3 p.m.
FC13/KDE
setroubleshoot: SELinux is preventing
/usr/lib64/chromium-browser/chrome-sandbox "net_raw" access . For
complete SELinux messages. run sealert -l
68797c25-9748-4ab8-b020-f63a80f543a7
I run the sealert -l 68797c25-9748-4ab8-b020-f63a80f543a7 and that
doesn't stop error message.
In about a hour and a half I get the same error message.
12:27 p.m.
OK thanks - the question that then may be begged is when
will f12 get
a .33 kernel I wonder?
--
Seems that it would seem *not possible* at this point given the trends that Fedora has
been following :(
kernel.org kernel is at 2.6.35.2 already, Fedora 12 has a 2.6.32.16? or so modified
kernel, maybe a
2.6.32.50 kernel seems a better prediction than a 2.6.33.X kernel much less a 2.6.35 or
2.6.36 kernel :( [1], [2], [3] and [4]
Regards,
Antonio
[1] Yes, I know that Fedora takes great care to ensure that many drivers are working and
patched, the newer kernels introduce newer bugs and kill working drivers like
nouveau,radeon,..., etc and moving to these new kernels will not add anything but
problems?
[2] Fedora 13 is still at 2.6.33.X kernels and not 2.6.34.X or 2.6.35.2 or so current
kernels.
[3] If you want a Fedora kernel, check koji or test repo's for the latest and
greatest offerings from Fedora or
[4] Get an official kernel from kernel.org and build/compile on your own, but at your own
risk and you will assume the consequences on your own.
11:53 a.m.
On Sat, Aug 14, 2010 at 10:35 AM, Andrew Haley <aph(a)redhat.com> wrote:
On 08/13/2010 09:24 PM, mike cloaked wrote:
>
> Has anyone found a solution yet?
I'm not sure there's any need for a solution, since Chromium retries without
the raw socket.
See https://bugzilla.redhat.com/show_bug.cgi?id=598796
OK thanks - the question that then may be begged is when will f12 get
a .33 kernel I wonder?
--
mike c
4:45 a.m.
Why does a web browser need raw socket access?
Raw sockets are for creating your own protocols on top of IP - that
is, alternatives to TCP and UDP.
It's also for protocols that don't normally offer userspace APIs. One
way to implement ping is to use a raw socket tp send and receive ICMP
packets.
All a web browser should require is TCP and DNS!
Don Quixote
--
Don Quixote de la Mancha
quixote(a)dulcineatech.com
http://www.dulcineatech.com
Dulcinea Technologies Corporation: Software of Elegance and Beauty.
3:58 p.m.
On 06/17/2010 04:33 PM, Marko Vojinovic wrote:
On Thursday, June 17, 2010 21:00:41 Jim wrote:
> FC13/KDE
>
> setroubleshoot: SELinux is preventing
> /usr/lib64/chromium-browser/chrome-sandbox "net_raw" access . For
> complete SELinux messages. run sealert -l
> 68797c25-9748-4ab8-b020-f63a80f543a7
>
> I run the sealert -l 68797c25-9748-4ab8-b020-f63a80f543a7 and that
> doesn't stop error message.
>
What did sealert actually say?
The sealert command is not meant to fix the problem but to give you human-
readable information about what went wrong and eventually a suggestion how to
fix it.
What you should do is to post the output of that sealert command for people
here to see and comment.
HTH, :-)
Marko
sealert -l 68797c25-9748-4ab8-b020-f63a80f543a7
Summary:
SELinux is preventing /usr/lib64/chromium-browser/chrome-sandbox "net_raw"
access .
Detailed Description:
[chrome-sandbox has a permissive type (chrome_sandbox_t). This access
was not
denied.]
SELinux denied access requested by chrome-sandbox. It is not expected
that this
access is required by chrome-sandbox and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration
of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.
Additional Information:
Source Context
unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
0.c1023
Target Context
unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
0.c1023
Target Objects None [ capability ]
Source chrome-sandbox
Source Path /usr/lib64/chromium-browser/chrome-sandbox
Port <Unknown>
Host acer64
Source RPM Packages chromium-6.0.425.0-1.20100603svn48849.fc12
Target RPM Packages
Policy RPM selinux-policy-3.6.32-116.fc12
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name catchall
Host Name acer64
Platform Linux acer64 2.6.32.14-127.fc12.x86_64 #1
SMP Fri
May 28 04:30:39 UTC 2010 x86_64 x86_64
Alert Count 12
First Seen Tue Jun 15 12:08:56 2010
Last Seen Thu Jun 17 16:32:38 2010
Local ID 68797c25-9748-4ab8-b020-f63a80f543a7
Line Numbers
Raw Audit Messages
node=acer64 type=AVC msg=audit(1276806758.286:28555): avc: denied {
net_raw } for pid=12701 comm="chrome-sandbox" capability=13
scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
tclass=capability
node=acer64 type=SYSCALL msg=audit(1276806758.286:28555): arch=c000003e
syscall=56 success=yes exit=12702 a0=60020011 a1=0 a2=0 a3=0 items=0
ppid=12699 pid=12701 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0
egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="chrome-sandbox"
exe="/usr/lib64/chromium-browser/chrome-sandbox"
subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)
3:33 p.m.
