Description of problem:
SELinux is preventing /opt/google/chrome/chrome from 'read' accesses on the file .

***** Plugin chrome (85.2 confidence) suggests *****************************

If you want to use the plugin package
Then you must turn off SELinux controls on the Chrome plugins.
Do
# setsebool unconfined_chrome_sandbox_transition 0

***** Plugin catchall_boolean (14.0 confidence) suggests *******************

If you want to allow use to fusefs home dirs
Then you must tell SELinux about this by enabling the 'use_fusefs_home_dirs' boolean.
You can read 'None' man page for more details.
Do
setsebool -P use_fusefs_home_dirs 1

***** Plugin catchall (2.19 confidence) suggests ***************************

If you believe that chrome should be allowed read access on the file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep Chrome_ChildIOT /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
Target Context                system_u:object_r:fusefs_t:s0
Target Objects                [ file ]
Source                        Chrome_ChildIOT
Source Path                   /opt/google/chrome/chrome
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           google-chrome-stable-28.0.1500.71-209842.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-63.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.9.9-302.fc19.x86_64 #1 SMP Sat Jul 6 13:41:07 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-07-18 22:36:34 EEST
Last Seen                     2013-07-18 22:36:34 EEST
Local ID                      6d6e6820-46d8-4b49-b3ae-947fa0b1605c

Raw Audit Messages
type=AVC msg=audit(1374176194.284:516): avc: denied { read } for pid=2539 comm="Chrome_ChildIOT" path=2F72756E2F6D656469612F7079757269796368756B2F56414C56452F7661722F686F6D652FD094D0BED0BAD183D0BCD0B5D0BDD182D0B82F63757272656E742F456E676C6973682FD09CD0B0D182D0B5D180D196D0B0D0BBD0B820D0B4D0BE20D0B5D0BAD0B7D0B0D0BCD0B5D0BDD1832F446973736572746174696F6E732F68696C645F7068642E706466 dev="sdb1" ino=13086 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fusefs_t:s0 tclass=file

type=SYSCALL msg=audit(1374176194.284:516): arch=x86_64 syscall=recvmsg success=yes exit=EPERM a0=12 a1=7f5287284360 a2=40 a3=0 items=0 ppid=6 pid=2539 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=1 tty=(none) comm=Chrome_ChildIOT exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Hash: Chrome_ChildIOT,chrome_sandbox_t,fusefs_t,file,read

Additional info:
reporter:       libreport-2.1.6
hashmarkername: setroubleshoot
kernel:         3.10.5-201.fc19.x86_64
type:           libreport

Potential duplicate: bug 836435

You could turn on the boolean for this. I really do not want to allow chrome_sandbox to read any fusefs file systems.

***** Plugin chrome (85.2 confidence) suggests *****************************

If you want to use the plugin package
Then you must turn off SELinux controls on the Chrome plugins.
Do
# setsebool unconfined_chrome_sandbox_transition 0

***** Plugin catchall_boolean (14.0 confidence) suggests *******************

If you want to allow use to fusefs home dirs
Then you must tell SELinux about this by enabling the 'use_fusefs_home_dirs' boolean.
You can read 'None' man page for more details.
Do
setsebool -P use_fusefs_home_dirs 1