Bug 589885 - SELinux is preventing /opt/google/chrome/chrome-sandbox toegang to a leaked /dev/null files descriptor
SELinux is preventing /opt/google/chrome/chrome-sandbox toegang to a leaked /...
Status: CLOSED WORKSFORME
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
13
i386 Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
setroubleshoot_trace_hash:185770ef133...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-05-07 04:03 EDT by Cesko Voeten
Modified: 2010-05-08 08:31 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-05-08 08:31:52 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Cesko Voeten 2010-05-07 04:03:23 EDT
Samenvatting:

SELinux belet /opt/google/chrome/chrome-sandbox toegang tot een gelekte
/dev/null bestands beschrijving.

Gedetailleerde omschrijving:

[chrome-sandbox heeft een toelatend type (chrome_sandbox_t). Deze toegang was
niet verboden.]

SELinux belet toegang gevraagd door het chrome-sandbox commando. Het lijkt erop
dat dit, of een lekkende beschrijving is, of chrome-sandbox output was omgeleid
naar een bestand waartoe toegang niet toegestaan is. Lekken kunnen gewoonlijk
genegeerd worden omdat SELinux de lek sluit en de fout rapporteert. De
toepassing gebruikt de beschrijving niet, dus het draait correct. Als dit een
omleiding is, zul je geen output in /dev/null krijgen. Je moet een bugzilla voor
selinux-policy aanmaken, en dit wordt doorgegeven van het betreffende pakket. Je
kunt deze avc veilig negeren.

Teogang toestaan:

Je kunt een locale gedragslijn module maken om deze toegang toe te staan - zie
FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additionele informatie:

Bron context                  unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
                              0.c1023
Doel context                  unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0
                              :c0.c1023
Doel objecten                 /dev/null [ fd ]
Bron                          chrome-sandbox
Bron pad                      /opt/google/chrome/chrome-sandbox
Poort                         <Onbekend>
Host                          (verwijderd)
Bron RPM pakketten            google-chrome-beta-5.0.375.29-46008
Doel RPM pakketten            
Gedragslijn RPM               selinux-policy-3.7.19-10.fc13
SELinux aangezet              True
Gedragslijn type              targeted
Enforcing modus               Enforcing
Pluginnaam                    leaks
Hostnaam                      (verwijderd)
Platform                      Linux (verwijderd) 2.6.33.3-79.fc13.i686 #1 SMP
                              Mon May 3 23:13:40 UTC 2010 i686 i686
Aantal waarschuwingen         4
Eerst gezien op               do 06 mei 2010 15:45:19 CEST
Laatst gezien op              do 06 mei 2010 15:45:57 CEST
Locale ID                     2a7f33bc-a4e5-4d87-b0bc-4b788c7438dd
Regelnummers                  

Onbewerkte audit boodschappen 

node=(verwijderd) type=AVC msg=audit(1273153557.323:60): avc:  denied  { use } for  pid=4352 comm="chrome-sandbox" path="/dev/null" dev=devtmpfs ino=3918 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 tclass=fd

node=(verwijderd) type=AVC msg=audit(1273153557.323:60): avc:  denied  { use } for  pid=4352 comm="chrome-sandbox" path="/dev/null" dev=devtmpfs ino=3918 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 tclass=fd

node=(verwijderd) type=SYSCALL msg=audit(1273153557.323:60): arch=40000003 syscall=11 success=yes exit=0 a0=bd6da1c a1=bd6daa0 a2=bd6db08 a3=bd6daa0 items=0 ppid=4345 pid=4352 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="chrome-sandbox" exe="/opt/google/chrome/chrome-sandbox" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  leaks,chrome-sandbox,chrome_sandbox_t,unconfined_dbusd_t,fd,use
audit2allow suggests:

#============= chrome_sandbox_t ==============
#!!!! This avc can be allowed using the boolean 'allow_domain_fd_use'

allow chrome_sandbox_t unconfined_dbusd_t:fd use;
Comment 1 Cesko Voeten 2010-05-07 04:13:34 EDT
OK, I don't know why this is in Dutch, but I'll attempt to translate:

Summary:

SELinux is preventing /opt/google/chrome/chrome-sandbox access to a leaked
/dev/null files descriptor.

