Bug 800870 - SELinux is preventing /opt/google/chrome/chrome-sandbox from sys_ptrace access on the None .
SELinux is preventing /opt/google/chrome/chrome-sandbox from sys_ptrace acces...
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Ben Levenson
Depends On:
  Show dependency treegraph
Reported: 2012-03-07 07:29 EST by Stef Walter
Modified: 2012-03-08 02:02 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2012-03-07 14:00:53 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Stef Walter 2012-03-07 07:29:57 EST
SELinux is preventing /opt/google/chrome/chrome-sandbox from sys_ptrace access on the None .

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that chrome-sandbox should be allowed sys_ptrace access on the  <Unknown> by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# grep chrome-sandbox /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
Target Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
Target Objects                 [ None ]
Source                        chrome-sandbox
Source Path                   /opt/google/chrome/chrome-sandbox
Port                          <Unknown>
Host                          stef-desktop.thewalter.lan
Source RPM Packages           google-chrome-stable-17.0.963.66-124982.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-89.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     stef-desktop.thewalter.lan
Platform                      Linux stef-desktop.thewalter.lan
                              3.3.0-0.rc3.git7.2.fc17.x86_64 #1 SMP Fri Feb 17
                              18:55:53 UTC 2012 x86_64 x86_64
Alert Count                   112
First Seen                    2012-03-07T07:20:46 CET
Last Seen                     2012-03-07T13:28:05 CET
Local ID                      693bdc05-1852-41b6-abf1-ac5df78890d7

Raw Audit Messages
type=AVC msg=audit(1331123285.496:575): avc:  denied  { sys_ptrace } for  pid=14013 comm="chrome-sandbox" capability=19  scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tclass=capabilitynode=stef-desktop.thewalter.lan type=SYSCALL msg=audit(1331123285.496:575): arch=c000003e syscall=89 success=no exit=-13 a0=7fff9d25c930 a1=7fff9d25c830 a2=ff a3=4022dc items=0 ppid=14001 pid=14013 auid=1000 uid=1000 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100 tty=(none) ses=9 comm="chrome-sandbox" exe="/opt/google/chrome/chrome-sandbox" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Hash: chrome-sandbox,chrome_sandbox_t,chrome_sandbox_t,None,sys_ptrace


audit2allow -R
Comment 1 Daniel Walsh 2012-03-07 14:00:53 EST
yum update
Comment 2 Stef Walter 2012-03-08 02:02:43 EST

Note You need to log in before you can comment on or make changes to this bug.