Re: Selinux beating up on Chromium

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Thu, Jun 17, 2010 at 9:58 PM, Jim <mickeyboa@xxxxxxxxxxxxx> wrote:
> On 06/17/2010 04:33 PM, Marko Vojinovic wrote:
>> On Thursday, June 17, 2010 21:00:41 Jim wrote:
>>
>>> FC13/KDE
>>>
>>> setroubleshoot: SELinux is preventing
>>> /usr/lib64/chromium-browser/chrome-sandbox "net_raw" access . For
>>> complete SELinux messages. run sealert -l
>>> 68797c25-9748-4ab8-b020-f63a80f543a7

I just came back from a holiday and had the new
google-chrome-beta-6.0.472.33-55501.i386 in an F12 box, and I find
that as soon as I start up chrome I am getting what seems to the the
same avc:

Summary:

SELinux is preventing /opt/google/chrome/chrome-sandbox "net_raw" access .

Detailed Description:

[chrome-sandbox has a permissive type (chrome_sandbox_t). This access was not
denied.]

SELinux denied access requested by chrome-sandbox. It is not expected that this
access is required by chrome-sandbox and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
                              0.c1023
Target Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
                              0.c1023
Target Objects                None [ capability ]
Source                        chrome-sandbox
Source Path                   /opt/google/chrome/chrome-sandbox
Port                          <Unknown>
Host                          home1.mdc.sapience.com
Source RPM Packages           google-chrome-beta-6.0.472.33-55501
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-118.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     xxx.xxx.xxx.com
Platform                      Linux xxx.xxx.xxx.com
                              2.6.32.16-150.fc12.i686.PAE #1 SMP Sat Jul 24
                              05:25:42 UTC 2010 i686 i686
Alert Count                   3
First Seen                    Fri 13 Aug 2010 07:50:31 PM BST
Last Seen                     Fri 13 Aug 2010 09:16:47 PM BST
Local ID                      81e1f781-9dbd-4dbf-926b-b6334a67aac6
Line Numbers

Raw Audit Messages

node=xxx.xxx.xxx.com type=AVC msg=audit(1281730607.936:35598): avc:
denied  { net_raw } for  pid=32256 comm="chrome-sandbox" capability=13
 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
tclass=capability

node=xxx.xxx.xxx.com type=SYSCALL msg=audit(1281730607.936:35598):
arch=40000003 syscall=120 success=yes exit=32257 a0=60020011 a1=0 a2=0
a3=0 items=0 ppid=32252 pid=32256 auid=500 uid=500 gid=500 euid=0
suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=76
comm="chrome-sandbox" exe="/opt/google/chrome/chrome-sandbox"
subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
key=(null)

Has anyone found a solution yet?

Thanks

-- 
mike c
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux