Description of problem:
I have this in my SELinux audit logs:

type=AVC msg=audit(1297435306.238:20321): avc: denied { read } for pid=22631 comm="chrome" name="clhep" dev=sda5 ino=8195388 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1297435306.238:20321): arch=c000003e syscall=2 success=no exit=-2 a0=7fffb3534570 a1=0 a2=0 a3=2f7065686c632f70 items=0 ppid=0 pid=22631 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=7 comm="chrome" exe="/opt/google/chrome/chrome" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

It seems that it tries to access my high energy physics library (CLHEP) location... the question is WHY?

Version-Release number of selected component (if applicable):
google-chrome-stable-9.0.597.94-73967.x86_64

How reproducible:
I imagine that having an installed CLHEP library, having the main export variables ($CLHEP_BASE_DIR $CLHEP_INCLUDE_DIR $CLHEP_LIB $CLHEP_LIB_DIR) point to a symlink that points to a version of CLHEP, and running chrome will give the same audit results.

Steps to Reproduce:
1.
2.
3.
Actual results:
"SELinux is preventing /opt/google/chrome/chrome from read access on the lnk_file /home/physics-tools/clhep/clhep"

Expected results:
NOT this access

Additional info:
Source Context          unconfined_u:unconfined_r:chrome_sandbox_t:SystemLow-SystemHigh
Target Context          unconfined_u:object_r:user_home_t:SystemLow
Target Objects          /home/physics-tools/clhep/clhep [ lnk_file ]
Source                  chrome
Source Path             /opt/google/chrome/chrome
Source RPM Packages     google-chrome-stable-9.0.597.94-73967
Target RPM Packages
Policy RPM              selinux-policy-3.9.7-29.fc14
Selinux Enabled         True
Policy Type             targeted
Enforcing Mode          Permissive

adrian@sev: ~ $ echo $CLHEP_BASE_DIR
/home/physics-tools/clhep/clhep
adrian@sev: ~ $ stat /home/physics-tools/clhep/clhep
  File: `/home/physics-tools/clhep/clhep' -> `/home/physics-tools/clhep/2.1.0.0'
  Size: 33              Blocks: 2          IO Block: 1024   symbolic link
Device: 805h/2053d      Inode: 8195388     Links: 1
Access: (0777/lrwxrwxrwx)  Uid: (  500/  adrian)   Gid: (  500/  adrian)
Access: 2010-11-02 15:10:40.000000000 +0200
Modify: 2010-11-02 15:10:40.000000000 +0200
Change: 2010-11-02 15:10:40.000000000 +0200
adrian@sev: ~ $ ls -lZ /home/physics-tools/clhep/clhep
lrwxrwxrwx. adrian adrian unconfined_u:object_r:user_home_t:SystemLow /home/physics-tools/clhep/clhep -> /home/physics-tools/clhep/2.1.0.0/
Did you start chrome while sitting in this directory? Were you looking at content in this directory with chrome? chrome and firefox, for that matter, leak lots of open file descriptors, so this could be a leak from chrome to the sandbox, but I seldom if ever have seen a leak of a link file descriptor.
Nope, negative on both questions ... I start chrome from the menu and I have no idea what working directory the applications started this way have ... and none of the terminals used had been in that directory .. it is happening regardless of the state (logout from kde, login again, start chrome and watch as the AVC selinux message appears telling me about what happened)
What does printenv | grep clhep show?
Also anything in .bashrc or .bash_profile?
(In reply to comment #4)
> Also anything in .bashrc or .bash_profile?

Well, of course it shows a lot! clhep has the bin and libs directories in PATH and in LD_LIBRARY_PATH.

.bashrc script for clhep:

adrian@sev: ~ $ cat /home/physics-tools/env/clhep_scr
##
## CLHEP
##
##
export CLHEP_BASE_DIR=${tools}/clhep/clhep
export CLHEP_INCLUDE_DIR=${CLHEP_BASE_DIR}/include
export CLHEP_LIB_DIR=${CLHEP_BASE_DIR}/lib
export PATH=$PATH:${CLHEP_BASE_DIR}/bin
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:${CLHEP_LIB_DIR}
export C_INCLUDE_PATH=$C_INCLUDE_PATH:${CLHEP_INCLUDE_DIR}
export CPLUS_INCLUDE_PATH=$CPLUS_INCLUDE_PATH:${CLHEP_INCLUDE_DIR}

But what is the connection with chrome???

Just for reference, I will put the relevant printenv output here:

adrian@sev: ~ $ printenv | grep clhep
CLHEP_LIB_DIR=/home/physics-tools/clhep/clhep/lib
CPLUS_INCLUDE_PATH=/home/physics-tools/PYTHIA8/include::/home/physics-tools/clhep/clhep/include:/home/physics-tools/geant4/include/:/home/physics-tools/root/root/include:/home/physics-tools/alice/aliroot/include
LD_LIBRARY_PATH=/home/physics-tools/PYTHIA8/lib:/lib:/usr/lib:/usr/local/lib:/usr/X11R6/lib:/lib:/usr/lib:/usr/local/lib:/usr/X11R6/lib:/usr/java/default/jre/lib:/usr/lib64/qt-3.3/lib:/home/adrian/ahome/lib:/home/physics-tools/clhep/clhep/lib:/home/physics-tools/geant4/lib/Linux-g++:/home/physics-tools/clhep/clhep/lib:/lib:/home/physics-tools/geant4/lib/Linux-g++:/home/physics-tools/alien/api/lib:/home/physics-tools/alien/globus/lib:/home/physics-tools/root/root/lib:/home/physics-tools/alice/aliroot/lib/tgt_linuxx8664gcc:/home/physics-tools/alice/geant3/lib/tgt_linuxx8664gcc
PATH=/home/physics-tools/PYTHIA8/bin:/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin:/usr/X11R6/bin:/usr/java/default/jre/bin:/usr/lib64/qt-3.3/bin:.:/home/adrian/ahome/bin:/home/physics-tools/clhep/clhep/bin:/home/adrian/geant4/bin/Linux-g++:/home/physics-tools/alien/api/bin:/home/physics-tools/alien/globus/bin:/home/physics-tools/root/root/bin:/bin:/home/physics-tools/alice/aliroot/bin/tgt_linuxx8664gcc
C_INCLUDE_PATH=/home/physics-tools/PYTHIA8/include::/home/physics-tools/clhep/clhep/include:/home/physics-tools/geant4/include/:/home/physics-tools/root/root/include:/home/physics-tools/alice/aliroot/include
CLHEP_BASE_DIR=/home/physics-tools/clhep/clhep
CLHEP_INCLUDE_DIR=/home/physics-tools/clhep/clhep/include

Thanks for looking into it!
Adrian
If it is in your LD_LIBRARY_PATH, then the dynamic linker will try to search it when starting up any dynamically linked executable, including chrome. Just dontaudit it.
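As an added example (not from the bug thread or from any of its participants), a small Python script that turns the AVC record quoted in the report into the dontaudit rule suggested above, wrapped in loadable-module source in the form audit2allow -D -M would emit; the module name local_chrome_clhep is an assumption.

```python
import re

# Constructed sample input: the AVC record quoted in the bug report.
AVC_LINE = ('type=AVC msg=audit(1297435306.238:20321): avc: denied { read } for pid=22631 '
            'comm="chrome" name="clhep" dev=sda5 ino=8195388 '
            'scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 '
            'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file')

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')


def parse_avc(line):
    """Pull the fields a policy rule needs out of one AVC audit record."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError('not an AVC record: %r' % line)
    avc = m.groupdict()
    avc['perms'] = avc['perms'].split()
    # A security context is user:role:type[:range]; the type is the third field.
    avc['stype'] = avc['scontext'].split(':')[2]
    avc['ttype'] = avc['tcontext'].split(':')[2]
    return avc


def te_rule(avc, kind='dontaudit'):
    """Render one Type Enforcement rule.  'dontaudit' only silences the AVC message
    and grants nothing; 'allow' would grant the access, which an accidental loader
    lookup of a symlink in the home directory does not need."""
    if kind not in ('allow', 'dontaudit'):
        raise ValueError('unknown rule kind: %s' % kind)
    perms = ' '.join(avc['perms'])
    if len(avc['perms']) > 1:
        perms = '{ %s }' % perms
    return '%s %s %s:%s %s;' % (kind, avc['stype'], avc['ttype'], avc['tclass'], perms)


def te_module(avc, name='local_chrome_clhep', kind='dontaudit'):
    """Wrap the rule in .te module source (module name is an assumed placeholder)."""
    return ('policy_module(%s, 1.0)\n\nrequire {\n\ttype %s;\n\ttype %s;\n}\n\n%s\n'
            % (name, avc['stype'], avc['ttype'], te_rule(avc, kind)))


if __name__ == '__main__':
    print(te_module(parse_avc(AVC_LINE)))
```

Build and load the result the usual way (make -f /usr/share/selinux/devel/Makefile local_chrome_clhep.pp; semodule -i local_chrome_clhep.pp), or skip the script and run audit2allow -D -M local_chrome_clhep on the audit log, which generates the same rule.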
OK, mystery solved! I will add the proper SE policy. Thanks!!