Summary:

SELinux is preventing /usr/lib/chromium-browser/chrome-sandbox access to a leaked fifo_file file descriptor.

Detailed Description:

[chrome-sandbox has a permissive type (chrome_sandbox_t). This access was not denied.]

SELinux denied access requested by the chrome-sandbox command. It looks like this is either a leaked descriptor or chrome-sandbox output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the fifo_file. You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023
Target Objects                fifo_file [ fifo_file ]
Source                        chrome-sandbox
Source Path                   /usr/lib/chromium-browser/chrome-sandbox
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           chromium-5.0.372.0-0.1.20100408svn43945.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-108.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux (removed) 2.6.32.11-99.fc12.i686.PAE #1 SMP Mon Apr 5 16:15:03 EDT 2010 i686 i686
Alert Count                   2
First Seen                    Mon 12 Apr 2010 20:47:40 CEST
Last Seen                     Mon 12 Apr 2010 21:03:13 CEST
Local ID                      00d9a349-c72e-442a-abe0-a6cfe3c4fe42
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1271098993.613:30620): avc: denied { write } for pid=3389 comm="chrome-sandbox" path="pipe:[63152]" dev=pipefs ino=63152 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 tclass=fifo_file

node=(removed) type=SYSCALL msg=audit(1271098993.613:30620): arch=40000003 syscall=11 success=yes exit=0 a0=8dfc14c a1=8dc63b0 a2=8e00000 a3=8dc63b0 items=0 ppid=3387 pid=3389 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=pts1 ses=1 comm="chrome-sandbox" exe="/usr/lib/chromium-browser/chrome-sandbox" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Hash String generated from leaks,chrome-sandbox,chrome_sandbox_t,unconfined_java_t,fifo_file,write

audit2allow suggests:

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t unconfined_java_t:fifo_file write;
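Added example, not part of the original report and not setroubleshoot or audit2allow code: Python that pairs the AVC and SYSCALL records above by event serial, derives the same allow rule audit2allow suggests, and checks for the pattern of an inherited descriptor (a pipe denial raised at a successful execve). The function names and the triage heuristic are assumptions made for illustration.

```python
import re

# The two audit records from the report above; they share event serial 30620.
RAW = '''node=(removed) type=AVC msg=audit(1271098993.613:30620): avc: denied { write } for pid=3389 comm="chrome-sandbox" path="pipe:[63152]" dev=pipefs ino=63152 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 tclass=fifo_file
node=(removed) type=SYSCALL msg=audit(1271098993.613:30620): arch=40000003 syscall=11 success=yes exit=0 a0=8dfc14c a1=8dc63b0 a2=8e00000 a3=8dc63b0 items=0 ppid=3387 pid=3389 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=pts1 ses=1 comm="chrome-sandbox" exe="/usr/lib/chromium-browser/chrome-sandbox" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)
'''

EVENT_RE = re.compile(r'type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):\s*(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')

def parse_events(text):
    """Group audit records by event serial: {serial: {record_type: fields}}."""
    events = {}
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        rtype, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        if rtype == 'AVC':
            perms = PERM_RE.search(body)
            fields['perms'] = perms.group(1).split() if perms else []
        events.setdefault(serial, {})[rtype] = fields
    return events

def setype(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(':')[2]

def triage(event):
    """Summarise one event that contains an AVC record (hypothetical helper)."""
    avc, sc = event['AVC'], event.get('SYSCALL', {})
    perms = avc['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return {
        'rule': f"allow {setype(avc['scontext'])} {setype(avc['tcontext'])}:{avc['tclass']} {perm_str};",
        'exe': sc.get('exe'),
        # arch 40000003 is i386, where syscall 11 is execve: a pipe denial here is an inherited fd
        'inherited_pipe': avc.get('dev') == 'pipefs' and sc.get('success') == 'yes'
                          and (sc.get('arch'), sc.get('syscall')) == ('40000003', '11'),
        # uid != euid in the SYSCALL record: the binary ran setuid
        'setuid_exec': sc.get('uid') != sc.get('euid'),
    }

if __name__ == '__main__':
    for serial, ev in parse_events(RAW).items():
        print(serial, triage(ev) if 'AVC' in ev else 'no AVC record')
```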
This is allowed in F13. Might be fixed if you move to a new selinux-policy.

yum update selinux-policy-targeted --enablerepo=updates-testing
Many thanks for the tips
Fixed in selinux-policy-3.6.32-114.fc12
selinux-policy-3.6.32-114.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-114.fc12
selinux-policy-3.6.32-114.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-114.fc12
selinux-policy-3.6.32-114.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.