955819 – SELinux is preventing /opt/google/chrome/chrome-sandbox from 'append' accesses on the unix_stream_socket unix_stream_socket.

Bug 955819 - SELinux is preventing /opt/google/chrome/chrome-sandbox from 'append' accesses on the unix_stream_socket unix_stream_socket.

Summary: SELinux is preventing /opt/google/chrome/chrome-sandbox from 'append' accesse...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	18
Hardware:	x86_64
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:e21a870b188fed1d71d699b3cbe...
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-04-23 23:15 UTC by Alexey I. Froloff
Modified:	2013-04-27 23:53 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2013-04-27 23:53:38 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Alexey I. Froloff 2013-04-23 23:15:13 UTC

Description of problem:
This happens when chrome (dev) is started.
SELinux is preventing /opt/google/chrome/chrome-sandbox from 'append' accesses on the unix_stream_socket unix_stream_socket.

*****  Plugin leaks (86.2 confidence) suggests  ******************************

If you want to ignore chrome-sandbox trying to append access the unix_stream_socket unix_stream_socket, because you believe it should not need this access.
Then you should report this as a bug.  
You can generate a local policy module to dontaudit this access.
Do
# grep /opt/google/chrome/chrome-sandbox /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

*****  Plugin catchall (14.7 confidence) suggests  ***************************

If you believe that chrome-sandbox should be allowed append access on the unix_stream_socket unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep chrome-sandbox /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
                              0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Objects                unix_stream_socket [ unix_stream_socket ]
Source                        chrome-sandbox
Source Path                   /opt/google/chrome/chrome-sandbox
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           google-chrome-unstable-28.0.1485.0-195393.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-91.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.8.8-202.fc18.x86_64 #1 SMP Wed
                              Apr 17 23:25:17 UTC 2013 x86_64 x86_64
Alert Count                   1662
First Seen                    2013-04-04 15:03:27 MSK
Last Seen                     2013-04-24 02:46:30 MSK
Local ID                      39c33839-82b9-40ff-bc87-d7f986590ec9

Raw Audit Messages
type=AVC msg=audit(1366757190.190:1241): avc:  denied  { append } for  pid=4362 comm="chrome-sandbox" path="socket:[22017]" dev="sockfs" ino=22017 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket


type=AVC msg=audit(1366757190.190:1241): avc:  denied  { append } for  pid=4362 comm="chrome-sandbox" path="socket:[22017]" dev="sockfs" ino=22017 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket


type=SYSCALL msg=audit(1366757190.190:1241): arch=x86_64 syscall=execve success=yes exit=0 a0=7f1758a69558 a1=3ab750d4dc60 a2=7f1758a7ba80 a3=7f1752acd040 items=0 ppid=3112 pid=4362 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 ses=1 tty=(none) comm=chrome-sandbox exe=/opt/google/chrome/chrome-sandbox subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Hash: chrome-sandbox,chrome_sandbox_t,unconfined_t,unix_stream_socket,append

audit2allow

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t unconfined_t:unix_stream_socket append;

audit2allow -R
require {
	type unconfined_t;
	type chrome_sandbox_t;
	class unix_stream_socket append;
}

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t unconfined_t:unix_stream_socket append;


Additional info:
hashmarkername: setroubleshoot
kernel:         3.8.8-202.fc18.x86_64
type:           libreport

Comment 1 Miroslav Grepl 2013-04-24 13:35:11 UTC

Fixed in F19 and back ported to F18.

Comment 2 Fedora Update System 2013-04-26 13:06:23 UTC

selinux-policy-3.11.1-92.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-92.fc18

Comment 3 Fedora Update System 2013-04-27 00:16:49 UTC

Package selinux-policy-3.11.1-92.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-92.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-6769/selinux-policy-3.11.1-92.fc18
then log in and leave karma (feedback).

Comment 4 Fedora Update System 2013-04-27 23:53:40 UTC

selinux-policy-3.11.1-92.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.