Bug 549708 - SELinux is preventing /usr/lib64/chromium-browser/chromium-browser "execstack" access.
Summary: SELinux is preventing /usr/lib64/chromium-browser/chromium-browser "execstack...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: x86_64
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:1f7b6baa128...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-12-22 12:58 UTC by Cristóvão Rufino
Modified: 2010-01-08 20:10 UTC (History)
5 users (show)

Fixed In Version: 3.6.32-66.fc12
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-01-05 23:00:37 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Cristóvão Rufino 2009-12-22 12:58:23 UTC 
Sumário:

SELinux is preventing /usr/lib64/chromium-browser/chromium-browser "execstack"
access.

Descrição detalhada:

[chromium-browse tem um tipo permissivo (chrome_sandbox_t). Esse acesso não foi
negado.]

SELinux denied access requested by chromium-browse. It is not expected that this
access is required by chromium-browse and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Permitindo acesso:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.

Informações adicionais:

Contexto de origem            unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
                              0.c1023
Contexto de destino           unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
                              0.c1023
Objetos de destino            None [ process ]
Origem                        chromium-browse
Caminho da origem             /usr/lib64/chromium-browser/chromium-browser
Porta                         <Desconhecido>
Máquina                      (removed)
Pacotes RPM de origem         chromium-4.0.273.0-0.1.20091216svn34775.fc12
Pacotes RPM de destino        
RPM da política              selinux-policy-3.6.32-56.fc12
Selinux habilitado            True
Tipo de política             targeted
Modo reforçado               Enforcing
Nome do plugin                catchall
Nome da máquina              (removed)
Plataforma                    Linux (removed) 2.6.31.6-166.fc12.x86_64 #1 SMP Wed
                              Dec 9 10:46:22 EST 2009 x86_64 x86_64
Contador de alertas           3
Visto pela primeira vez em    Ter 22 Dez 2009 08:33:49 BRT
Visto pela última vez em     Ter 22 Dez 2009 09:55:24 BRT
ID local                      599a56f2-956e-4100-92a9-872dafd2d1a3
Números de linha             

Mensagens de auditoria não p 

node=(removed) type=AVC msg=audit(1261486524.593:24882): avc:  denied  { execstack } for  pid=2628 comm="chromium-browse" scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tclass=process

node=(removed) type=SYSCALL msg=audit(1261486524.593:24882): arch=c000003e syscall=10 success=yes exit=0 a0=7fff8ef2b000 a1=1000 a2=1000007 a3=3975619aeb items=0 ppid=0 pid=2628 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="chromium-browse" exe="/usr/lib64/chromium-browser/chromium-browser" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  selinux-policy-3.6.32-56.fc12,catchall,chromium-browse,chrome_sandbox_t,chrome_sandbox_t,process,execstack
audit2allow suggests:

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t self:process execstack;
Comment 1 Cristóvão Rufino 2009-12-22 13:04:16 UTC 
When I updated Chromium SELinux prevented it from loading the /usr/lib64/chromium-browser/libsandbox.so due to 'text relocation'. Reading the Bugzilla report I found this line to bypass this small bug and allow Chromium to run even the problem persisted:

chcon -t textrel_shlib_t '/usr/lib64/chromium-browser/libsandbox.so'

When I entered this command, Chromium could load but then this new SELinux prevention started to show.
Comment 2 Daniel Walsh 2009-12-22 13:59:07 UTC 
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.6.32-62.fc12.noarch
Comment 3 Fedora Update System 2009-12-22 21:56:23 UTC 
selinux-policy-3.6.32-63.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-63.fc12
Comment 4 Fedora Update System 2010-01-04 21:53:56 UTC 
selinux-policy-3.6.32-66.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-66.fc12
Comment 5 Fedora Update System 2010-01-05 22:49:58 UTC 
selinux-policy-3.6.32-66.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-0184
Comment 6 Fedora Update System 2010-01-05 22:58:16 UTC 
selinux-policy-3.6.32-63.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2010-01-08 20:04:46 UTC 
selinux-policy-3.6.32-66.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.