Description of problem:
I launched Chrome 24.0.1312.35 beta on Fedora 18. SELinux is preventing /opt/google/chrome/nacl_helper_bootstrap from 'search' accesses on the directory 1.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that nacl_helper_bootstrap should be allowed search access on the 1 directory by default, then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep nacl_helper_boo /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:chrome_sandbox_nacl_t:s0-s0:c0.c1023
Target Context                system_u:system_r:init_t:s0
Target Objects                1 [ dir ]
Source                        nacl_helper_boo
Source Path                   /opt/google/chrome/nacl_helper_bootstrap
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           google-chrome-beta-24.0.1312.35-171386.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.11.1-60.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.6.9-4.fc18.x86_64 #1 SMP Tue Dec 4 14:12:51 UTC 2012 x86_64 x86_64
Alert Count                   9
First Seen                    2012-12-11 03:03:44 CET
Last Seen                     2012-12-11 14:50:58 CET
Local ID                      3504d439-db4b-440c-8877-1859ac3e487a

Raw Audit Messages
type=AVC msg=audit(1355233858.915:330): avc: denied { search } for pid=9529 comm="nacl_helper_boo" name="1" dev="proc" ino=9236 scontext=unconfined_u:unconfined_r:chrome_sandbox_nacl_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dir

type=SYSCALL msg=audit(1355233858.915:330): arch=x86_64 syscall=open success=no exit=EACCES a0=7fffd0265680 a1=0 a2=1b6 a3=1969ef0 items=0 ppid=1 pid=9529 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm=nacl_helper_boo exe=/opt/google/chrome/nacl_helper_bootstrap subj=unconfined_u:unconfined_r:chrome_sandbox_nacl_t:s0-s0:c0.c1023 key=(null)

Hash: nacl_helper_boo,chrome_sandbox_nacl_t,init_t,dir,search

audit2allow

audit2allow -R

Additional info:
hashmarkername: setroubleshoot
kernel:         3.6.9-4.fc18.x86_64
type:           libreport
Did anything actually break or just an AVC show up?
(In reply to comment #1)
> Did anything actually break or just an AVC show up?

There was nothing I noticed malfunctioning.
Fixed in selinux-policy-3.11.1-63.fc18.noarch
How did you fix this issue?
I am allowing it to read pid 1 data.
Thank you. I'm interested in learning. Can you:
- tell me how you decided that this access is not dangerous, or
- point me to somewhere I can read about how to decide on such accesses?
Just going on experience and thinking about what kind of information might be leaked from reading /proc/1/* by a non-priv user. Usually if it is standard system data and the access is read, I am lenient. Writing and reading random content owned by non-standard apps is more interesting, and reading content in /home is something I think twice about.
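As an added illustration of the triage reasoning in the comment above and of what the audit2allow step suggested in the report derives from a denial (example code written for this page, not part of the bug report or of the selinux-policy project): it parses a constructed AVC line modelled on the one in the report, builds the allow rule audit2allow would emit for it, and attaches a triage label following the maintainer's rule of thumb. Encoding that rule of thumb as dev/path checks is my own assumption; the label is an aid for review, not a decision.

```python
import re

# Constructed sample, modelled on the AVC line in this report (not copied from audit.log)
SAMPLE_AVC = (
    'type=AVC msg=audit(1355233858.915:330): avc: denied { search } for pid=9529 '
    'comm="nacl_helper_boo" name="1" dev="proc" ino=9236 '
    'scontext=unconfined_u:unconfined_r:chrome_sandbox_nacl_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:init_t:s0 tclass=dir'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Permissions that modify the target rather than read it (assumed list for the heuristic)
WRITE_PERMS = {'write', 'append', 'create', 'unlink', 'rename', 'setattr',
               'add_name', 'remove_name', 'rmdir', 'link'}


def parse_avc(line):
    """Split one AVC denial into its permission list and key=value fields."""
    m = AVC_RE.search(line)
    if not m:
        return None
    avc = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    avc['perms'] = m.group(1).split()
    return avc


def sel_type(context):
    """The type is the third field of user:role:type[:range]."""
    return context.split(':')[2]


def allow_rule(avc):
    """The rule audit2allow derives from the denial (braces only for several perms)."""
    perms = avc['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    return 'allow %s %s:%s %s;' % (sel_type(avc['scontext']),
                                   sel_type(avc['tcontext']), avc['tclass'], perm_str)


def triage(avc):
    """Maintainer's rule of thumb: reads of standard system data are usually fine,
    writes and non-standard content need a closer look, /home needs extra thought."""
    path = avc.get('path', '')
    if set(avc['perms']) & WRITE_PERMS:
        return 'review: modifies target'
    if path.startswith('/home/'):
        return 'think twice: user data'
    if avc.get('dev') in ('proc', 'sysfs') or path.startswith(('/proc/', '/sys/')):
        return 'lenient: read of standard system data'
    return 'review: non-standard target'


if __name__ == '__main__':
    avc = parse_avc(SAMPLE_AVC)
    print(allow_rule(avc))   # allow chrome_sandbox_nacl_t init_t:dir search;
    print(triage(avc))       # lenient: read of standard system data
```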
selinux-policy-3.11.1-66.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-66.fc18
selinux-policy-3.11.1-66.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.