Bug 539754 - SELinux is preventing /usr/lib/chromium-browser/chrome-sandbox "getattr" access on /proc/<pid>.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: i386
OS: Linux
Importance: low / medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:f673064551d...
Duplicates: 539770 539839 539879 539884 540015 540040 540138 540253 540260 540261 540262 540264 540272 540275 540303 540305 540306 540342 540359
Depends On:
Blocks:
Reported: 2009-11-20 23:50 UTC by Zach
Modified: 2010-08-20 01:45 UTC (History)
CC List: 13 users

Fixed In Version: selinux-policy-3.6.32-120.fc12
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-12-07 22:46:34 UTC
Type: ---
Embargoed:


Attachments
output of ausearch (26.97 KB, text/plain)
2009-12-01 20:54 UTC, Juan

Description Zach 2009-11-20 23:50:14 UTC
Summary:

SELinux is preventing /usr/lib/chromium-browser/chrome-sandbox "getattr" access
on /proc/<pid>.

Detailed Description:

[chrome-sandbox has a permissive type (chrome_sandbox_t). This access was not
denied.]

SELinux denied access requested by chrome-sandbox. It is not expected that this
access is required by chrome-sandbox and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
Target Context                system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
Target Objects                /proc/<pid> [ dir ]
Source                        chrome-sandbox
Source Path                   /usr/lib/chromium-browser/chrome-sandbox
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           chromium-4.0.252.0-0.1.20091119svn32498.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-41.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.5-127.fc12.i686 #1 SMP
                              Sat Nov 7 21:41:45 EST 2009 i686 i686
Alert Count                   1
First Seen                    Fri 20 Nov 2009 05:37:53 PM CST
Last Seen                     Fri 20 Nov 2009 05:37:53 PM CST
Local ID                      3610ba8c-adbd-4d59-88a9-575350bc57d7
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1258760273.706:23454): avc:  denied  { getattr } for  pid=2433 comm="chrome-sandbox" path="/proc/1384" dev=proc ino=10666 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dir

node=(removed) type=SYSCALL msg=audit(1258760273.706:23454): arch=40000003 syscall=195 success=yes exit=0 a0=bf8a6dbc a1=bf8a6d54 a2=716ff4 a3=bf8a8ae1 items=0 ppid=2213 pid=2433 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="chrome-sandbox" exe="/usr/lib/chromium-browser/chrome-sandbox" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  selinux-policy-3.6.32-41.fc12,catchall,chrome-sandbox,chrome_sandbox_t,system_dbusd_t,dir,getattr
audit2allow suggests:

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t system_dbusd_t:dir getattr;

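The two raw records above carry the detail that setroubleshoot's summary glosses over: the AVC says "denied" while the matching SYSCALL record says success=yes, which is exactly what a permissive domain (chrome_sandbox_t here) looks like in the log. The following is an added example, not code from the report or from Fedora's setroubleshoot/audit2allow: it groups AVC and SYSCALL records by audit serial, flags denials that were in fact permitted, and merges the denials into audit2allow-style rules, with the sample input taken from the records quoted in this report (comment 0 and comment 37). Field names and regexes are my own assumptions about the audit format, not taken from audit2allow.

```python
"""Parse SELinux AVC and SYSCALL audit records, flag denials that were in
fact permitted, and emit audit2allow-style allow/dontaudit rules.
Added example; not part of this bug report or of Fedora's tooling."""
import re
from collections import defaultdict

# Sample input: the records quoted in this report (comment 0 and comment 37).
# Each event is one AVC record plus the SYSCALL record with the same serial.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1258760273.706:23454): avc:  denied  { getattr } for  pid=2433 comm="chrome-sandbox" path="/proc/1384" dev=proc ino=10666 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dir
type=SYSCALL msg=audit(1258760273.706:23454): arch=40000003 syscall=195 success=yes exit=0 a0=bf8a6dbc a1=bf8a6d54 a2=716ff4 a3=bf8a8ae1 items=0 ppid=2213 pid=2433 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="chrome-sandbox" exe="/usr/lib/chromium-browser/chrome-sandbox" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)
type=SYSCALL msg=audit(1259702118.981:20799): arch=40000003 syscall=85 success=yes exit=14 a0=bfa3b3cc a1=bfa3b2cc a2=ff a3=8049b52 items=0 ppid=3952 pid=3957 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="chrome-sandbox" exe="/usr/lib/chromium-browser/chrome-sandbox" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1259702118.981:20799): avc:  denied  { sys_ptrace } for  pid=3957 comm="chrome-sandbox" capability=19 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tclass=capability
"""

HDR_RE = re.compile(r"type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<rest>.*)")
AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def kv(text):
    """'a=1 b="x y"' -> {'a': '1', 'b': 'x y'}."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def type_of(context):
    """user:role:type:range -> type."""
    return context.split(":")[2]


def parse_audit(text):
    """Group records by audit serial; return events ordered by serial."""
    events = defaultdict(lambda: {"avcs": [], "syscall": None})
    for line in text.splitlines():
        m = HDR_RE.search(line)
        if not m:
            continue
        ev = events[m["serial"]]
        ev["ts"] = m["ts"]
        if m["type"] == "AVC":
            a = AVC_RE.search(m["rest"])
            if not a:
                continue
            f = kv(a["fields"])
            ev["avcs"].append({
                "verdict": a["verdict"],
                "perms": a["perms"].split(),
                "stype": type_of(f["scontext"]),
                "ttype": type_of(f["tcontext"]),
                "tclass": f["tclass"],
                "comm": f.get("comm", ""),
                "path": f.get("path", ""),
            })
        elif m["type"] == "SYSCALL":
            ev["syscall"] = kv(m["rest"])
    return [dict(serial=s, **e) for s, e in sorted(events.items(), key=lambda i: int(i[0]))]


def effectively_permitted(ev):
    """An AVC 'denied' whose SYSCALL record reports success=yes means the
    access actually went through: the domain is permissive (as setroubleshoot
    notes for chrome_sandbox_t above) or the whole system is. Strong hint,
    not proof: confirm with `getenforce` and `semanage permissive -l`."""
    sc = ev["syscall"]
    return bool(sc) and sc.get("success") == "yes" and any(
        a["verdict"] == "denied" for a in ev["avcs"])


def suggest_rules(events, verb="allow"):
    """Merge denials per (source type, target type, class) into TE rules,
    the way audit2allow prints them. verb='dontaudit' gives the kind of rule
    the maintainer applied here: it silences the log without granting."""
    merged = defaultdict(set)
    for ev in events:
        for a in ev["avcs"]:
            if a["verdict"] == "denied":
                merged[(a["stype"], a["ttype"], a["tclass"])].update(a["perms"])
    rules = []
    for (s, t, c), perms in sorted(merged.items()):
        target = "self" if t == s else t
        p = " ".join(sorted(perms))
        if len(perms) > 1:
            p = "{ " + p + " }"
        rules.append(f"{verb} {s} {target}:{c} {p};")
    return rules


def report(events):
    """One summary line per AVC record, noting when it was really permitted."""
    out = []
    for ev in events:
        note = "  [permitted: permissive domain/mode]" if effectively_permitted(ev) else ""
        for a in ev["avcs"]:
            out.append(f"{ev['serial']} {a['comm']}: {a['stype']} -> {a['ttype']}:{a['tclass']} "
                       f"{{ {' '.join(a['perms'])} }}{note}")
    return out


if __name__ == "__main__":
    evs = parse_audit(SAMPLE_AUDIT)
    print("\n".join(report(evs)))
    print("\n".join(suggest_rules(evs)))
    print("\n".join(suggest_rules(evs, "dontaudit")))
```

Run it against `ausearch -m avc -ts recent` output to get the same grouping. The point of the permissive flag is triage: a "denied" AVC from a permissive domain has not blocked anything, so the right response is to decide whether the access should exist at all (allow), be silenced (dontaudit, as was done here for walking /proc), or be fixed in the application, not to reach for audit2allow reflexively.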
Comment 1 Miroslav Grepl 2009-11-23 08:13:38 UTC
*** Bug 539770 has been marked as a duplicate of this bug. ***

Comment 2 Miroslav Grepl 2009-11-23 08:16:02 UTC
*** Bug 539839 has been marked as a duplicate of this bug. ***

Comment 3 Miroslav Grepl 2009-11-23 08:16:40 UTC
*** Bug 539879 has been marked as a duplicate of this bug. ***

Comment 4 Miroslav Grepl 2009-11-23 08:17:46 UTC
*** Bug 539884 has been marked as a duplicate of this bug. ***

Comment 5 Miroslav Grepl 2009-11-23 08:19:05 UTC
*** Bug 540015 has been marked as a duplicate of this bug. ***

Comment 6 Miroslav Grepl 2009-11-23 08:19:40 UTC
*** Bug 540040 has been marked as a duplicate of this bug. ***

Comment 7 Miroslav Grepl 2009-11-23 08:21:03 UTC
*** Bug 540138 has been marked as a duplicate of this bug. ***

Comment 8 Miroslav Grepl 2009-11-23 08:28:05 UTC
*** Bug 540253 has been marked as a duplicate of this bug. ***

Comment 9 Miroslav Grepl 2009-11-23 08:29:07 UTC
*** Bug 540260 has been marked as a duplicate of this bug. ***

Comment 10 Miroslav Grepl 2009-11-23 08:31:28 UTC
*** Bug 540261 has been marked as a duplicate of this bug. ***

Comment 11 Miroslav Grepl 2009-11-23 08:32:07 UTC
*** Bug 540262 has been marked as a duplicate of this bug. ***

Comment 12 Miroslav Grepl 2009-11-23 08:32:33 UTC
*** Bug 540264 has been marked as a duplicate of this bug. ***

Comment 13 Miroslav Grepl 2009-11-23 08:33:02 UTC
*** Bug 540272 has been marked as a duplicate of this bug. ***

Comment 14 Miroslav Grepl 2009-11-23 08:33:36 UTC
*** Bug 540275 has been marked as a duplicate of this bug. ***

Comment 15 Miroslav Grepl 2009-11-23 08:34:22 UTC
*** Bug 540303 has been marked as a duplicate of this bug. ***

Comment 16 Miroslav Grepl 2009-11-23 08:34:46 UTC
*** Bug 540305 has been marked as a duplicate of this bug. ***

Comment 17 Miroslav Grepl 2009-11-23 08:35:12 UTC
*** Bug 540306 has been marked as a duplicate of this bug. ***

Comment 18 Miroslav Grepl 2009-11-23 08:35:41 UTC
*** Bug 540342 has been marked as a duplicate of this bug. ***

Comment 19 Miroslav Grepl 2009-11-23 08:36:08 UTC
*** Bug 540359 has been marked as a duplicate of this bug. ***

Comment 20 Daniel Walsh 2009-11-23 16:47:48 UTC
Will dontaudit searching all processes since this is not something a sandbox should be doing.

Fixed in selinux-policy-3.6.32-48.fc12.noarch

Comment 21 Scott Tsai 2009-11-23 17:03:57 UTC
(In reply to comment #20)
> Will dontaudit searching all processes since this is not something a sandbox
> should be doing.

Do you want someone to take a peek at what the code poking under /proc is attempting to do and maybe open a chromium bug upstream?

Comment 22 Daniel Walsh 2009-11-23 17:14:41 UTC
Yes.

Comment 23 Scott Tsai 2009-11-23 18:00:27 UTC
(In reply to comment #22)
> Yes.  

Background question: how does chromium transition from unconfined_execmem_t to chromium_sandbox_t? By looking for "/usr/lib64/chromium-browser/chromium-browser --channel=2949.3de9690.43869888 --type=renderer" like command line on exec?

Comment 24 Daniel Walsh 2009-11-23 18:58:16 UTC
We have a transition rule defined for unconfined_t and unconfined_execmem_t executing chrome_sandbox_exec_t to transition to chrome_sandbox_t

Comment 25 Juan 2009-11-23 21:52:03 UTC
I've updated to selinux-policy-3.6.32-48.fc12.noarch and the problem is still there:

node=(removed) type=AVC msg=audit(1259012969.181:21716): avc: denied { getattr } for pid=3436 comm="chrome-sandbox" path="/proc/1214" dev=proc ino=11337 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tclass=dir 

node=(removed) type=SYSCALL msg=audit(1259012969.181:21716): arch=40000003 syscall=195 success=yes exit=0 a0=bfae1e1c a1=bfae1db4 a2=549ff4 a3=bfae3a86 items=0 ppid=3348 pid=3436 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="chrome-sandbox" exe="/usr/lib/chromium-browser/chrome-sandbox" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Comment 26 Fedora Update System 2009-11-23 23:38:41 UTC
selinux-policy-3.6.32-49.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-49.fc12

Comment 27 Fedora Update System 2009-11-25 15:21:53 UTC
selinux-policy-3.6.32-49.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12131

Comment 28 Juan 2009-11-25 20:19:49 UTC
The same problem for me with 4.0.253.0 (0) and selinux-policy-3.6.32-49.fc12:

node=(removed) type=AVC msg=audit(1259180293.333:21543): avc: denied { getattr } for pid=4172 comm="chrome-sandbox" path="/proc/1224" dev=proc ino=33909 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpcd_t:s0 tclass=dir 

node=(removed) type=SYSCALL msg=audit(1259180293.333:21543): arch=40000003 syscall=195 success=yes exit=0 a0=bffd93ec a1=bffd9384 a2=385ff4 a3=bffd9a54 items=0 ppid=4167 pid=4172 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=2 comm="chrome-sandbox" exe="/usr/lib/chromium-browser/chrome-sandbox" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Comment 29 Daniel Walsh 2009-11-25 20:29:45 UTC
Fixed in selinux-policy-3.6.32-51.fc12.noarch

Comment 30 Jeremy Fitzhardinge 2009-11-28 08:07:29 UTC
I think chromium is looking at its own processes in /proc to get memory and CPU use statistics.  It may well be using /proc/<pid>/smaps to determine the level of page sharing.

In F12 these displays in "Task Viewer" (Shift-Esc) are all zero.

Comment 31 Fedora Update System 2009-12-01 16:51:05 UTC
selinux-policy-3.6.32-52.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-52.fc12

Comment 32 Juan 2009-12-01 20:12:49 UTC
selinux-policy-3.6.32-52.fc12 here and the problem isn't fixed.

Comment 33 Daniel Walsh 2009-12-01 20:36:09 UTC
rpm -q selinux-policy-targeted

Also give me the output of


ausearch -m avc -ts recent

Comment 34 Juan 2009-12-01 20:54:21 UTC
Created attachment 375188
output of ausearch

rpm -q selinux-policy-targeted
selinux-policy-targeted-3.6.32-46.fc12.noarch

I've attached the output of ausearch -m avc -ts recent.

Comment 35 Daniel Walsh 2009-12-01 21:00:08 UTC
That is the wrong version.

yum update selinux-policy-targeted

Comment 36 Juan 2009-12-01 21:07:13 UTC
su -c "yum update selinux-policy-targeted"
Password: 
Loaded plugins: presto, refresh-packagekit
Setting up Update Process
No Packages marked for Update

yum says there's no new package for update. Should I try testing repository or may be there's something broken in my system?

Comment 37 Juan 2009-12-01 21:19:39 UTC
I've downgraded selinux-policy to 3.6.32-49.fc12 (because selinux-policy-targeted requires just that version), and I've updated selinux-policy-targeted.

But I don't understand two things:

 1. your fix is in selinux-policy, but the problem is in selinux-policy-targeted
 2. selinux-policy-targeted depends on selinux-policy, but you can upgrade selinux-policy without upgrading selinux-policy-targeted (?)

Now I'm using:

selinux-policy-3.6.32-49.fc12.noarch
selinux-policy-targeted-3.6.32-49.fc12.noarch

The problem seems to be gone, although I got the following AVC denial:

$ sudo ausearch -m avc -ts recent
----
time->Tue Dec  1 22:15:18 2009
type=SYSCALL msg=audit(1259702118.981:20799): arch=40000003 syscall=85 success=yes exit=14 a0=bfa3b3cc a1=bfa3b2cc a2=ff a3=8049b52 items=0 ppid=3952 pid=3957 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="chrome-sandbox" exe="/usr/lib/chromium-browser/chrome-sandbox" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1259702118.981:20799): avc:  denied  { sys_ptrace } for  pid=3957 comm="chrome-sandbox" capability=19 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tclass=capability

So, this is "SELinux is preventing /usr/lib/chromium-browser/chrome-sandbox "sys_ptrace" access.", a different problem!

Excuse me if I'm confused, I'm a newbie. Thank you!

Comment 38 Juan 2009-12-01 21:29:59 UTC
OK, now I get Bug 540530.

Comment 39 Daniel Walsh 2009-12-01 21:47:38 UTC
Yes you need to upgrade both packages.

selinux-policy-targeted actually contains the rules.

sys_ptrace is dontaudited in selinux-policy*3.6.32-52.fc12.noarch

If you install this version make sure you install both packages.

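The skew Juan ran into in comments 32 to 37 (selinux-policy at one release, selinux-policy-targeted, which carries the actual rules, at an older one) is worth checking mechanically before concluding a policy fix did not work. The following is an added example, not code from the report or from Fedora: it compares the two packages' version-release strings and checks whether the installed targeted policy is at least the release named as carrying a fix. The offline sample uses the versions Juan reported; the rpm query format string and the rough rpmvercmp-style comparison are my own assumptions.

```python
"""Check that selinux-policy and selinux-policy-targeted are installed at the
same version-release and that the release is new enough to carry a fix.
Added example; not part of this report or of Fedora's tooling."""
import re
import subprocess

POLICY_PACKAGES = ("selinux-policy", "selinux-policy-targeted")

# Constructed from the versions reported in comments 32 and 34: the base
# package was updated, the -targeted package (which carries the rules) was not.
SKEWED = {"selinux-policy": "3.6.32-52.fc12", "selinux-policy-targeted": "3.6.32-46.fc12"}


def _segments(s):
    """rpm-style segments: digit runs compare numerically, letter runs as strings."""
    return [int(x) if x.isdigit() else x for x in re.findall(r"\d+|[A-Za-z]+", s)]


def _cmp_part(a, b):
    """-1/0/1 for one version or release string, roughly as rpmvercmp does."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if isinstance(x, int) != isinstance(y, int):
            return 1 if isinstance(x, int) else -1   # a numeric segment beats an alpha one
        return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def vr_at_least(installed, required):
    """True if 'version-release' installed >= required."""
    iv, _, ir = installed.partition("-")
    rv, _, rr = required.partition("-")
    return (_cmp_part(iv, rv) or _cmp_part(ir, rr)) >= 0


def check_policy(versions, required=None):
    """versions: {package: 'version-release'}. Returns problems (empty list = OK)."""
    problems = []
    missing = [p for p in POLICY_PACKAGES if p not in versions]
    if missing:
        return ["not installed: " + ", ".join(missing)]
    base, targeted = (versions[p] for p in POLICY_PACKAGES)
    if base != targeted:
        problems.append(f"version skew: selinux-policy {base} vs selinux-policy-targeted {targeted}; "
                        "the rules live in the -targeted package, so update both")
    if required and not vr_at_least(targeted, required):
        problems.append(f"selinux-policy-targeted {targeted} is older than the fix in {required}")
    return problems


def installed_versions():
    """Query rpm on a live system (assumes rpm is available; not exercised offline)."""
    out = subprocess.run(
        ["rpm", "-q", "--qf", "%{NAME} %{VERSION}-%{RELEASE}\n", *POLICY_PACKAGES],
        capture_output=True, text=True, check=False).stdout
    versions = {}
    for line in out.splitlines():
        name, _, vr = line.partition(" ")
        if name in POLICY_PACKAGES and vr:   # "package X is not installed" lines are skipped
            versions[name] = vr
    return versions


if __name__ == "__main__":
    for msg in check_policy(installed_versions(), required="3.6.32-55.fc12") or ["policy packages OK"]:
        print(msg)
```

With yum the usual cause of skew is updating one package by name (`yum update selinux-policy`) while the other is held back or already at the pinned version; `yum update selinux-policy\*` keeps both in step, and this check turns the "it still doesn't work" report into a concrete version mismatch.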
Comment 40 Fedora Update System 2009-12-02 04:33:10 UTC
selinux-policy-3.6.32-49.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 41 Fedora Update System 2009-12-03 20:29:16 UTC
selinux-policy-3.6.32-55.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-55.fc12

Comment 42 Fedora Update System 2009-12-04 23:47:36 UTC
selinux-policy-3.6.32-55.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12650

Comment 43 Fedora Update System 2009-12-08 07:54:15 UTC
selinux-policy-3.6.32-55.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 44 Fedora Update System 2010-08-05 13:19:51 UTC
selinux-policy-3.6.32-120.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-120.fc12

Comment 45 Fedora Update System 2010-08-20 01:40:12 UTC
selinux-policy-3.6.32-120.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

