Summary: SELinux is preventing /usr/lib64/chromium-browser/chrome-sandbox "getattr" access on /proc/. Detailed Description: [chrome-sandbox has a permissive type (chrome_sandbox_t). This access was not denied.] SELinux denied access requested by chrome-sandbox. It is not expected that this access is required by chrome-sandbox and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug report. Additional Information: Source Context unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c 0.c1023 Target Context system_u:system_r:udev_t:s0-s0:c0.c1023 Target Objects /proc/<pid> [ dir ] Source chrome-sandbox Source Path /usr/lib64/chromium-browser/chrome-sandbox Port <Unknown> Host (removed) Source RPM Packages chromium-4.0.252.0-0.1.20091119svn32498.fc12 Target RPM Packages Policy RPM selinux-policy-3.6.32-49.fc12 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name catchall Host Name (removed) Platform Linux (removed) 2.6.31.5-127.fc12.x86_64 #1 SMP Sat Nov 7 21:11:14 EST 2009 x86_64 x86_64 Alert Count 1 First Seen Mon 30 Nov 2009 04:11:47 PM BRST Last Seen Mon 30 Nov 2009 04:11:47 PM BRST Local ID 0bbf9250-59b2-47bd-9e4e-f4d75a0429be Line Numbers Raw Audit Messages node=(removed) type=AVC msg=audit(1259604707.823:957): avc: denied { getattr } for pid=10637 comm="chrome-sandbox" path="/proc/399" dev=proc ino=6267 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=dir node=(removed) type=SYSCALL msg=audit(1259604707.823:957): arch=c000003e syscall=4 success=yes exit=128 a0=7fff6294ec50 a1=7fff6294ebb0 a2=7fff6294ebb0 a3=1999999999999999 items=0 ppid=2300 pid=10637 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="chrome-sandbox" exe="/usr/lib64/chromium-browser/chrome-sandbox" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null) Hash String generated from selinux-policy-3.6.32-49.fc12,catchall,chrome-sandbox,chrome_sandbox_t,udev_t,dir,getattr audit2allow suggests: #============= chrome_sandbox_t ============== allow chrome_sandbox_t udev_t:dir getattr;
You can add these rules for now using # grep avc /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Fixed in selinux-policy-3.6.32-52.fc12.noarch
selinux-policy-3.6.32-52.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-52.fc12
I gotta this versions on my Fedora 12: selinux-policy-3.6.32-49.fc12.noarch selinux-policy-targeted-3.6.32-46.fc12.noarch I finished the 'yum update' and I don't get the selinux-policy-3.6.32-52.fc12, how can I apply this update on my system ? Do I have to download from the link above ? That is what I have found, following this link: http://koji.fedoraproject.org/koji/rpminfo?rpmID=1701541 What I have to do ? RPMs src selinux-policy-3.6.32-52.fc12.src.rpm (info) (download) noarch (build logs) selinux-policy-3.6.32-52.fc12.noarch.rpm (info) (download) selinux-policy-doc-3.6.32-52.fc12.noarch.rpm (info) (download) selinux-policy-minimum-3.6.32-52.fc12.noarch.rpm (info) (download) selinux-policy-mls-3.6.32-52.fc12.noarch.rpm (info) (download) selinux-policy-targeted-3.6.32-52.fc12.noarch.rpm (info) (download) Thanks.
Yes you can download it from there by clicking each download button and then use the rpm -Uhv selinux-policy*rpm to install them. Or you could wait a couple of days for the rpms to be pushed to updates-testing repositories. You should update selinux-policy-targeted to get to the -49 version anyways, yum -y upgrade selinux-policy-targeted
selinux-policy-3.6.32-52.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12549
I will do the update, but please some can tell me what I have to update ? Just selinux-policy ? or to selinux-policy-targeted ? By the way the second package do what ? Thanks.
yum -y update --enablerepo=updates-testing selinux-policy-targeted selinux-policy-targeted will suck in selinux-policy
selinux-policy-3.6.32-55.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-55.fc12
Thanks Daniel !!! Now I gotta selinux-policy-3.6.32-55.fc12 and selinux-policy-targeted-3.6.32-55.fc12. Chromium is doing fine ! :)
selinux-policy-3.6.32-55.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12650
Please update karma
Sorry, but I don't know what is "update karma" ? Can you explain ?
If you click on http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12650 And add a comment, and click on "Works for me", this will update the karma number on the test package. Once the number reaches three it gets released. ( I will be releasing it on Monday, anyways)
selinux-policy-3.6.32-55.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
selinux-policy-3.6.32-120.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-120.fc12
selinux-policy-3.6.32-120.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.