Bug 866107 - SELinux is preventing /usr/lib64/chromium-browser/nacl_helper_bootstrap from 'search' accesses on the directory 3.
Summary: SELinux is preventing /usr/lib64/chromium-browser/nacl_helper_bootstrap from ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:b977b2ba2d25d4e4b5aaf871525...
Depends On:
Blocks:
Reported: 2012-10-14 02:29 UTC by sangu
Modified: 2012-12-20 16:22 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2012-12-20 16:21:58 UTC
Type: ---
Embargoed:


Attachments
File: type (9 bytes, text/plain)
2012-10-14 02:29 UTC, sangu
File: hashmarkername (14 bytes, text/plain)
2012-10-14 02:29 UTC, sangu

Description sangu 2012-10-14 02:29:18 UTC
Description of problem:
Open chromium (version 21.0.1180.89-1.fc18.x86_64)

Additional info:
libreport version: 2.0.16
kernel:         3.6.1-1.fc18.x86_64

Comment 1 sangu 2012-10-14 02:29:20 UTC
Created attachment 626731
File: type

Comment 2 sangu 2012-10-14 02:29:22 UTC
Created attachment 626732
File: hashmarkername

Comment 3 sangu 2012-10-14 02:33:43 UTC
Strange setroubleshoot report.



SELinux is preventing /usr/lib64/chromium-browser/nacl_helper_bootstrap from search access on the directory 3.

*****  Plugin catchall (100. confidence) suggests  ***************************

If nacl_helper_bootstrap는 디폴트로 3 directory에서 search 액세스를 허용해야 합니다. 
Then 이 버그를 보고해야 합니다. 
이러한 액세스를 허용하기 위해 로컬 정채 모듈을 생성할 수 있습니다. 
Do
지금 이 액세스를 허용하려면 다음을 실행합니다: 
# grep nacl_helper_boo /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:chrome_sandbox_nacl_t:s0
                              -s0:c0.c1023
Target Context                system_u:system_r:kernel_t:s0
Target Objects                3 [ dir ]
Source                        nacl_helper_boo
Source Path                   /usr/lib64/chromium-browser/nacl_helper_bootstrap
Port                          <알려지지 않음>
Host                          localhost.localdomain
Source RPM Packages           chromium-21.0.1180.89-1.fc18.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-36.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.6.1-1.fc18.x86_64 #1
                              SMP Mon Oct 8 17:19:09 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    2012-10-14 11:25:27 KST
Last Seen                     2012-10-14 11:25:27 KST
Local ID                      c32fe45a-5488-4e1d-8b2c-3c37b2ede102

Raw Audit Messages
type=AVC msg=audit(1350181527.419:212): avc:  denied  { search } for  pid=2953 comm="nacl_helper_boo" name="3" dev="proc" ino=14581 scontext=unconfined_u:unconfined_r:chrome_sandbox_nacl_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=dir


type=SYSCALL msg=audit(1350181527.419:212): arch=x86_64 syscall=readlink success=no exit=EACCES a0=7fff65f527c0 a1=7fff65f517c0 a2=1000 a3=7fff65f51550 items=0 ppid=1 pid=2953 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4 comm=nacl_helper_boo exe=/usr/lib64/chromium-browser/nacl_helper_bootstrap subj=unconfined_u:unconfined_r:chrome_sandbox_nacl_t:s0-s0:c0.c1023 key=(null)

Hash: nacl_helper_boo,chrome_sandbox_nacl_t,kernel_t,dir,search

audit2allow

#============= chrome_sandbox_nacl_t ==============
allow chrome_sandbox_nacl_t kernel_t:dir search;

audit2allow -R

#============= chrome_sandbox_nacl_t ==============
allow chrome_sandbox_nacl_t kernel_t:dir search;

Comment 4 Daniel Walsh 2012-10-15 14:28:52 UTC
Did anything actually break or did you just see the AVC reported?

Comment 5 Daniel Walsh 2012-10-15 14:37:09 UTC
I just added this to F18.

Comment 6 Fedora Update System 2012-10-23 20:34:29 UTC
selinux-policy-3.11.1-43.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-43.fc18

Comment 7 Fedora Update System 2012-10-26 15:37:26 UTC
selinux-policy-3.11.1-46.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-46.fc18

Comment 8 Fedora Update System 2012-10-26 19:26:48 UTC
Package selinux-policy-3.11.1-46.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-46.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-16862/selinux-policy-3.11.1-46.fc18
then log in and leave karma (feedback).

Comment 9 Fedora Update System 2012-12-20 16:22:00 UTC
selinux-policy-3.11.1-46.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

