Bug 909707 - SELinux is preventing /usr/lib64/chromium-browser/chrome-sandbox from read, append access on the file /home/adellam/.xsession-errors.
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 17
Hardware: x86_64
OS: Unspecified
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:4266cf8e1a87264c915aeade286...
Duplicates: 909709
Reported: 2013-02-10 16:11 UTC by Andrea Dell'Amico
Modified: 2013-05-04 00:04 UTC (History)
Doc Type: Bug Fix
Last Closed: 2013-05-04 00:04:30 UTC


Attachments
File: type (9 bytes, text/plain)
2013-02-10 16:11 UTC, Andrea Dell'Amico
File: hashmarkername (14 bytes, text/plain)
2013-02-10 16:11 UTC, Andrea Dell'Amico

Description Andrea Dell'Amico 2013-02-10 16:11:10 UTC
Description of problem:

It started happening after I encrypted my home directory with ecryptfs.


Additional info:
libreport version: 2.0.18
kernel:         3.7.3-101.fc17.x86_64

description:
:SELinux is preventing /usr/lib64/chromium-browser/chrome-sandbox from read, append access on the file /home/adellam/.xsession-errors.
:
:*****  Plugin restorecon (93.9 confidence) suggests  *************************
:
:If you want to fix the label. 
:/home/adellam/.xsession-errors default label should be xdm_home_t.
:Then you can run restorecon.
:Do
:# /sbin/restorecon -v /home/adellam/.xsession-errors
:
:*****  Plugin leaks (6.10 confidence) suggests  ******************************
:
:If you want to ignore chrome-sandbox trying to read append access the .xsession-errors file, because you believe it should not need this access.
:Then you should report this as a bug.  
:You can generate a local policy module to dontaudit this access.
:Do
:# grep /usr/lib64/chromium-browser/chrome-sandbox /var/log/audit/audit.log | audit2allow -D -M mypol
:# semodule -i mypol.pp
:
:*****  Plugin catchall (1.43 confidence) suggests  ***************************
:
:If you believe that chrome-sandbox should be allowed read append access on the .xsession-errors file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep chrome-sandbox /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
:                              0.c1023
:Target Context                system_u:object_r:ecryptfs_t:s0
:Target Objects                /home/adellam/.xsession-errors [ file ]
:Source                        chrome-sandbox
:Source Path                   /usr/lib64/chromium-browser/chrome-sandbox
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           chromium-23.0.1271.95-1.fc17.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-166.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.7.3-101.fc17.x86_64 #1 SMP Fri
:                              Jan 18 17:40:57 UTC 2013 x86_64 x86_64
:Alert Count                   2
:First Seen                    2013-02-10 16:56:26 CET
:Last Seen                     2013-02-10 16:56:26 CET
:Local ID                      1fc7cba2-882b-4132-a7b5-1b0148a298fe
:
:Raw Audit Messages
:type=AVC msg=audit(1360511786.249:455): avc:  denied  { read append } for  pid=9825 comm="chrome-sandbox" path="/home/adellam/.xsession-errors" dev="ecryptfs" ino=134217856 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ecryptfs_t:s0 tclass=file
:
:
:type=AVC msg=audit(1360511786.249:455): avc:  denied  { read append } for  pid=9825 comm="chrome-sandbox" path="/home/adellam/.xsession-errors" dev="ecryptfs" ino=134217856 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ecryptfs_t:s0 tclass=file
:
:
:type=SYSCALL msg=audit(1360511786.249:455): arch=x86_64 syscall=execve success=yes exit=0 a0=7ff559e4cc48 a1=7ff55c0319f0 a2=7ff559e61d40 a3=7ff53502e710 items=0 ppid=8726 pid=9825 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 ses=4 tty=(none) comm=chrome-sandbox exe=/usr/lib64/chromium-browser/chrome-sandbox subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)
:
:Hash: chrome-sandbox,chrome_sandbox_t,ecryptfs_t,file,read,append
:
:audit2allow
:
:#============= chrome_sandbox_t ==============
:allow chrome_sandbox_t ecryptfs_t:file { read append };
:
:audit2allow -R
:
:#============= chrome_sandbox_t ==============
:allow chrome_sandbox_t ecryptfs_t:file { read append };
:

Comment 1 Andrea Dell'Amico 2013-02-10 16:11:14 UTC
Created attachment 695812
File: type

Comment 2 Andrea Dell'Amico 2013-02-10 16:11:17 UTC
Created attachment 695813
File: hashmarkername

Comment 3 Miroslav Grepl 2013-02-11 12:50:39 UTC
*** Bug 909709 has been marked as a duplicate of this bug. ***

Comment 4 Miroslav Grepl 2013-02-11 13:35:22 UTC
I am adding fixes.

Comment 5 Andrea Dell'Amico 2013-02-28 11:18:04 UTC
It happens when accessing a page that needs the flash plugin.


Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)

Comment 6 Daniel Walsh 2013-02-28 18:03:35 UTC
This looks like a mislabeled homedir. Your homedir should not be labeled ecryptfs_t?

Comment 7 Andrea Dell'Amico 2013-03-01 12:49:40 UTC
This is what ecryptfs does when using it to encrypt the home directory.

My setup is the following:

/home is a separate partition, and /home/adellam is encrypted with ecryptfs. The procedure relabeled all the files, and a "restorecon -vR /home" doesn't find anything to fix.

Comment 8 Daniel Walsh 2013-03-01 15:26:09 UTC
Miroslav, didn't someone else have this problem, and we fixed it by adding a file labeling equivalence?

Andrea, if you run

restorecon -R -v ~/

What happens?

Comment 9 Andrea Dell'Amico 2013-03-01 15:34:09 UTC

Absolutely nothing:

# restorecon -R -v ~adellam/
# 

The same if I run restorecon -R -v /home

Comment 10 Daniel Walsh 2013-03-01 19:28:54 UTC
ls -ldZ ~adellam

Comment 11 Andrea Dell'Amico 2013-03-01 21:35:19 UTC
ls -lZd /home/adellam
drwx------. adellam adellam system_u:object_r:ecryptfs_t:s0  /home/adellam/
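
Added example, not part of the bug thread or of selinux-policy: a small parser for the AVC record quoted in the description that rebuilds the `allow` rule shown under `audit2allow` and flags the situation confirmed by the `ls -lZd` output above, where the target type is simply the filesystem's own type. The function names are hypothetical, and `label_follows_filesystem` is a heuristic that assumes a type named `<dev>_t` is a filesystem-wide label.

```python
import re
import shlex

# Sample input: the AVC record quoted in the bug description, embedded inline.
SAMPLE_AVC = (
    'type=AVC msg=audit(1360511786.249:455): avc:  denied  { read append } for  '
    'pid=9825 comm="chrome-sandbox" path="/home/adellam/.xsession-errors" '
    'dev="ecryptfs" ino=134217856 '
    'scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:ecryptfs_t:s0 tclass=file'
)

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)$')


def parse_avc(line):
    """Return a dict for one type=AVC record, or None if the line is not one."""
    # The report prefixes each quoted line with ':'; tolerate that prefix.
    if not line.lstrip(':').startswith('type=AVC'):
        return None
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'result': m.group(1), 'perms': m.group(2).split()}
    # shlex keeps quoted values (for example paths with spaces) as one field.
    for field in shlex.split(m.group(3)):
        key, sep, value = field.partition('=')
        if sep:
            rec[key] = value
    # A context is user:role:type:level; the level itself may contain ':'.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def allow_rule(rec):
    """Render the rule in the form audit2allow prints in the report."""
    return 'allow %s %s:%s { %s };' % (
        rec['stype'], rec['ttype'], rec['tclass'], ' '.join(rec['perms']))


def label_follows_filesystem(rec):
    """Heuristic (assumption): the target type is named after the dev= value."""
    return rec.get('dev', '') + '_t' == rec['ttype']


if __name__ == '__main__':
    rec = parse_avc(SAMPLE_AVC)
    print(allow_rule(rec), label_follows_filesystem(rec))
```

When the heuristic returns True, as it does for this record, per-file relabeling is unlikely to be the fix, which matches the empty `restorecon -R -v` runs reported in the thread.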

Comment 12 Fedora Update System 2013-03-05 14:32:45 UTC
selinux-policy-3.10.0-168.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-168.fc17

Comment 13 Fedora Update System 2013-03-05 23:30:07 UTC
Package selinux-policy-3.10.0-168.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-168.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-3466/selinux-policy-3.10.0-168.fc17
then log in and leave karma (feedback).

Comment 14 Fedora Update System 2013-04-04 08:31:40 UTC
selinux-policy-3.10.0-169.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-169.fc17

Comment 15 Fedora Update System 2013-05-04 00:04:31 UTC
selinux-policy-3.10.0-169.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

