800870 – SELinux is preventing /opt/google/chrome/chrome-sandbox from sys_ptrace access on the None .

Bug 800870 - SELinux is preventing /opt/google/chrome/chrome-sandbox from sys_ptrace access on the None .

Summary: SELinux is preventing /opt/google/chrome/chrome-sandbox from sys_ptrace acces...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy-targeted
Sub Component:
Version:	17
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Ben Levenson
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2012-03-07 12:29 UTC by Stef Walter
Modified:	2012-03-08 07:02 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2012-03-07 19:00:53 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Stef Walter 2012-03-07 12:29:57 UTC

SELinux is preventing /opt/google/chrome/chrome-sandbox from sys_ptrace access on the None .

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that chrome-sandbox should be allowed sys_ptrace access on the  <Unknown> by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep chrome-sandbox /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
                              0.c1023
Target Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
                              0.c1023
Target Objects                 [ None ]
Source                        chrome-sandbox
Source Path                   /opt/google/chrome/chrome-sandbox
Port                          <Unknown>
Host                          stef-desktop.thewalter.lan
Source RPM Packages           google-chrome-stable-17.0.963.66-124982.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-89.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     stef-desktop.thewalter.lan
Platform                      Linux stef-desktop.thewalter.lan
                              3.3.0-0.rc3.git7.2.fc17.x86_64 #1 SMP Fri Feb 17
                              18:55:53 UTC 2012 x86_64 x86_64
Alert Count                   112
First Seen                    2012-03-07T07:20:46 CET
Last Seen                     2012-03-07T13:28:05 CET
Local ID                      693bdc05-1852-41b6-abf1-ac5df78890d7

Raw Audit Messages
type=AVC msg=audit(1331123285.496:575): avc:  denied  { sys_ptrace } for  pid=14013 comm="chrome-sandbox" capability=19  scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tclass=capabilitynode=stef-desktop.thewalter.lan type=SYSCALL msg=audit(1331123285.496:575): arch=c000003e syscall=89 success=no exit=-13 a0=7fff9d25c930 a1=7fff9d25c830 a2=ff a3=4022dc items=0 ppid=14001 pid=14013 auid=1000 uid=1000 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100 tty=(none) ses=9 comm="chrome-sandbox" exe="/opt/google/chrome/chrome-sandbox" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)


Hash: chrome-sandbox,chrome_sandbox_t,chrome_sandbox_t,None,sys_ptrace

audit2allow


audit2allow -R

Comment 1 Daniel Walsh 2012-03-07 19:00:53 UTC

yum update

Comment 2 Stef Walter 2012-03-08 07:02:43 UTC

Thanks!

Note You need to log in before you can comment on or make changes to this bug.