Bug 960792 (chromelog) - SELinux is preventing /opt/google/chrome/chrome from 'create' accesses on the file libpeerconnection.log.
Keywords:
Status: CLOSED NOTABUG
Alias: chromelog
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 19
Hardware: i686
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:fb1d799747ec487b476427d74cb...
Duplicates: 960956 967120 975393 978610 979640 981536 981621 986562 1083593
Depends On:
Blocks:
Reported: 2013-05-08 02:22 UTC by Mikhail
Modified: 2014-04-02 14:14 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2013-05-12 11:04:28 UTC
Type: ---
Embargoed:



Description Mikhail 2013-05-08 02:22:22 UTC
Description of problem:
SELinux is preventing /opt/google/chrome/chrome from 'create' accesses on the file libpeerconnection.log.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that chrome should be allowed create access on the libpeerconnection.log file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep chrome /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
                              0.c1023
Target Context                unconfined_u:object_r:user_home_dir_t:s0
Target Objects                libpeerconnection.log [ file ]
Source                        chrome
Source Path                   /opt/google/chrome/chrome
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           google-chrome-unstable-28.0.1500.3-198635.i386
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-42.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.9.0-301.fc19.i686.PAE #1 SMP Mon
                              Apr 29 13:55:54 UTC 2013 i686 i686
Alert Count                   1
First Seen                    2013-05-08 08:08:33 YEKT
Last Seen                     2013-05-08 08:08:33 YEKT
Local ID                      a69213ce-ff03-4f22-8654-711324d0a39d

Raw Audit Messages
type=AVC msg=audit(1367978913.148:462): avc:  denied  { create } for  pid=2054 comm="chrome" name="libpeerconnection.log" scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file


type=SYSCALL msg=audit(1367978913.148:462): arch=i386 syscall=open success=no exit=EACCES a0=b86191bc a1=8441 a2=1b6 a3=b863eb00 items=0 ppid=0 pid=2054 auid=1000 uid=1000 gid=0 euid=1000 suid=1000 fsuid=1000 egid=0 sgid=0 fsgid=0 ses=1 tty=pts1 comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Hash: chrome,chrome_sandbox_t,user_home_dir_t,file,create

audit2allow

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t user_home_dir_t:file create;

audit2allow -R
require {
	type chrome_sandbox_t;
	type user_home_dir_t;
	class file create;
}

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t user_home_dir_t:file create;


Additional info:
reporter:       libreport-2.1.4
hashmarkername: setroubleshoot
kernel:         3.9.0-301.fc19.i686.PAE
type:           libreport
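
How the Hash line and the audit2allow rule in the report above follow from the raw AVC record, as an added example that is not part of the original report or of setroubleshoot. The function names and the BROAD_TARGETS review list are assumptions made for illustration.

```python
import re

# Raw AVC record copied from the report above.
AVC = ('type=AVC msg=audit(1367978913.148:462): avc:  denied  { create } for  '
       'pid=2054 comm="chrome" name="libpeerconnection.log" '
       'scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 '
       'tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file')

# Assumption for this example: target types broad enough that a generated
# allow rule should be reviewed by hand instead of being loaded as-is.
BROAD_TARGETS = {"user_home_dir_t", "user_home_t", "tmp_t", "etc_t"}

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
PAIR_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value may be quoted


def parse_avc(line):
    """Return the fields of one 'avc: denied' record, or None otherwise."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in PAIR_RE.findall(m.group('rest'))}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None
    # A context is user:role:type:level; only the level may contain more colons.
    fields['stype'] = fields['scontext'].split(':')[2]
    fields['ttype'] = fields['tcontext'].split(':')[2]
    fields['perms'] = m.group('perms').split()
    return fields


def hash_key(f):
    """Tuple in the order of the report's Hash line."""
    return ','.join([f.get('comm', ''), f['stype'], f['ttype'], f['tclass'], *f['perms']])


def allow_rule(f):
    """Type-enforcement rule as audit2allow prints it for this denial."""
    perms = f['perms']
    p = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {f['stype']} {f['ttype']}:{f['tclass']} {p};"


def needs_review(f):
    # The rule names types only; the file name from the record is not part of it.
    return f['ttype'] in BROAD_TARGETS


if __name__ == '__main__':
    rec = parse_avc(AVC)
    print(hash_key(rec), allow_rule(rec), 'review' if needs_review(rec) else 'ok', sep='\n')
```

The generated rule names only the source and target types, so it is not limited to libpeerconnection.log.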

Comment 1 Alexey I. Froloff 2013-05-08 11:28:21 UTC
Happens with google-chrome-unstable-28.0.1500.3-198635.x86_64

May be caused by upstream commit http://git.chromium.org/gitweb/?p=chromium.git;a=commitdiff;h=57102aee28d22b6abd8356ed6959c915e7d5301e
File third_party/libjingle/overrides/initialize_module.cc

Comment 2 Daniel Walsh 2013-05-08 14:24:51 UTC
Can you open a bug with them to not clutter up the homedir, stuff like that should be put into ~/.cache

Preferably in ~/.cache/chrome

I have ~/.cache/chromium on my box.

Comment 3 Alexey I. Froloff 2013-05-08 14:47:07 UTC
Agreed.  I have ~/.cache/google-chrome for Chrome.  I don't even think that using log file is needed in this place...

https://code.google.com/p/chromium/issues/detail?id=239048

Comment 4 Daniel Walsh 2013-05-08 14:55:14 UTC
*** Bug 960956 has been marked as a duplicate of this bug. ***

Comment 5 Alexey I. Froloff 2013-05-12 10:35:18 UTC
Seems to be fixed in upstream by https://chromiumcodereview.appspot.com/14617016

Comment 6 Daniel Walsh 2013-05-12 10:59:05 UTC
Excellent,  SELinux is a pretty good bug detecting tool.  :^)

Comment 7 Elad Alfassa 2013-05-12 11:04:28 UTC
Closing as NOTABUG. SELinux has done its job well by preventing chrome from writing this file. I don't think we should change the policy in that regard.

Comment 8 Daniel Walsh 2013-06-04 20:26:29 UTC
*** Bug 967120 has been marked as a duplicate of this bug. ***

Comment 9 Daniel Walsh 2013-06-18 15:17:31 UTC
*** Bug 975393 has been marked as a duplicate of this bug. ***

Comment 10 Vasilis Keramidas 2013-06-19 08:55:21 UTC
Using the solution provided by the SELinux Alert Browser:

grep chrome /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp

does not fix the problem.
Any recommendation on how to fix this, since a new policy will not be added to selinux-policy?

Comment 11 Alexey I. Froloff 2013-06-19 08:58:54 UTC
Just ignore this warning until chrome is updated.  Dev channel already contains fix, Beta and Stable may still have this issue.

Comment 12 Daniel Walsh 2013-06-27 14:44:05 UTC
*** Bug 978610 has been marked as a duplicate of this bug. ***

Comment 13 Daniel Walsh 2013-06-29 10:27:40 UTC
*** Bug 979640 has been marked as a duplicate of this bug. ***

Comment 14 Alex 2013-07-05 23:35:26 UTC
To temporarily solve the problem just edit the file:

/opt/google/chrome/google-chrome

and change the line before the command

exec -a "$0" "$HERE/chrome" "$@"

adding the line

cd /tmp

or any other directory where you want the file to be created.

Comment 15 Daniel Walsh 2013-07-08 18:59:45 UTC
*** Bug 981536 has been marked as a duplicate of this bug. ***

Comment 16 Daniel Walsh 2013-07-10 16:51:20 UTC
*** Bug 981621 has been marked as a duplicate of this bug. ***

Comment 17 Daniel Walsh 2013-07-21 11:14:10 UTC
*** Bug 986562 has been marked as a duplicate of this bug. ***

Comment 18 Lukas Vrabec 2014-04-02 14:14:33 UTC
*** Bug 1083593 has been marked as a duplicate of this bug. ***
