Bug 581517 - Chromium AVCs
Summary: Chromium AVCs
Keywords:
Status: CLOSED DUPLICATE of bug 581457
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: x86_64
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2010-04-12 13:55 UTC by Carl G.
Modified: 2010-04-12 20:34 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-04-12 16:26:14 UTC
Type: ---
Embargoed:



Description Carl G. 2010-04-12 13:55:34 UTC
Here are the 3 AVCs I'm getting from Chromium on launch:

1)



Résumé:

SELinux is preventing /opt/google/chrome/chrome "read" access on
/opt/google/chrome/libnss3.so.1d.

Description détaillée:

[chrome a un type permissif (chrome_sandbox_t). Cet accès n'a pas été
refusé.]

SELinux denied access requested by chrome. It is not expected that this access
is required by chrome and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Autoriser l'accès:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Informations complémentaires:

Contexte source               staff_u:staff_r:chrome_sandbox_t:s0-s0:c0.c1023
Contexte cible                system_u:object_r:usr_t:s0
Objets du contexte            /opt/google/chrome/libnss3.so.1d [ lnk_file ]
source                        chrome
Chemin de la source           /opt/google/chrome/chrome
Port                          <Inconnu>
Hôte                         BubbleWork.BubbleNet
Paquetages RPM source         google-chrome-unstable-5.0.371.0-43900
Paquetages RPM cible          
Politique RPM                 selinux-policy-3.6.32-108.fc12
Selinux activé               True
Type de politique             targeted
Mode strict                   Enforcing
Nom du plugin                 catchall
Nom de l'hôte                BubbleWork.BubbleNet
Plateforme                    Linux BubbleWork.BubbleNet
                              2.6.32.11-99.fc12.x86_64 #1 SMP Mon Apr 5 19:59:38
                              UTC 2010 x86_64 x86_64
Compteur d'alertes            2
Première alerte              lun 12 avr 2010 09:35:31 EDT
Dernière alerte              lun 12 avr 2010 09:38:10 EDT
ID local                      6d039fab-a92c-4aca-91a8-e7d60a572c48
Numéros des lignes           

Messages d'audit bruts        

node=BubbleWork.BubbleNet type=AVC msg=audit(1271079490.798:31590): avc:  denied  { read } for  pid=3017 comm="chrome" name="libnss3.so.1d" dev=dm-2 ino=4325800 scontext=staff_u:staff_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file

node=BubbleWork.BubbleNet type=SYSCALL msg=audit(1271079490.798:31590): arch=c000003e syscall=2 success=yes exit=4 a0=7fffc84234c0 a1=0 a2=0 a3=6ffffdff items=0 ppid=0 pid=3017 auid=500 uid=500 gid=501 euid=500 suid=500 fsuid=500 egid=501 sgid=501 fsgid=501 tty=(none) ses=1 comm="chrome" exe="/opt/google/chrome/chrome" subj=staff_u:staff_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

2)



Résumé:

SELinux is preventing /opt/google/chrome/chrome "read" access on
/opt/google/chrome/chrome.pak.

Description détaillée:

[chrome a un type permissif (chrome_sandbox_t). Cet accès n'a pas été
refusé.]

SELinux denied access requested by chrome. It is not expected that this access
is required by chrome and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Autoriser l'accès:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Informations complémentaires:

Contexte source               staff_u:staff_r:chrome_sandbox_t:s0-s0:c0.c1023
Contexte cible                system_u:object_r:usr_t:s0
Objets du contexte            /opt/google/chrome/chrome.pak [ file ]
source                        chrome
Chemin de la source           /opt/google/chrome/chrome
Port                          <Inconnu>
Hôte                         BubbleWork.BubbleNet
Paquetages RPM source         google-chrome-unstable-5.0.371.0-43900
Paquetages RPM cible          google-chrome-unstable-5.0.371.0-43900
Politique RPM                 selinux-policy-3.6.32-108.fc12
Selinux activé               True
Type de politique             targeted
Mode strict                   Enforcing
Nom du plugin                 catchall
Nom de l'hôte                BubbleWork.BubbleNet
Plateforme                    Linux BubbleWork.BubbleNet
                              2.6.32.11-99.fc12.x86_64 #1 SMP Mon Apr 5 19:59:38
                              UTC 2010 x86_64 x86_64
Compteur d'alertes            4
Première alerte              lun 12 avr 2010 09:35:31 EDT
Dernière alerte              lun 12 avr 2010 09:38:10 EDT
ID local                      884bddd8-8fa6-4752-8518-bf669035fa2f
Numéros des lignes           