On Thursday, June 17, 2010 21:00:41 Jim wrote:
FC13/KDE
setroubleshoot: SELinux is preventing
/usr/lib64/chromium-browser/chrome-sandbox "net_raw" access . For
complete SELinux messages. run sealert -l
68797c25-9748-4ab8-b020-f63a80f543a7
I run the sealert -l 68797c25-9748-4ab8-b020-f63a80f543a7 and that
doesn't stop error message.
What did sealert actually say?
The sealert command is not meant to fix the problem but to give you human-
readable information about what went wrong and eventually a suggestion how to
fix it.
What you should do is to post the output of that sealert command for people
here to see and comment.
HTH, :-)
Marko
3:23 p.m.
On 06/17/2010 04:00 PM, Jim wrote:
FC13/KDE
setroubleshoot: SELinux is preventing
/usr/lib64/chromium-browser/chrome-sandbox "net_raw" access . For
complete SELinux messages. run sealert -l
68797c25-9748-4ab8-b020-f63a80f543a7
I run the sealert -l 68797c25-9748-4ab8-b020-f63a80f543a7 and that
doesn't stop error message.
In about a hour and a half I get the same error message.
We know about it but do not know what is going on. We definitely do not
want to allow the chrome-sandbox raw access to your network.
If you want to shut it up, you can use audit2allow to create a module to
dontaudit it.
# grep net_raw /var/log/audit/audit.log | audit2allow -D -M mychrome
# semodule -i mycrhome.pp
12:12 p.m.
On Sat, Aug 14, 2010 at 5:53 PM, mike cloaked <mike.cloaked(a)gmail.com> wrote:
On Sat, Aug 14, 2010 at 10:35 AM, Andrew Haley <aph(a)redhat.com>
wrote:
> On 08/13/2010 09:24 PM, mike cloaked wrote:
>>
>> Has anyone found a solution yet?
>
> I'm not sure there's any need for a solution, since Chromium retries without
> the raw socket.
>
> See https://bugzilla.redhat.com/show_bug.cgi?id=598796
OK thanks - the question that then may be begged is when will f12 get
a .33 kernel I wonder?
Just tested on a laptop with f13 - this problem does not occur - so
maybe you are right and we need .33 in f12!
--
mike c
4:35 a.m.
On 08/13/2010 09:24 PM, mike cloaked wrote:
Has anyone found a solution yet?
I'm not sure there's any need for a solution, since Chromium retries without
the raw socket.
See https://bugzilla.redhat.com/show_bug.cgi?id=598796
Andrew.
3:24 p.m.
On Thu, Jun 17, 2010 at 9:58 PM, Jim <mickeyboa(a)sbcglobal.net> wrote:
On 06/17/2010 04:33 PM, Marko Vojinovic wrote:
> On Thursday, June 17, 2010 21:00:41 Jim wrote:
>
>> FC13/KDE
>>
>> setroubleshoot: SELinux is preventing
>> /usr/lib64/chromium-browser/chrome-sandbox "net_raw" access . For
>> complete SELinux messages. run sealert -l
>> 68797c25-9748-4ab8-b020-f63a80f543a7
I just came back from a holiday and had the new
google-chrome-beta-6.0.472.33-55501.i386 in an F12 box, and I find
that as soon as I start up chrome I am getting what seems to the the
same avc:
Summary:
SELinux is preventing /opt/google/chrome/chrome-sandbox "net_raw" access .
Detailed Description:
[chrome-sandbox has a permissive type (chrome_sandbox_t). This access was not
denied.]
SELinux denied access requested by chrome-sandbox. It is not expected that this
access is required by chrome-sandbox and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.
Additional Information:
Source Context unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
0.c1023
Target Context unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
0.c1023
Target Objects None [ capability ]
Source chrome-sandbox
Source Path /opt/google/chrome/chrome-sandbox
Port <Unknown>
Host home1.mdc.sapience.com
Source RPM Packages google-chrome-beta-6.0.472.33-55501
Target RPM Packages
Policy RPM selinux-policy-3.6.32-118.fc12
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name catchall
Host Name xxx.xxx.xxx.com
Platform Linux xxx.xxx.xxx.com
2.6.32.16-150.fc12.i686.PAE #1 SMP Sat Jul 24
05:25:42 UTC 2010 i686 i686
Alert Count 3
First Seen Fri 13 Aug 2010 07:50:31 PM BST
Last Seen Fri 13 Aug 2010 09:16:47 PM BST
Local ID 81e1f781-9dbd-4dbf-926b-b6334a67aac6
Line Numbers
Raw Audit Messages
node=xxx.xxx.xxx.com type=AVC msg=audit(1281730607.936:35598): avc:
denied { net_raw } for pid=32256 comm="chrome-sandbox" capability=13
scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
tclass=capability
node=xxx.xxx.xxx.com type=SYSCALL msg=audit(1281730607.936:35598):
arch=40000003 syscall=120 success=yes exit=32257 a0=60020011 a1=0 a2=0
a3=0 items=0 ppid=32252 pid=32256 auid=500 uid=500 gid=500 euid=0
suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=76
comm="chrome-sandbox" exe="/opt/google/chrome/chrome-sandbox"
subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
key=(null)
Has anyone found a solution yet?
Thanks
--
mike c
5004
days inactive
5062
days old
9 comments
7 participants
participants (7)
-
Andrew Haley -
Antonio Olivares -
Daniel J Walsh -
Don Quixote de la Manvha -
Jim -
Marko Vojinovic -
mike cloaked