Sumário:

SELinux is preventing /usr/lib64/chromium-browser/chromium-browser "execstack" access.

Descrição detalhada:

[chromium-browse tem um tipo permissivo (chrome_sandbox_t). Esse acesso não foi negado.]

SELinux denied access requested by chromium-browse. It is not expected that this access is required by chromium-browse and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Permitindo acesso:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug report.

Informações adicionais:

Contexto de origem            unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
Contexto de destino           unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
Objetos de destino            None [ process ]
Origem                        chromium-browse
Caminho da origem             /usr/lib64/chromium-browser/chromium-browser
Porta                         <Desconhecido>
Máquina                       (removed)
Pacotes RPM de origem         chromium-4.0.273.0-0.1.20091216svn34775.fc12
Pacotes RPM de destino
RPM da política               selinux-policy-3.6.32-56.fc12
Selinux habilitado            True
Tipo de política              targeted
Modo reforçado                Enforcing
Nome do plugin                catchall
Nome da máquina               (removed)
Plataforma                    Linux (removed) 2.6.31.6-166.fc12.x86_64 #1 SMP Wed Dec 9 10:46:22 EST 2009 x86_64 x86_64
Contador de alertas           3
Visto pela primeira vez em    Ter 22 Dez 2009 08:33:49 BRT
Visto pela última vez em      Ter 22 Dez 2009 09:55:24 BRT
ID local                      599a56f2-956e-4100-92a9-872dafd2d1a3
Números de linha

Mensagens de auditoria não p

node=(removed) type=AVC msg=audit(1261486524.593:24882): avc: denied { execstack } for pid=2628 comm="chromium-browse" scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tclass=process

node=(removed) type=SYSCALL msg=audit(1261486524.593:24882): arch=c000003e syscall=10 success=yes exit=0 a0=7fff8ef2b000 a1=1000 a2=1000007 a3=3975619aeb items=0 ppid=0 pid=2628 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="chromium-browse" exe="/usr/lib64/chromium-browser/chromium-browser" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Hash String generated from selinux-policy-3.6.32-56.fc12,catchall,chromium-browse,chrome_sandbox_t,chrome_sandbox_t,process,execstack

audit2allow suggests:

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t self:process execstack;
When I updated Chromium, SELinux prevented it from loading /usr/lib64/chromium-browser/libsandbox.so due to 'text relocation'. Reading the Bugzilla report, I found this line to bypass this small bug and allow Chromium to run even though the problem persisted:

chcon -t textrel_shlib_t '/usr/lib64/chromium-browser/libsandbox.so'

When I entered this command, Chromium could load, but then this new SELinux prevention started to show.
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.6.32-62.fc12.noarch
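Added example, not part of the bug report or of any Fedora tool: a Python script that joins the AVC and SYSCALL records quoted in the report by their audit serial and decodes the syscall arguments, so the request behind the execstack denial can be read before an allow rule is built from it. The function names are hypothetical; the syscall number and PROT_* values are the Linux x86_64 constants.

```python
import re

# The two audit records from the report above (node= prefix dropped).
SAMPLE = '''\
type=AVC msg=audit(1261486524.593:24882): avc: denied { execstack } for pid=2628 comm="chromium-browse" scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1261486524.593:24882): arch=c000003e syscall=10 success=yes exit=0 a0=7fff8ef2b000 a1=1000 a2=1000007 a3=3975619aeb items=0 ppid=0 pid=2628 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="chromium-browse" exe="/usr/lib64/chromium-browser/chromium-browser" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)
'''

AUDIT_ARCH_X86_64 = "c000003e"
MPROTECT_X86_64 = 10  # syscall number of mprotect(2) on x86_64
PROT_FLAGS = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC",
              0x01000000: "PROT_GROWSDOWN", 0x02000000: "PROT_GROWSUP"}

HEADER = re.compile(r'type=(\w+) msg=audit\(([\d.]+):(\d+)\):')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')

def parse_events(text):
    """Group records by audit serial so each AVC is joined to its SYSCALL."""
    events = {}
    for line in text.splitlines():
        m = HEADER.search(line)
        if not m:
            continue
        rtype, _timestamp, serial = m.groups()
        rec = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
        p = PERMS.search(line)
        if p:
            rec["result"], rec["perms"] = p.group(1), p.group(2).split()
        events.setdefault(serial, {})[rtype] = rec
    return events

def decode_prot(hexval):
    """Audit logs syscall arguments in hex; return the PROT_* names that are set."""
    value = int(hexval, 16)
    return [name for bit, name in PROT_FLAGS.items() if value & bit]

def explain(event):
    avc, sc = event["AVC"], event["SYSCALL"]
    out = {"perms": avc["perms"], "domain": avc["scontext"].split(":")[2],
           "tclass": avc["tclass"], "blocked": sc["success"] != "yes"}
    if sc["arch"] == AUDIT_ARCH_X86_64 and int(sc["syscall"]) == MPROTECT_X86_64:
        out["call"] = "mprotect"
        out["addr"], out["len"] = int(sc["a0"], 16), int(sc["a1"], 16)
        out["prot"] = decode_prot(sc["a2"])
    return out

if __name__ == "__main__":
    for serial, event in parse_events(SAMPLE).items():
        print(serial, explain(event))
```

The decoded call is an mprotect() of one page with PROT_EXEC and PROT_GROWSDOWN set, and success=yes next to "avc: denied" agrees with the report's note that chrome_sandbox_t is a permissive type.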
selinux-policy-3.6.32-63.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-63.fc12
selinux-policy-3.6.32-66.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-66.fc12
selinux-policy-3.6.32-66.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-0184
selinux-policy-3.6.32-63.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
selinux-policy-3.6.32-66.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.