Bug 866107 - SELinux is preventing /usr/lib64/chromium-browser/nacl_helper_bootstrap from 'search' accesses on the directory 3.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: x86_64 Unspecified
Priority: unspecified, Severity: unspecified
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
abrt_hash:b977b2ba2d25d4e4b5aaf871525...
Reported: 2012-10-13 22:29 EDT by sangu
Modified: 2012-12-20 11:22 EST
Doc Type: Bug Fix
Last Closed: 2012-12-20 11:21:58 EST

Attachments
File: type (9 bytes, text/plain), 2012-10-13 22:29 EDT, sangu
File: hashmarkername (14 bytes, text/plain), 2012-10-13 22:29 EDT, sangu

Description sangu 2012-10-13 22:29:18 EDT
Description of problem:
Open chromium (version 21.0.1180.89-1.fc18.x86_64)

Additional info:
libreport version: 2.0.16
kernel:         3.6.1-1.fc18.x86_64
Comment 1 sangu 2012-10-13 22:29:20 EDT
Created attachment 626731
File: type
Comment 2 sangu 2012-10-13 22:29:22 EDT
Created attachment 626732
File: hashmarkername
Comment 3 sangu 2012-10-13 22:33:43 EDT
Strange setroubleshoot report.



SELinux is preventing /usr/lib64/chromium-browser/nacl_helper_bootstrap from search access on the directory 3.

*****  Plugin catchall (100. confidence) suggests  ***************************

If nacl_helper_bootstrap는 디폴트로 3 directory에서 search 액세스를 허용해야 합니다. 
Then 이 버그를 보고해야 합니다. 
이러한 액세스를 허용하기 위해 로컬 정채 모듈을 생성할 수 있습니다. 
Do
지금 이 액세스를 허용하려면 다음을 실행합니다: 
# grep nacl_helper_boo /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:chrome_sandbox_nacl_t:s0
                              -s0:c0.c1023
Target Context                system_u:system_r:kernel_t:s0
Target Objects                3 [ dir ]
Source                        nacl_helper_boo
Source Path                   /usr/lib64/chromium-browser/nacl_helper_bootstrap
Port                          <알려지지 않음>
Host                          localhost.localdomain
Source RPM Packages           chromium-21.0.1180.89-1.fc18.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-36.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.6.1-1.fc18.x86_64 #1
                              SMP Mon Oct 8 17:19:09 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    2012-10-14 11:25:27 KST
Last Seen                     2012-10-14 11:25:27 KST
Local ID                      c32fe45a-5488-4e1d-8b2c-3c37b2ede102

Raw Audit Messages
type=AVC msg=audit(1350181527.419:212): avc:  denied  { search } for  pid=2953 comm="nacl_helper_boo" name="3" dev="proc" ino=14581 scontext=unconfined_u:unconfined_r:chrome_sandbox_nacl_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=dir


type=SYSCALL msg=audit(1350181527.419:212): arch=x86_64 syscall=readlink success=no exit=EACCES a0=7fff65f527c0 a1=7fff65f517c0 a2=1000 a3=7fff65f51550 items=0 ppid=1 pid=2953 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4 comm=nacl_helper_boo exe=/usr/lib64/chromium-browser/nacl_helper_bootstrap subj=unconfined_u:unconfined_r:chrome_sandbox_nacl_t:s0-s0:c0.c1023 key=(null)

Hash: nacl_helper_boo,chrome_sandbox_nacl_t,kernel_t,dir,search

audit2allow

#============= chrome_sandbox_nacl_t ==============
allow chrome_sandbox_nacl_t kernel_t:dir search;

audit2allow -R

#============= chrome_sandbox_nacl_t ==============
allow chrome_sandbox_nacl_t kernel_t:dir search;
Comment 4 Daniel Walsh 2012-10-15 10:28:52 EDT
Did anything actually break or did you just see the AVC reported?
Comment 5 Daniel Walsh 2012-10-15 10:37:09 EDT
I just added this to F18.
Comment 6 Fedora Update System 2012-10-23 16:34:29 EDT
selinux-policy-3.11.1-43.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-43.fc18
Comment 7 Fedora Update System 2012-10-26 11:37:26 EDT
selinux-policy-3.11.1-46.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-46.fc18
Comment 8 Fedora Update System 2012-10-26 15:26:48 EDT
Package selinux-policy-3.11.1-46.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-46.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-16862/selinux-policy-3.11.1-46.fc18
then log in and leave karma (feedback).
Comment 9 Fedora Update System 2012-12-20 11:22:00 EST
selinux-policy-3.11.1-46.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
