Bug 886397 - SELinux is preventing Chrome_ChildIOT from 'write' accesses on the file /run/media/aldrian/Application/Chrome-extension/YMailBold/icon.png.
Summary: SELinux is preventing Chrome_ChildIOT from 'write' accesses on the file /run/...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 17
Hardware: i686
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:9602ca7aa0697005b7d41f4e194...
Duplicates: 886398
Depends On:
Blocks:
Reported: 2012-12-12 08:28 UTC by Aldrian Obaja
Modified: 2012-12-18 14:25 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2012-12-18 14:25:40 UTC
Type: ---
Embargoed:


Attachments
File: type (9 bytes, text/plain)
2012-12-12 08:28 UTC, Aldrian Obaja
File: hashmarkername (14 bytes, text/plain)
2012-12-12 08:28 UTC, Aldrian Obaja

Description Aldrian Obaja 2012-12-12 08:28:16 UTC
Additional info:
libreport version: 2.0.18
kernel:         3.6.9-2.fc17.i686

description:
:SELinux is preventing Chrome_ChildIOT from 'write' accesses on the file /run/media/aldrian/Application/Chrome-extension/YMailBold/icon.png.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that Chrome_ChildIOT should be allowed write access on the icon.png file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep Chrome_ChildIOT /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
:                              0.c1023
:Target Context                system_u:object_r:fusefs_t:s0
:Target Objects                /run/media/aldrian/Application/Chrome-
:                              extension/YMailBold/icon.png [ file ]
:Source                        Chrome_ChildIOT
:Source Path                   Chrome_ChildIOT
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-161.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.6.9-2.fc17.i686 #1 SMP Tue Dec 4
:                              14:22:00 UTC 2012 i686 i686
:Alert Count                   2
:First Seen                    2012-12-12 16:25:38 SGT
:Last Seen                     2012-12-12 16:26:14 SGT
:Local ID                      77d7dc29-27da-4d93-92bb-75076518c722
:
:Raw Audit Messages
:type=AVC msg=audit(1355300774.145:149): avc:  denied  { write } for  pid=7037 comm="Chrome_ChildIOT" path="/run/media/aldrian/Application/Chrome-extension/YMailBold/icon.png" dev="sda5" ino=142521 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fusefs_t:s0 tclass=file
:
:
:Hash: Chrome_ChildIOT,chrome_sandbox_t,fusefs_t,file,write
:
:audit2allow
:
:#============= chrome_sandbox_t ==============
:allow chrome_sandbox_t fusefs_t:file write;
:
:audit2allow -R
:
:#============= chrome_sandbox_t ==============
:allow chrome_sandbox_t fusefs_t:file write;
:
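
Added example, not part of the original report and not code from setroubleshoot or audit2allow: a small Python parser for the raw AVC record above that recovers the source type, target type, class and permission, rebuilds the rule audit2allow printed, and flags target types that label a whole mounted filesystem. The function names and the FS_WIDE_TYPES set are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# Raw audit record copied from the report above.
SAMPLE = (
    'type=AVC msg=audit(1355300774.145:149): avc:  denied  { write } for  '
    'pid=7037 comm="Chrome_ChildIOT" '
    'path="/run/media/aldrian/Application/Chrome-extension/YMailBold/icon.png" '
    'dev="sda5" ino=142521 '
    'scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:fusefs_t:s0 tclass=file'
)
# Assumption for this example: types that label a whole mounted filesystem
# (no per-file labels), so a rule on them covers every file on such mounts.
FS_WIDE_TYPES = {"fusefs_t", "dosfs_t", "nfs_t", "cifs_t"}
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+)\.\d+:(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= kv.keys():
        return None
    return {
        "time": datetime.fromtimestamp(int(m.group("ts")), timezone.utc),
        "perms": m.group("perms").split(),
        "comm": kv.get("comm"),
        "path": kv.get("path"),
        # A context is user:role:type:level; the level may itself contain ':'.
        "stype": kv["scontext"].split(":")[2],
        "ttype": kv["tcontext"].split(":")[2],
        "tclass": kv["tclass"],
    }

def candidate_rule(avc):
    """Rebuild the allow rule audit2allow prints for this denial."""
    perms = avc["perms"]
    p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {avc['stype']} {avc['ttype']}:{avc['tclass']} {p};"

def is_fs_wide(avc):
    """True when the target type labels a whole filesystem (see FS_WIDE_TYPES)."""
    return avc["ttype"] in FS_WIDE_TYPES
```

The timestamp in the record converts to 2012-12-12 08:26:14 UTC, which is the report's Last Seen time of 16:26:14 SGT.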

Comment 1 Aldrian Obaja 2012-12-12 08:28:19 UTC
Created attachment 662111
File: type

Comment 2 Aldrian Obaja 2012-12-12 08:28:21 UTC
Created attachment 662112
File: hashmarkername

Comment 3 Daniel Walsh 2012-12-12 12:16:58 UTC
Looks like a leak.  Probably can be ignored.

Comment 4 Daniel Walsh 2012-12-12 12:18:03 UTC
Aldrian, what is this, some kind of USB stick with Chrome content on it?

Comment 5 Daniel Walsh 2012-12-12 12:18:31 UTC
*** Bug 886398 has been marked as a duplicate of this bug. ***

Comment 6 Aldrian Obaja 2012-12-12 12:53:44 UTC
The content it tried to access is on another drive, a Windows partition, which is mounted in /run/media/aldrian.
Chrome itself is on the Linux partition.

Comment 7 Daniel Walsh 2012-12-17 21:34:49 UTC
Did anything actually break? I.e., did everything seem to work properly?

Comment 8 Aldrian Obaja 2012-12-18 03:13:34 UTC
I was using this webapp pixlr.com/editor/ and I can't save any file to that location. The app works fine in Windows Chrome.

Hmm, actually after further testing, in fact, it can't save to the local drive either; the page just went plain white after trying to save.

Comment 9 Daniel Walsh 2012-12-18 14:25:40 UTC
The thing we are trying to prevent with this confinement is the chrome sandbox being able to write to the homedir.  You need to turn off the confinement using

setsebool -P unconfined_chrome_sandbox_transition 1

