Bug 671314 - SELinux is preventing /opt/google/chrome/chrome-sandbox from 'getattr' accesses on the filesystem /tmp.
Summary: SELinux is preventing /opt/google/chrome/chrome-sandbox from 'getattr' access...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 14
Hardware: i386
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:d8449d7a14a...
Depends On:
Blocks:
 
Reported: 2011-01-21 06:00 UTC by box963
Modified: 2011-03-03 17:01 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-03-03 17:01:16 UTC
Type: ---


Description box963 2011-01-21 06:00:42 UTC
SELinux is preventing /opt/google/chrome/chrome-sandbox from 'getattr' accesses on the filesystem /tmp.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that chrome-sandbox should be allowed getattr access on the tmp filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep chrome-sandbox /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
Target Context                system_u:object_r:tmp_t:s0
Target Objects                /tmp [ filesystem ]
Source                        chrome-sandbox
Source Path                   /opt/google/chrome/chrome-sandbox
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           google-chrome-stable-8.0.552.237-70801
Target RPM Packages           filesystem-2.4.35-1.fc14
Policy RPM                    selinux-policy-3.9.7-20.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux score 2.6.35.10-74.fc14.i686.PAE #1 SMP Thu Dec 23 16:10:47 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Thu 20 Jan 2011 11:13:21 PM CST
Last Seen                     Thu 20 Jan 2011 11:13:21 PM CST
Local ID                      2e381408-d3f6-4abc-8998-e3360f8d1d74

Raw Audit Messages
type=AVC msg=audit(1295586801.553:25961): avc:  denied  { getattr } for  pid=2919 comm="chrome-sandbox" name="/" dev=tmpfs ino=10835 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=filesystem

chrome-sandbox,chrome_sandbox_t,tmp_t,filesystem,getattr
type=SYSCALL msg=audit(1295586801.553:25961): arch=i386 syscall=statfs64 success=no exit=EACCES a0=804a118 a1=54 a2=bfd87480 a3=bfd87480 items=0 ppid=0 pid=2919 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=chrome-sandbox exe=/opt/google/chrome/chrome-sandbox subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)
chrome-sandbox,chrome_sandbox_t,tmp_t,filesystem,getattr

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t tmp_t:filesystem getattr;

Comment 1 Miroslav Grepl 2011-01-21 08:58:09 UTC
How is your /tmp mounted?

Comment 2 Daniel Walsh 2011-01-21 13:00:30 UTC
Are you mounting tmpfs on /tmp with the fscontext option?

If yes, could you change to the rootcontext option?

Comment 3 Martin Dengler 2011-03-03 14:10:42 UTC
I am seeing the same AVC denial when I have tmpfs mounted as:

# grep /tmp /etc/fstab
tmp     /tmp      tmpfs rw,mode=1777,fscontext=system_u:object_r:tmp_t:s0 0 0
vartmp  /var/tmp  tmpfs rw,mode=1777,fscontext=system_u:object_r:tmp_t:s0 0 0 

...as mentioned by some wiki page I found: http://www.fedoraguide.info/index.php?title=Main_Page#Speed_improvements_using_tmpfs_2

...in which the main relevant information is (and can be dated by) the text: "The "fscontext=system_u:object_r:tmp_t:s0" option is needed for SELinux, which is enabled by default in Fedora 11. Without it, many services will be prevented from writing to the directories."

I will change to:

tmp     /tmp      tmpfs rw,mode=1777,rootcontext=system_u:object_r:tmp_t:s0 0 0
vartmp  /var/tmp  tmpfs rw,mode=1777,rootcontext=system_u:object_r:tmp_t:s0 0 0 

...and see what happens

Comment 4 Daniel Walsh 2011-03-03 14:17:49 UTC
mount.tmpfs takes care of the labeling, so if you remove the context from fstab, the correct thing should happen.

Comment 5 Martin Dengler 2011-03-03 15:09:24 UTC
Thanks - fstab entries are now just
# grep /tmp /etc/fstab
tmp     /tmp      tmpfs rw,mode=1777 0 0
vartmp  /var/tmp  tmpfs rw,mode=1777 0 0

...and after a bit of usage I still haven't gotten any warnings, and the (presumably involved) chrome dir has these contexts:

# ls -ldZ /tmp/.com.google.chrome.9IkcGY/
drwx------. myuser mygroup unconfined_u:object_r:user_tmp_t:s0 /tmp/.com.google.chrome.deadbeef/
# ls -ldZ /tmp
drwxrwxrwt. root root system_u:object_r:tmp_t:s0       /tmp

Thanks, WORKSFORME now.
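As an added example (not code from the bug report, setroubleshoot or Fedora's tooling), the following Python shows the diagnosis this thread arrives at: it parses an AVC record like the one in the description, finds tmpfs entries in an fstab excerpt that pin the filesystem label with `fscontext=`, ties a `tclass=filesystem` denial to them by target type, and rewrites the entries the way Comment 4 suggests. All input is constructed from values quoted in this bug.

```python
import re

# Constructed sample input, modelled on the AVC record and fstab lines quoted in this bug.
AVC_LINE = (
    "type=AVC msg=audit(1295586801.553:25961): avc:  denied  { getattr } for  "
    'pid=2919 comm="chrome-sandbox" name="/" dev=tmpfs ino=10835 '
    "scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 "
    "tcontext=system_u:object_r:tmp_t:s0 tclass=filesystem"
)
FSTAB = """\
# constructed /etc/fstab excerpt
tmp     /tmp      tmpfs rw,mode=1777,fscontext=system_u:object_r:tmp_t:s0 0 0
vartmp  /var/tmp  tmpfs rw,mode=1777,fscontext=system_u:object_r:tmp_t:s0 0 0
/dev/sda1 /boot   ext4  defaults 1 2
"""

def parse_avc(line):
    # Return denied permissions, source/target SELinux types, object class and device.
    m = re.search(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$", line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2))}
    return {
        "perms": m.group(1).split(),
        "stype": fields["scontext"].split(":")[2],   # e.g. chrome_sandbox_t
        "ttype": fields["tcontext"].split(":")[2],   # e.g. tmp_t
        "tclass": fields["tclass"],
        "dev": fields.get("dev"),
    }

def tmpfs_fscontext_mounts(fstab_text):
    # (mountpoint, context) for tmpfs entries that force the superblock label via fscontext=.
    found = []
    for raw in fstab_text.splitlines():
        parts = raw.split()
        if len(parts) < 4 or parts[0].startswith("#") or parts[2] != "tmpfs":
            continue
        for opt in parts[3].split(","):
            if opt.startswith("fscontext="):
                found.append((parts[1], opt.split("=", 1)[1]))
    return found

def explain_denial(avc, mounts):
    # A filesystem-class denial whose target type equals an fscontext= type points at that mount.
    if avc is None or avc["tclass"] != "filesystem":
        return None
    return [mnt for mnt, ctx in mounts if ctx.split(":")[2] == avc["ttype"]]

def strip_fscontext(fstab_line):
    # Drop the fscontext= option so mount/tmpfs apply the default labeling (Comment 4).
    parts = fstab_line.split()
    parts[3] = ",".join(o for o in parts[3].split(",") if not o.startswith("fscontext="))
    return " ".join(parts)
```

Background for the match in `explain_denial`: `fscontext=` labels the filesystem (superblock) object itself, which is exactly the `tclass=filesystem` target that `statfs` on `/tmp` is checked against, whereas `rootcontext=` only labels the root inode of the mount.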