Detailed description:

[chrome-sandbox has an allowing type (chrome_sandbox_t). This access was not denied.]

SELinux is preventing access requested by the chrome-sandbox command. It looks like this, either is a leaking description (should that be: descriptor?), or chrome-sandbox output was rerouted to a file to which access is not allowed. Leaks can usually be ignored since SELinux closes the leak and reports the error. The application does not use the description, so it is running correctly. If this is a rerouting, you will not obtain output in /dev/null. You must create a bugzilla for selinux-policy, and this will be put through of the package in question (I don't understand that sentence in either Dutch or English). You can safely ignore this avc.

Allowing access: (that should be spelled "toegang" by the way, not "teogang")

You can make a local behaviour-line module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional information:

Source of context            
unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
                              0.c1023
Target of context                 
unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0
                              :c0.c1023
Source of objects             /dev/null [ fd ]
Source                        chrome-sandbox
Path of source                /opt/google/chrome/chrome-sandbox
Port                          <Unknowo>
Host                          (removed)
Source of RPM packages        google-chrome-beta-5.0.375.29-46008
Target RPM packages
Behaviour-line RPM            selinux-policy-3.7.19-10.fc13
SELinux enabled               True
Behavioural-line type         targeted
Enforcing mode                Enforcing
Plugin-name                   leaks
Hostname                      (removed)
Platform                      Linux (removed) 2.6.33.3-79.fc13.i686 #1 SMP
                              Mon May 3 23:13:40 UTC 2010 i686 i686
Number of warnings            4
First seen on                 do 06 mei 2010 15:45:19 CEST
Last seen on                  do 06 mei 2010 15:45:57 CEST
Locale ID                     2a7f33bc-a4e5-4d87-b0bc-4b788c7438dd
Line-numbers                  

Unedited audit's messages

node=(verwijderd) type=AVC msg=audit(1273153557.323:60): avc:  denied  { use }
for  pid=4352 comm="chrome-sandbox" path="/dev/null" dev=devtmpfs ino=3918
scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 tclass=fd

node=(verwijderd) type=AVC msg=audit(1273153557.323:60): avc:  denied  { use }
for  pid=4352 comm="chrome-sandbox" path="/dev/null" dev=devtmpfs ino=3918
scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 tclass=fd

node=(verwijderd) type=SYSCALL msg=audit(1273153557.323:60): arch=40000003
syscall=11 success=yes exit=0 a0=bd6da1c a1=bd6daa0 a2=bd6db08 a3=bd6daa0
items=0 ppid=4345 pid=4352 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0
egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="chrome-sandbox"
exe="/opt/google/chrome/chrome-sandbox"
subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)



Hash String generated from 
leaks,chrome-sandbox,chrome_sandbox_t,unconfined_dbusd_t,fd,use
audit2allow suggests:

#============= chrome_sandbox_t ==============
#!!!! This avc can be allowed using the boolean 'allow_domain_fd_use'

allow chrome_sandbox_t unconfined_dbusd_t:fd use;  

The application in question is Google Chrome, it is unfortunately closed source. If that means you can't help me I understand, of course.
Comment 2 Daniel Walsh 2010-05-07 08:56:11 EDT
cvoeten,  I only look at the avc data at the bottom.  I don't care about the translation.    But thanks anyways.

The questions is how did you get this to happen.  Do you have chrome running as a dbus session service?  It can be ignored, but it is very strange that you would have a leaked file descriptor from dbus to chrome.
Comment 3 Cesko Voeten 2010-05-08 08:31:52 EDT
The bug used to occur whenever I would start Chrome. But since today's SELinux policy update, it, for some reason, no longer does. So I guess this bug report can be closed.

As for what happened, I don't know much about Chrome's internals, but I know that it sandboxes every browser tab, and it may very well be that those sandboxed tabs communicate with the renderer over dbus.

I'll close this bug now as the issue seems to have resolved. Sorry to have wasted your time.

Note You need to log in before you can comment on or make changes to this bug.