Bug 896177 - SELinux is preventing /opt/google/chrome/chrome-sandbox from 'write' accesses on the file oom_adj.
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 21
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:970de26506863147140f7a67a03...
Duplicates: 1193801
 
Reported: 2013-01-16 19:28 UTC by Mikhail
Modified: 2015-07-14 17:37 UTC (History)

Fixed In Version: selinux-policy-3.13.1-105.19.fc21
Last Closed: 2015-07-14 15:50:14 UTC

Description Mikhail 2013-01-16 19:28:38 UTC
Description of problem:
SELinux is preventing /opt/google/chrome/chrome-sandbox from 'write' accesses on the file oom_adj.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that chrome-sandbox should be allowed write access on the oom_adj file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep chrome-sandbox /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
                              0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Objects                oom_adj [ file ]
Source                        chrome-sandbox
Source Path                   /opt/google/chrome/chrome-sandbox
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           google-chrome-unstable-26.0.1384.2-176931.i386
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-69.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.7.2-201.fc18.i686.PAE #1 SMP Fri
                              Jan 11 22:30:06 UTC 2013 i686 i686
Alert Count                   1
First Seen                    2013-01-17 01:28:03 YEKT
Last Seen                     2013-01-17 01:28:03 YEKT
Local ID                      410c7744-0651-446e-88e2-5063f81d016b

Raw Audit Messages
type=AVC msg=audit(1358364483.55:1171): avc:  denied  { write } for  pid=14578 comm="chrome-sandbox" name="oom_adj" dev="proc" ino=2878910 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file


type=SYSCALL msg=audit(1358364483.55:1171): arch=i386 syscall=openat success=no exit=EACCES a0=3 a1=804a567 a2=8001 a3=0 items=0 ppid=31129 pid=14578 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 ses=2 tty=pts1 comm=chrome-sandbox exe=/opt/google/chrome/chrome-sandbox subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Hash: chrome-sandbox,chrome_sandbox_t,unconfined_t,file,write

audit2allow

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t unconfined_t:file write;

audit2allow -R

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t unconfined_t:file write;


Additional info:
hashmarkername: setroubleshoot
kernel:         3.7.2-201.fc18.i686.PAE
type:           libreport

Comment 1 Mikhail 2013-01-16 19:30:54 UTC
Run AirMech game in Google Chrome

Package: (null)
OS Release: Fedora release 18 (Spherical Cow)

Comment 2 Mikhail 2013-02-23 13:43:01 UTC
Any updates?

Comment 3 Daniel Walsh 2013-02-28 16:14:03 UTC
Well, this is a tough problem, since I am not sure we want the confined process to be allowed to modify its parent process information. On the other hand, I think the gnome-sandbox is saying pick me

Comment 4 Daniel Walsh 2013-02-28 16:14:27 UTC
pick me for oom killing.

Comment 5 Fedora End Of Life 2013-12-21 10:25:55 UTC
This message is a reminder that Fedora 18 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 18. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '18'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 18's end of life.

Thank you for reporting this issue and we are sorry that we may not be 
able to fix it before Fedora 18 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora 
version prior to Fedora 18's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 6 Fedora End Of Life 2014-02-05 14:57:12 UTC
Fedora 18 changed to end-of-life (EOL) status on 2014-01-14. Fedora 18 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 7 Ian Pilcher 2015-04-30 18:20:17 UTC
Re-opening, as this appears to have become worse with recent Chrome versions (currently running google-chrome-stable-42.0.2311.135-1.x86_64).  It looks like I get this every time I open a new tab (and telling the alert browser to ignore it doesn't seem to work).

Would it be possible to get a dontaudit rule that can be enabled with a boolean?

Comment 8 mystilleef 2015-05-01 16:11:30 UTC
Description of problem:
Launch the latest stable version of Google Chrome

Version-Release number of selected component:
selinux-policy-3.13.1-105.13.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.5-200.fc21.x86_64
type:           libreport

Comment 9 Andrey Shedko 2015-05-05 20:18:19 UTC
Description of problem:
normal use

Version-Release number of selected component:
selinux-policy-3.13.1-105.13.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.5-200.fc21.x86_64
type:           libreport

Comment 10 Santiago Lunar 2015-05-09 11:23:32 UTC
Description of problem:
When running the browser, the SELinux alert appeared

Version-Release number of selected component:
selinux-policy-3.13.1-105.13.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.5-200.fc21.x86_64
type:           libreport

Comment 11 Lucas Farias 2015-05-09 12:38:42 UTC
Description of problem:
SELinux detects this problem every time Google Chrome is started.

Version-Release number of selected component:
selinux-policy-3.13.1-105.13.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.5-200.fc21.x86_64
type:           libreport

Comment 12 mr.vm 2015-05-10 01:47:37 UTC
Description of problem:
Problems between google-chrome and netflix

Version-Release number of selected component:
selinux-policy-3.13.1-105.13.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.5-200.fc21.i686
type:           libreport

Comment 13 Miroslav Grepl 2015-05-12 09:54:07 UTC
*** Bug 1193801 has been marked as a duplicate of this bug. ***

Comment 14 Abhay Kadam 2015-05-20 13:22:24 UTC
Description of problem:
Just installed Chrome and opened it for the first time...

Version-Release number of selected component:
selinux-policy-3.13.1-105.13.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.7-200.fc21.x86_64
type:           libreport

Comment 15 Sergey 2015-05-23 07:19:21 UTC
Description of problem:
I open my Chrome browser to read my Cisco courses on 127.0.0.1. When I open Chrome after closing Firefox, this error comes up.

Thanks.

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.4-301.fc21.x86_64
type:           libreport

Comment 16 Santiago Lunar 2015-05-24 12:13:31 UTC
Description of problem:
I only opened Google Chrome

Version-Release number of selected component:
selinux-policy-3.13.1-105.13.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.4-301.fc21.x86_64
type:           libreport

Comment 17 Ricardo Ramos 2015-05-24 23:23:10 UTC
Description of problem:
Every time I open google chrome this error appears.

Version-Release number of selected component:
selinux-policy-3.13.1-105.13.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.7-200.fc21.x86_64
type:           libreport

Comment 18 lwswllw 2015-05-25 18:11:47 UTC
Description of problem:
SELinux is preventing chrome-sandbox from write access on the file oom_score_adj.

Plugin: catchall 
you want to allow chrome-sandbox to have write access on the oom_score_adj file
If you believe that chrome-sandbox should be allowed write access on the oom_score_adj file by default.
You should report this as a bug.
You can generate a local policy module to allow this access.
Allow this access for now by executing:
# grep chrome-sandbox /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.4-301.fc21.i686
type:           libreport

Comment 19 Igor Vucenovic 2015-06-01 17:27:01 UTC
Description of problem:
After starting the Chrome browser.

Version-Release number of selected component:
selinux-policy-3.13.1-105.13.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.5-200.fc21.x86_64
type:           libreport

Comment 20 Erika 2015-06-02 01:30:28 UTC
Description of problem:
SELinux is preventing chrome-sandbox from write access on the file oom_adj.

*****  Plugin chrome (98.5 confidence) suggests   ****************************

If usted desea usar el paquete plugin
Then debe apagar los controles SELinuxsobre los plugins Chrome.
Do
# setsebool -P unconfined_chrome_sandbox_transition 0

*****  Plugin catchall (2.46 confidence) suggests   **************************

If cree que de manera predeterminada, chrome-sandbox debería permitir acceso write sobre  oom_adj file.     
Then debería reportar esto como un error.
Puede generar un módulo de política local para permitir este acceso.
Do
permita el acceso momentáneamente executando:
# grep chrome-sandbox /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
                              0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Objects                oom_adj [ file ]
Source                        chrome-sandbox
Source Path                   chrome-sandbox
Port                          <Unknown>
Host                          larissa-pc.local
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-103.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     larissa-pc.local
Platform                      Linux larissa-pc.local 3.17.7-300.fc21.x86_64 #1
                              SMP Wed Dec 17 03:08:44 UTC 2014 x86_64 x86_64
Alert Count                   30
First Seen                    2015-06-01 20:58:30 AST
Last Seen                     2015-06-01 21:05:45 AST
Local ID                      349361f4-d69a-4c97-8565-cbf6fad14708

Raw Audit Messages
type=AVC msg=audit(1433207145.171:553): avc:  denied  { write } for  pid=3189 comm="chrome-sandbox" name="oom_adj" dev="proc" ino=40152 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file permissive=0


Hash: chrome-sandbox,chrome_sandbox_t,unconfined_t,file,write

Version-Release number of selected component:
selinux-policy-3.13.1-103.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.7-300.fc21.x86_64
type:           libreport

Comment 21 Brian J. Murrell 2015-06-04 10:46:37 UTC
Yes, given that this is worse now, happening with each tab opening, can we get some movement on it?

Comment 22 Jobava 2015-06-08 16:22:41 UTC
Description of problem:
Problem appears to be related to youtube

Version-Release number of selected component:
selinux-policy-3.13.1-105.13.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         4.0.4-202.fc21.x86_64
type:           libreport

Comment 23 mov_ebpesp 2015-06-08 16:39:05 UTC
Description of problem:
Opened Chrome with default tabs.

Version-Release number of selected component:
selinux-policy-3.13.1-105.13.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         4.0.4-202.fc21.x86_64
type:           libreport

Comment 24 Miroslav Grepl 2015-06-17 10:51:35 UTC
Lukas,
could you backport the fixes from F22?

Comment 25 Eslam 2015-06-18 15:34:02 UTC
Description of problem:
After opening Chrome a message appears VLC bug

Version-Release number of selected component:
selinux-policy-3.13.1-105.13.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         4.0.4-202.fc21.x86_64
type:           libreport

Comment 26 Diego Perini 2015-06-21 13:38:18 UTC
Description of problem:
Launching Chrome 43

Version-Release number of selected component:
selinux-policy-3.13.1-105.13.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         4.0.5-200.fc21.x86_64
type:           libreport

Comment 27 Diego Perini 2015-06-21 13:40:48 UTC
Description of problem:
SELinux is preventing chrome-sandbox from write access on the file oom_adj.

Plugin: chrome 
si vuole usare il pacchetto %sSe si vuole usare il pacchetto plugin
disabilitare i controlli SELinux sui plugin di Chrome.
# setsebool -P unconfined_chrome_sandbox_transition 0

Plugin: catchall 
you want to allow chrome-sandbox to have write access on the oom_adj file
Se si crede che chrome-sandbox dovrebbe avere possibilità di accesso write sui oom_adj file in modo predefinito.
Si dovrebbe riportare il problema come bug.
E' possibile generare un modulo di politica locale per consentire questo accesso.
Consentire questo accesso per il momento eseguendo:
# grep chrome-sandbox /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Version-Release number of selected component:
selinux-policy-3.13.1-105.13.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         4.0.5-200.fc21.x86_64
type:           libreport

Comment 28 Michael Kürschner 2015-06-21 19:48:22 UTC
Description of problem:
start of google chrome browser

Version-Release number of selected component:
selinux-policy-3.13.1-105.13.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         4.0.4-202.fc21.x86_64
type:           libreport

Comment 29 Lukas Vrabec 2015-06-23 15:00:34 UTC
commit 8509671a99a0fa6b8eff15666fee7b60c8a1752b
Author: Miroslav Grepl <mgrepl>
Date:   Tue May 12 11:42:53 2015 +0200

    Dontaudit use console for chrome-sandbox. BZ(1216087)

commit 5886bba0c6262619e08be29000bc82b78d66ce58
Author: Miroslav Grepl <mgrepl>
Date:   Wed May 13 13:11:46 2015 +0200

    Dontaudit chrome-sandbox write access its parent process information. BZ(1220958)
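
The audit2allow output in the description proposes an `allow` rule, while the commits listed in comment 29 chose `dontaudit`. The Python below is an added example, not part of this bug thread or of selinux-policy: it parses the two AVC records quoted on this page and renders their access vector under either keyword. The function names are hypothetical, and the third sample line is a shortened copy of the SYSCALL record, included to show that non-AVC records are skipped.

```python
import re
from collections import Counter

# Records 1 and 2 are the AVC lines quoted in this bug (description, comment 20).
# Record 3 is a shortened copy of the SYSCALL record, kept to show it is skipped.
SAMPLE_LINES = [
    'type=AVC msg=audit(1358364483.55:1171): avc:  denied  { write } for  pid=14578 comm="chrome-sandbox" name="oom_adj" dev="proc" ino=2878910 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file',
    'type=AVC msg=audit(1433207145.171:553): avc:  denied  { write } for  pid=3189 comm="chrome-sandbox" name="oom_adj" dev="proc" ino=40152 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file permissive=0',
    'type=SYSCALL msg=audit(1358364483.55:1171): arch=i386 syscall=openat success=no exit=EACCES',
]

DENIED_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    denied = DENIED_RE.search(line)
    if denied is None:
        return None
    fields = {key: value.strip('"') for key, value in FIELD_RE.findall(line)}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return {
        "perms": tuple(sorted(denied.group(1).split())),
        # A context is user:role:type:level; the rule is written on the type.
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "name": fields.get("name", ""),
    }


def summarize(lines):
    """Count denials per (source type, target type, class, perms, object name)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            counts[(rec["source"], rec["target"], rec["tclass"], rec["perms"], rec["name"])] += 1
    return counts


def render_rules(counts, keyword="dontaudit"):
    """Render one policy rule per distinct access vector (object name is dropped)."""
    vectors = sorted({key[:4] for key in counts})
    rules = []
    for source, target, tclass, perms in vectors:
        perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"{keyword} {source} {target}:{tclass} {perm_text};")
    return rules


if __name__ == "__main__":
    seen = summarize(SAMPLE_LINES)
    for key, count in seen.items():
        print(count, key)
    print("\n".join(render_rules(seen)))
```

A type-enforcement rule names types, not file names, so either rendered rule covers every `file` object labelled `unconfined_t`, not only `oom_adj`; `dontaudit` keeps the write denied and only suppresses the log entry.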

Comment 30 Fedora Update System 2015-06-24 12:28:48 UTC
selinux-policy-3.13.1-105.18.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.18.fc21

Comment 31 James A Jaworski 2015-06-24 23:09:31 UTC
Description of problem:
Error occurs when initially opening Google Chrome ver. 43.

Version-Release number of selected component:
selinux-policy-3.13.1-105.13.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.4-301.fc21.x86_64
type:           libreport

Comment 32 Fedora Update System 2015-06-25 08:22:26 UTC
Package selinux-policy-3.13.1-105.18.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.18.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-10708/selinux-policy-3.13.1-105.18.fc21
then log in and leave karma (feedback).

Comment 33 Laurent Rineau 2015-06-28 16:32:23 UTC
Description of problem:
I just launched Chrome. It opened without any tab: no web page was displayed.

Version-Release number of selected component:
selinux-policy-3.13.1-105.13.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.7-200.fc21.x86_64
type:           libreport

Comment 34 Fedora Update System 2015-06-30 07:31:17 UTC
selinux-policy-3.13.1-105.19.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.19.fc21

Comment 35 Laurent Rineau 2015-06-30 08:34:16 UTC
Description of problem:
I launched Chrome and opened one page. Then I got 13 AVC, all the same.

Version-Release number of selected component:
selinux-policy-3.13.1-105.13.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         4.0.5-200.fc21.x86_64
type:           libreport

Comment 36 shgysk8zer0 2015-07-02 04:00:38 UTC
Description of problem:
1. Open Chrome (In my case, from "Chrome App Launcher").

Occurring since first installed, though I do not recall if it was identical.

Version-Release number of selected component:
selinux-policy-3.13.1-105.13.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         4.0.6-200.fc21.x86_64
type:           libreport

Comment 37 Fedora Update System 2015-07-14 15:50:14 UTC
selinux-policy-3.13.1-105.19.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

