Resum:

SELinux is preventing /opt/google/chrome/chrome "read" access on /opt/google/chrome/chrome.pak.

Descripció detallada:

[chrome has a permissive type (chrome_sandbox_t). This access was not denied.]

SELinux denied access requested by chrome. It is not expected that this access is required by chrome and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Permet l'accés:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Informació addicional:

Context de la font            unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
Context de l'objectiu         system_u:object_r:usr_t:s0
Objectes objectius            /opt/google/chrome/chrome.pak [ file ]
Font                          chrome
Camí de la font               /opt/google/chrome/chrome
Port                          <Desconegut>
Ordinador                     (removed)
Paquests RPM font             google-chrome-beta-5.0.342.9-43360
Paquets RPM destí             google-chrome-beta-5.0.342.9-43360
RPM de política               selinux-policy-3.6.32-110.fc12
S'ha habilitat el Selinux     True
Tipus de la política          targeted
Mode forçat                   Enforcing
Nom del connector             catchall
Nom de la màquina             (removed)
Plataforma                    Linux (removed) 2.6.32.10-90.fc12.x86_64 #1 SMP Tue Mar 23 09:47:08 UTC 2010 x86_64 x86_64
Contador d'alertes            2
Vist per primera vegada       dl 12 abr 2010 10:58:02 CEST
Vist per darrera vegada       dl 12 abr 2010 10:58:02 CEST
Identificador local           4e04fee9-ed15-47cb-8a39-35f1f9b536b7
Número de línies

Missatges d'auditoria sense p

node=(removed) type=AVC msg=audit(1271062682.948:1689): avc: denied { read } for pid=7689 comm="chrome" name="chrome.pak" dev=dm-8 ino=147760 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file

node=(removed) type=AVC msg=audit(1271062682.948:1689): avc: denied { open } for pid=7689 comm="chrome" name="chrome.pak" dev=dm-8 ino=147760 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1271062682.948:1689): arch=c000003e syscall=2 per=400000 success=yes exit=68719476864 a0=2d6b798 a1=0 a2=180 a3=18 items=0 ppid=0 pid=7689 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="chrome" exe="/opt/google/chrome/chrome" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Hash String generated from catchall,chrome,chrome_sandbox_t,usr_t,file,read

audit2allow suggests:

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t usr_t:file { read open };
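The audit records in the report above can be reduced to the rule audit2allow prints, and the SYSCALL record of the same event shows whether the denial was actually enforced. The Python below is an added example, not part of the bug report or of any Fedora tool; the names `analyse` and `selinux_type` are hypothetical, the SYSCALL sample line is abridged from the report, and permissions are emitted in sorted order.

```python
import re
from collections import defaultdict

# Audit records from the report above; node= prefix dropped and the SYSCALL
# record abridged to the fields used here.
SAMPLE = """\
type=AVC msg=audit(1271062682.948:1689): avc: denied { read } for pid=7689 comm="chrome" name="chrome.pak" dev=dm-8 ino=147760 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1271062682.948:1689): avc: denied { open } for pid=7689 comm="chrome" name="chrome.pak" dev=dm-8 ino=147760 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1271062682.948:1689): arch=c000003e syscall=2 success=yes exit=68719476864 comm="chrome" exe="/opt/google/chrome/chrome"
"""

EVENT = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")
AVC = re.compile(r"avc:\s+denied\s+\{([^}]+)\}.*?scontext=(\S+) tcontext=(\S+) tclass=(\S+)")


def selinux_type(context):
    """user:role:type:level -> type (the level part may contain more colons)."""
    return context.split(":")[2]


def analyse(text):
    """Merge AVC denials into allow rules and flag ones that were not enforced."""
    perms_by_rule = defaultdict(set)   # (source type, target type, class) -> perms
    rules_by_event = defaultdict(set)  # audit event id -> rule keys seen in it
    succeeded = set()                  # event ids whose syscall returned success
    for line in text.splitlines():
        event = EVENT.search(line)
        if not event:
            continue
        avc = AVC.search(line)
        if avc:
            perms, scon, tcon, tclass = avc.groups()
            key = (selinux_type(scon), selinux_type(tcon), tclass)
            perms_by_rule[key].update(perms.split())
            rules_by_event[event.group(1)].add(key)
        elif "type=SYSCALL" in line and " success=yes" in line:
            succeeded.add(event.group(1))
    findings = []
    for key, perms in sorted(perms_by_rule.items()):
        src, tgt, cls = key
        # A "denied" AVC whose syscall still succeeded was only logged
        # (permissive domain or permissive mode), not blocked.
        logged_only = any(key in rules_by_event[e] for e in succeeded)
        rule = "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))
        findings.append({"rule": rule, "enforced": not logged_only})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE):
        print(f["rule"], "(enforced)" if f["enforced"] else "(logged only, not blocked)")
```

For this report the result is one rule on `chrome_sandbox_t` to `usr_t:file`, marked as logged only, which matches the "This access was not denied" line in the alert.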
*** Bug 581458 has been marked as a duplicate of this bug. ***
*** Bug 581517 has been marked as a duplicate of this bug. ***
*** Bug 581455 has been marked as a duplicate of this bug. ***
Miroslav, add files_read_usr_files(chrome_sandbox_t)
Fixed in selinux-policy-3.6.32-111.fc12
This seems to have started occurring after today's update. Occurs pretty much every time I open Chrome.
Mykal, did you try out the newest policy? selinux-policy-3.6.32-111.fc12
I have just now checked and I am up to date. I have done a full restart but still get a SE denial report when I open Chrome (included below). Chrome runs fine but I get this report whenever I open a new tab. I can see in the report that it is using an older version of the policy, but shouldn't that have come with the usual updates?

Summary:

SELinux is preventing /opt/google/chrome/chrome "read" access on /opt/google/chrome/chrome.pak.

Detailed Description:

[chrome has a permissive type (chrome_sandbox_t). This access was not denied.]

SELinux denied access requested by chrome. It is not expected that this access is required by chrome and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
Target Context                system_u:object_r:usr_t:s0
Target Objects                /opt/google/chrome/chrome.pak [ file ]
Source                        chrome
Source Path                   /opt/google/chrome/chrome
Port                          <Unknown>
Host                          FedoraBox
Source RPM Packages           google-chrome-beta-5.0.342.9-43360
Target RPM Packages           google-chrome-beta-5.0.342.9-43360
Policy RPM                    selinux-policy-3.6.32-110.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     FedoraBox
Platform                      Linux FedoraBox 2.6.32.11-99.fc12.i686 #1 SMP Mon Apr 5 16:32:08 EDT 2010 i686 i686
Alert Count                   24
First Seen                    Thu 22 Apr 2010 12:33:44 PM EST
Last Seen                     Thu 22 Apr 2010 09:54:39 PM EST
Local ID                      6c1d2457-aa74-43d8-b072-1234fa475134
Line Numbers

Raw Audit Messages

node=FedoraBox type=AVC msg=audit(1271937279.377:16): avc: denied { read } for pid=2257 comm="chrome" name="chrome.pak" dev=dm-0 ino=55806 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file

node=FedoraBox type=AVC msg=audit(1271937279.377:16): avc: denied { open } for pid=2257 comm="chrome" name="chrome.pak" dev=dm-0 ino=55806 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file

node=FedoraBox type=SYSCALL msg=audit(1271937279.377:16): arch=40000003 syscall=5 per=400000 success=yes exit=9 a0=b77aa94 a1=8000 a2=0 a3=0 items=0 ppid=0 pid=2257 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="chrome" exe="/opt/google/chrome/chrome" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)
Mykal, you can install the latest selinux-policy and selinux-policy-targeted packages from Koji for now http://koji.fedoraproject.org/koji/buildinfo?buildID=167280
Thanks so much for all your help Miroslav, but unfortunately I get a transaction error when attempting to install the rpm from the site.

"selinux-policy-targeted-3.6.32-110.fc12.noarch requires selinux-policy = 3.6.32-110.fc12"

I can't see where I can download this file from the site. I understand this is just a flaky notification so I'm happy to bear with it for now; it looks like the policy is just waiting for approval and will come with an update soon, which I have set to check daily. Unless you have another suggestion?
selinux-policy-3.6.32-113.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-113.fc12
selinux-policy-3.6.32-113.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-113.fc12
(In reply to comment #12)
> selinux-policy-3.6.32-113.fc12 has been pushed to the Fedora 12 testing
> repository. If problems still persist, please make note of it in this bug
> report.
> If you want to test the update, you can install it with
> su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can
> provide feedback for this update here:
> http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-113.fc12

checked, looks ok here. Fedora 12, 64bit
checked, looks ok here. Fedora 12, 32bit
selinux-policy-3.6.32-113.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.