been marked as a duplicate of this bug. ***
*** Bug 540040 has been marked as a duplicate of this bug. ***
*** Bug 540138 has been marked as a duplicate of this bug. ***
*** Bug 540253 has been marked as a duplicate of this bug. ***
*** Bug 540260 has been marked as a duplicate of this bug. ***
*** Bug 540261 has been marked as a duplicate of this bug. ***
*** Bug 540262 has been marked as a duplicate of this bug. ***
*** Bug 540264 has been marked as a duplicate of this bug. ***
*** Bug 540272 has been marked as a duplicate of this bug. ***
*** Bug 540275 has been marked as a duplicate of this bug. ***
*** Bug 540303 has been marked as a duplicate of this bug. ***
*** Bug 540305 has been marked as a duplicate of this bug. ***
*** Bug 540306 has been marked as a duplicate of this bug. ***
*** Bug 540342 has been marked as a duplicate of this bug. ***
*** Bug 540359 has been marked as a duplicate of this bug. ***
Will dontaudit searching all processes since this is not something a sandbox should be doing. Fixed in selinux-policy-3.6.32-48.fc12.noarch
(In reply to comment #20)
> Will dontaudit searching all processes since this is not something a sandbox
> should be doing.

Do you want someone to take a peek at what the code poking under /proc is attempting to do and maybe open a chromium bug upstream?
Yes.
(In reply to comment #22)
> Yes.

Background question: how does chromium transition from unconfined_execmem_t to chromium_sandbox_t? By looking for a command line like "/usr/lib64/chromium-browser/chromium-browser --channel=2949.3de9690.43869888 --type=renderer" on exec?
We have a transition rule defined for unconfined_t and unconfined_execmem_t executing chrome_sandbox_exec_t to transition to chrome_sandbox_t.
I've updated to selinux-policy-3.6.32-48.fc12.noarch and the problem is still there:

node=(removed) type=AVC msg=audit(1259012969.181:21716): avc: denied { getattr } for pid=3436 comm="chrome-sandbox" path="/proc/1214" dev=proc ino=11337 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tclass=dir
node=(removed) type=SYSCALL msg=audit(1259012969.181:21716): arch=40000003 syscall=195 success=yes exit=0 a0=bfae1e1c a1=bfae1db4 a2=549ff4 a3=bfae3a86 items=0 ppid=3348 pid=3436 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="chrome-sandbox" exe="/usr/lib/chromium-browser/chrome-sandbox" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)
selinux-policy-3.6.32-49.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-49.fc12
selinux-policy-3.6.32-49.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12131
The same problem for me with 4.0.253.0 (0) and selinux-policy-3.6.32-49.fc12:

node=(removed) type=AVC msg=audit(1259180293.333:21543): avc: denied { getattr } for pid=4172 comm="chrome-sandbox" path="/proc/1224" dev=proc ino=33909 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpcd_t:s0 tclass=dir
node=(removed) type=SYSCALL msg=audit(1259180293.333:21543): arch=40000003 syscall=195 success=yes exit=0 a0=bffd93ec a1=bffd9384 a2=385ff4 a3=bffd9a54 items=0 ppid=4167 pid=4172 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=2 comm="chrome-sandbox" exe="/usr/lib/chromium-browser/chrome-sandbox" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)
Fixed in selinux-policy-3.6.32-51.fc12.noarch
I think chromium is looking at its own processes in /proc to get memory and CPU use statistics. It may well be using /proc/<pid>/smaps to determine the level of page sharing. In F12 these displays in "Task Viewer" (Shift-Esc) are all zero.
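As an added example (not from this bug report or from the Fedora policy sources): a small Python script that parses the four AVC records quoted in this thread the way audit2allow summarises them, one allow rule per target type with "self" when source and target match, and sets that beside the single domain-wide dontaudit the maintainer chose in comment #20. The "domain" attribute used in the generated dontaudit is the refpolicy attribute every process type carries; the emitted rule is illustrative of the approach, not the policy's actual change.

```python
import re
from collections import defaultdict

# The four AVC records quoted in this thread (policy builds -41, -48 and -49,
# plus the later sys_ptrace report), copied verbatim as sample input.
AVC_LINES = [
    'type=AVC msg=audit(1258760273.706:23454): avc: denied { getattr } for pid=2433 comm="chrome-sandbox" path="/proc/1384" dev=proc ino=10666 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dir',
    'type=AVC msg=audit(1259012969.181:21716): avc: denied { getattr } for pid=3436 comm="chrome-sandbox" path="/proc/1214" dev=proc ino=11337 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tclass=dir',
    'type=AVC msg=audit(1259180293.333:21543): avc: denied { getattr } for pid=4172 comm="chrome-sandbox" path="/proc/1224" dev=proc ino=33909 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpcd_t:s0 tclass=dir',
    'type=AVC msg=audit(1259702118.981:20799): avc: denied { sys_ptrace } for pid=3957 comm="chrome-sandbox" capability=19 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tclass=capability',
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
                    r"scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)")

def selinux_type(context):
    """Third field of user:role:type[:range]; policy rules name the type, not the full context."""
    return context.split(":")[2]

def parse_avc(line):
    """Return (source type, target type, class, perms) for an AVC record, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return (selinux_type(m["src"]), selinux_type(m["tgt"]), m["cls"], frozenset(m["perms"].split()))

def fmt_perms(perms):
    return next(iter(perms)) if len(perms) == 1 else "{ " + " ".join(sorted(perms)) + " }"

def audit2allow_rules(lines, kind="allow"):
    """One rule per (source, target, class), perms merged, 'self' for own type: audit2allow's shape."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in filter(None, map(parse_avc, lines)):
        merged[(src, "self" if tgt == src else tgt, cls)] |= perms
    return [f"{kind} {s} {t}:{c} {fmt_perms(p)};" for (s, t, c), p in sorted(merged.items())]

def targets_by_access(lines):
    """Distinct target types per (source, class, perm): three daemons for one getattr means per-target allows never converge."""
    seen = defaultdict(set)
    for src, tgt, cls, perms in filter(None, map(parse_avc, lines)):
        for p in perms:
            seen[(src, cls, p)].add(tgt)
    return {k: sorted(v) for k, v in seen.items()}

def domain_wide_dontaudit(lines, min_targets=2):
    """Collapse accesses that hit several process types onto the 'domain' attribute as a
    dontaudit (illustrative raw rule in the spirit of comment #20, not the policy's own source)."""
    return [f"dontaudit {s} domain:{c} {p};"
            for (s, c, p), t in sorted(targets_by_access(lines).items()) if len(t) >= min_targets]
```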
selinux-policy-3.6.32-52.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-52.fc12
selinux-policy-3.6.32-52.fc12 here and the problem isn't fixed.
rpm -q selinux-policy-targeted

Also give me the output of

ausearch -m avc -ts recent
Created attachment 375188 [details]
output of ausearch

rpm -q selinux-policy-targeted
selinux-policy-targeted-3.6.32-46.fc12.noarch

I've attached the output of ausearch -m avc -ts recent.
That is the wrong version.

yum update selinux-policy-targeted
su -c "yum update selinux-policy-targeted"
Password:
Loaded plugins: presto, refresh-packagekit
Setting up Update Process
No Packages marked for Update

yum says there's no new package for update. Should I try the testing repository, or maybe there's something broken in my system?
I've downgraded selinux-policy to 3.6.32-49.fc12 (because selinux-policy-targeted requires just that version), and I've updated selinux-policy-targeted. But I don't understand two things:

1. your fix is in selinux-policy, but the problem is in selinux-policy-targeted
2. selinux-policy-targeted depends on selinux-policy, but you can upgrade selinux-policy without upgrading selinux-policy-targeted (?)

Now I'm using:
selinux-policy-3.6.32-49.fc12.noarch
selinux-policy-targeted-3.6.32-49.fc12.noarch

The problem seems to be gone, although I got the following AVC denial:

$ sudo ausearch -m avc -ts recent
----
time->Tue Dec 1 22:15:18 2009
type=SYSCALL msg=audit(1259702118.981:20799): arch=40000003 syscall=85 success=yes exit=14 a0=bfa3b3cc a1=bfa3b2cc a2=ff a3=8049b52 items=0 ppid=3952 pid=3957 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="chrome-sandbox" exe="/usr/lib/chromium-browser/chrome-sandbox" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1259702118.981:20799): avc: denied { sys_ptrace } for pid=3957 comm="chrome-sandbox" capability=19 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tclass=capability

So, this is "SELinux is preventing /usr/lib/chromium-browser/chrome-sandbox "sys_ptrace" access.", a different problem! Excuse me if I'm confused, I'm a newbie. Thank you!
OK, now I get Bug 540530.
Yes, you need to upgrade both packages. selinux-policy-targeted actually contains the rules. sys_ptrace is dontaudited in selinux-policy*3.6.32-52.fc12.noarch. If you install this version, make sure you install both packages.
selinux-policy-3.6.32-49.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
selinux-policy-3.6.32-55.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-55.fc12
selinux-policy-3.6.32-55.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12650
selinux-policy-3.6.32-55.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
selinux-policy-3.6.32-120.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-120.fc12
selinux-policy-3.6.32-120.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.