Re: Selinux beating up on Chromium

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 06/17/2010 04:33 PM, Marko Vojinovic wrote:
> On Thursday, June 17, 2010 21:00:41 Jim wrote:
>    
>> FC13/KDE
>>
>> setroubleshoot: SELinux is preventing
>> /usr/lib64/chromium-browser/chrome-sandbox "net_raw" access . For
>> complete SELinux messages. run sealert -l
>> 68797c25-9748-4ab8-b020-f63a80f543a7
>>
>> I run the sealert -l 68797c25-9748-4ab8-b020-f63a80f543a7 and that
>> doesn't stop error message.
>>      
> What did sealert actually say?
>
> The sealert command is not meant to fix the problem but to give you human-
> readable information about what went wrong and eventually a suggestion how to
> fix it.
>
> What you should do is to post the output of that sealert command for people
> here to see and comment.
>
> HTH, :-)
> Marko
>
>    
sealert -l 68797c25-9748-4ab8-b020-f63a80f543a7

Summary:

SELinux is preventing /usr/lib64/chromium-browser/chrome-sandbox "net_raw"
access .

Detailed Description:

[chrome-sandbox has a permissive type (chrome_sandbox_t). This access 
was not
denied.]

SELinux denied access requested by chrome-sandbox. It is not expected 
that this
access is required by chrome-sandbox and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration 
of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                
unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
                               0.c1023
Target Context                
unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
                               0.c1023
Target Objects                None [ capability ]
Source                        chrome-sandbox
Source Path                   /usr/lib64/chromium-browser/chrome-sandbox
Port <Unknown>
Host                          acer64
Source RPM Packages           chromium-6.0.425.0-1.20100603svn48849.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-116.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     acer64
Platform                      Linux acer64 2.6.32.14-127.fc12.x86_64 #1 
SMP Fri
                               May 28 04:30:39 UTC 2010 x86_64 x86_64
Alert Count                   12
First Seen                    Tue Jun 15 12:08:56 2010
Last Seen                     Thu Jun 17 16:32:38 2010
Local ID                      68797c25-9748-4ab8-b020-f63a80f543a7
Line Numbers

Raw Audit Messages

node=acer64 type=AVC msg=audit(1276806758.286:28555): avc:  denied  { 
net_raw } for  pid=12701 comm="chrome-sandbox" capability=13  
scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 
tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 
tclass=capability

node=acer64 type=SYSCALL msg=audit(1276806758.286:28555): arch=c000003e 
syscall=56 success=yes exit=12702 a0=60020011 a1=0 a2=0 a3=0 items=0 
ppid=12699 pid=12701 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 
egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="chrome-sandbox" 
exe="/usr/lib64/chromium-browser/chrome-sandbox" 
subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)


-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux