Bug 790980 - Google Chrome has problems with SELinux rules when home directory is in NFS
Summary: Google Chrome has problems with SELinux rules when home directory is in NFS
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.2
Hardware: All
OS: Linux
unspecified
low
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-02-15 21:05 UTC by Jonathan Billings
Modified: 2012-10-10 09:10 UTC (History)
2 users (show)

Fixed In Version: selinux-policy-3.7.19-137.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-06-20 12:31:27 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2012:0780 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2012-06-19 20:34:59 UTC

Description Jonathan Billings 2012-02-15 21:05:27 UTC 
Description of problem:

My Home directory is in AFS, but this also occurs with NFS home directories.  Both are labled as nfs_t mountpoints.

I'm using the latest stable release of google-chrome, and when I visit my Google Calendar page (https://www.google.com/calendar/) after signing in, it first starts to render then I get the 'Aw snap' internal error page.  If I set SELinux to permissive, it works, but I didn't see any logs in the audit log.  If I temporary remove dontaudits with 'semodule -DB', I see this in the audit log:

type=AVC msg=audit(1329336848.285:127497): avc:  denied  { write } for  pid=5347 comm="chrome" path="/afs/umich.edu/user/j/s/jsbillin/.config/google-chrome/Default/databases/https_www.google.com_0/1" dev=afs ino=665341522 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file

When I create and load a policy module that allows:

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t nfs_t:file write;

... google does not get an 'Aw snap' error page when I visit the Google Calendar page.


Version-Release number of selected component (if applicable):
google-chrome-stable-17.0.963.46-119351.x86_64
selinux-policy-3.7.19-126.el6_2.6.noarch

How reproducible:
Always

Steps to Reproduce:
1. Have a NFS or AFS home directory
2. Install google chrome
3. Go to https://www.google.com/calendar/ in chrome, sign in with google account.
  
Actual results:
The chrome 'Aw snap' error page

Expected results:
A working web session.

Additional info:
This problem doesn't occur in Fedora 16.  I spoke with Dan Walsh in the #fedora-selinux IRC channel, and he indicated that it was part of the selinux-policy in recent Fedora releases as part of the use_nfs_home_dirs SEboolean, but it wasn't in RHEL6.2.

Comparing the output of "sesearch -A -C |grep use_nfs_home_dirs |grep chrome", I can see that RHEL6.2 has

ET allow chrome_sandbox_t nfs_t : file { ioctl read getattr lock } ; [ use_nfs_home_dirs ]

while Fedora 16 has:

ET allow chrome_sandbox_t nfs_t : file { ioctl read write getattr lock append execute execute_no_trans open } ; [ use_nfs_home_dirs ]
Comment 2 Miroslav Grepl 2012-02-16 09:44:22 UTC 
Fixed in selinux-policy-3.7.19-137.el6
Comment 8 errata-xmlrpc 2012-06-20 12:31:27 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0780.html
Note You need to log in before you can comment on or make changes to this bug.