Summary:

SELinux is preventing /usr/lib64/chromium-browser/chrome-sandbox access to a leaked fifo_file file descriptor.

Detailed Description:

[chrome-sandbox has a permissive type (chrome_sandbox_t). This access was not denied.]

SELinux denied access requested by the chrome-sandbox command. It looks like this is either a leaked descriptor or chrome-sandbox output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the fifo_file. You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023
Target Objects                fifo_file [ fifo_file ]
Source                        chrome-sandbox
Source Path                   /usr/lib64/chromium-browser/chrome-sandbox
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           chromium-5.0.360.0-0.1.20100322svn42211.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-103.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux (removed) 2.6.32.9-70.fc12.x86_64 #1 SMP Wed Mar 3 04:40:41 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Tue, 23 Mar 2010, 14:48:24
Last Seen                     Tue, 23 Mar 2010, 14:48:24
Local ID                      7a125c49-1e76-4e9f-8c22-d776051f4e29
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1269352104.473:52): avc: denied { write } for pid=4586 comm="chrome-sandbox" path="pipe:[804140]" dev=pipefs ino=804140 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 tclass=fifo_file

node=(removed) type=SYSCALL msg=audit(1269352104.473:52): arch=c000003e syscall=59 success=yes exit=0 a0=2410ab8 a1=23fc640 a2=2420000 a3=7fffc65a0c80 items=0 ppid=4584 pid=4586 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="chrome-sandbox" exe="/usr/lib64/chromium-browser/chrome-sandbox" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Hash String generated from leaks,chrome-sandbox,chrome_sandbox_t,unconfined_java_t,fifo_file,write

audit2allow suggests:

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t unconfined_java_t:fifo_file write;

Miroslav, add userdom_unpriv_usertype(unconfined, unconfined_java_t) to java.te
Fixed in selinux-policy-3.6.32-108.fc12
selinux-policy-3.6.32-108.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-108.fc12
selinux-policy-3.6.32-108.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-108.fc12
selinux-policy-3.6.32-108.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.