Messages d'audit bruts        

node=BubbleWork.BubbleNet type=AVC msg=audit(1271079490.807:31591): avc:  denied  { read } for  pid=3017 comm="chrome" name="chrome.pak" dev=dm-2 ino=4325396 scontext=staff_u:staff_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file

node=BubbleWork.BubbleNet type=AVC msg=audit(1271079490.807:31591): avc:  denied  { open } for  pid=3017 comm="chrome" name="chrome.pak" dev=dm-2 ino=4325396 scontext=staff_u:staff_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file

node=BubbleWork.BubbleNet type=SYSCALL msg=audit(1271079490.807:31591): arch=c000003e syscall=2 success=yes exit=68719476864 a0=3597c58 a1=0 a2=180 a3=4 items=0 ppid=0 pid=3017 auid=500 uid=500 gid=501 euid=500 suid=500 fsuid=500 egid=501 sgid=501 fsgid=501 tty=(none) ses=1 comm="chrome" exe="/opt/google/chrome/chrome" subj=staff_u:staff_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

3)



Résumé:

SELinux is preventing /opt/google/chrome/chrome "getattr" access on
/opt/google/chrome/chrome.pak.

Description détaillée:

[chrome a un type permissif (chrome_sandbox_t). Cet accès n'a pas été
refusé.]

SELinux denied access requested by chrome. It is not expected that this access
is required by chrome and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Autoriser l'accès:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Informations complémentaires:

Contexte source               staff_u:staff_r:chrome_sandbox_t:s0-s0:c0.c1023
Contexte cible                system_u:object_r:usr_t:s0
Objets du contexte            /opt/google/chrome/chrome.pak [ file ]
source                        chrome
Chemin de la source           /opt/google/chrome/chrome
Port                          <Inconnu>
Hôte                         BubbleWork.BubbleNet
Paquetages RPM source         google-chrome-unstable-5.0.371.0-43900
Paquetages RPM cible          google-chrome-unstable-5.0.371.0-43900
Politique RPM                 selinux-policy-3.6.32-108.fc12
Selinux activé               True
Type de politique             targeted
Mode strict                   Enforcing
Nom du plugin                 catchall
Nom de l'hôte                BubbleWork.BubbleNet
Plateforme                    Linux BubbleWork.BubbleNet
                              2.6.32.11-99.fc12.x86_64 #1 SMP Mon Apr 5 19:59:38
                              UTC 2010 x86_64 x86_64
Compteur d'alertes            2
Première alerte              lun 12 avr 2010 09:35:31 EDT
Dernière alerte              lun 12 avr 2010 09:38:10 EDT
ID local                      391ef64c-f211-4e9c-8fbf-da518b6a9de8
Numéros des lignes           

Messages d'audit bruts        

node=BubbleWork.BubbleNet type=AVC msg=audit(1271079490.807:31592): avc:  denied  { getattr } for  pid=3017 comm="chrome" path="/opt/google/chrome/chrome.pak" dev=dm-2 ino=4325396 scontext=staff_u:staff_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file

node=BubbleWork.BubbleNet type=SYSCALL msg=audit(1271079490.807:31592): arch=c000003e syscall=5 success=yes exit=68719476864 a0=9 a1=7fffc84224f0 a2=7fffc84224f0 a3=7fffc8421fa0 items=0 ppid=0 pid=3017 auid=500 uid=500 gid=501 euid=500 suid=500 fsuid=500 egid=501 sgid=501 fsgid=501 tty=(none) ses=1 comm="chrome" exe="/opt/google/chrome/chrome" subj=staff_u:staff_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Comment 1 Miroslav Grepl 2010-04-12 16:26:14 UTC

*** This bug has been marked as a duplicate of bug 581457 ***

Comment 2 Carl G. 2010-04-12 20:34:44 UTC
Er, sorry for the dupe... I missed 581457...

