SELinux and google-chrome "Aw, Snap!" crashes
John Austin
ja at jaa.org.uk
Thu Sep 16 10:02:57 UTC 2010
On Wed, 2010-09-15 at 08:53 -0400, Daniel J Walsh wrote:
> On 09/15/2010 04:39 AM, John Austin wrote:
> > Hi
> >
> > I have a fully updated F13 (64bit) machines using
> > google-chrome 6.0.472.55 beta
> >
> > With SELinux in Enforcing mode
> >
> > google-chrome will crash leaving no error messages in dmesg
> > or /var/log/messages or in the terminal if run from the command line
> > (to be exact - only the startup messages shown below)
> > No Selinux problems are shown by SElinux Troubleshooter
> >
> > Just the "Aw, Snap!" page is shown
> > "Something went wrong while displaying this webpage"
> > No keys, mouse buttons do anything useful within the display area.
> > Selecting "Learn more" repaints the "Aw, Snap!" page.
> > The outer window is active ie bookmarks, options can be accessed
> > but the "display area" will not reload anything other than "Aw, Snap!"
> > The top right "kill window X" does indeed kill the window
> >
> > The site I have been using for testing is
> > http://www.justtheflight.co.uk/
> >
> > Type in "gat" into the "Departing from" and selecting
> > London Gatwick
> > causes the crash
> >
> > Switching SElinux to permissive mode DOES NOT crash the above site!
> > but SElinux Troubleshooter shows no problems.
> >
> > As far as I remember the only things I have changed in SElinux
> > were a couple of settings that were to do with my home
> > directories being on NFS mounts.
> >
> > I have fiddled with almost all of the google-chrome option settings etc
> > Also searched the web. Found many references to "Aw, Snap!" but
> > could not see anything that might help.
> >
> > Has anyone else seen this problem?
> > Advice as to how to debug further very welcome
> >
> > John
> >
> > Running in a terminal gives
> > milos ~ 1# google-chrome
> > /usr/bin/google-chrome: /lib64/libz.so.1: no version information available (required by /usr/bin/google-chrome)
> > /usr/bin/google-chrome: /lib64/libz.so.1: no version information available (required by /usr/bin/google-chrome)
> > /opt/google/chrome/chrome: /lib64/libz.so.1: no version information available (required by /opt/google/chrome/chrome)
> > /opt/google/chrome/chrome: /lib64/libz.so.1: no version information available (required by /opt/google/chrome/chrome)
> >
> Well first off I would never run a web browser as root.
>
> You could try to disable the dontaudit rules and see if we are covering
> up something that could be breaking it.
>
>
> # semodule -DB
>
> Run google-chrome as a normal user.
> > google-chrome
>
> Turn the dontaudit rules back on
> # semodule -B
> # ausearch -m avc -ts recent
Hi
Many thanks for the reply
(The non-root # is from a different era - HPUX or Solaris maybe
google-chrome was being run as a normal user)
You have goaded me into changing my prompts!
I have carried out the commands as requested but have no real idea
what they mean !!
[root@milos ~]# semodule -DB
ja@milos 8$ google-chrome
/usr/bin/google-chrome: /lib64/libz.so.1: no version information available (required by /usr/bin/google-chrome)
/usr/bin/google-chrome: /lib64/libz.so.1: no version information available (required by /usr/bin/google-chrome)
/opt/google/chrome/chrome: /lib64/libz.so.1: no version information available (required by /opt/google/chrome/chrome)
/opt/google/chrome/chrome: /lib64/libz.so.1: no version information available (required by /opt/google/chrome/chrome)
I crashed out GC using the original "justtheflight" site
[root@milos ~]# semodule -B
[root@milos ~]# ausearch -m avc -ts recent > ausearch_dump
ausearch_dump shows entries of the form shown below, 691 of them!
I attach the complete file for reference
Thanks again for the interest
John
I will reply to JB separately
time->Thu Sep 16 08:59:57 2010
type=SYSCALL msg=audit(1284623997.534:2715): arch=c000003e syscall=2 success=no exit=-13 a0=7feba9d3a130 a1=90800 a2=1 a3=0 items=0 ppid=1 pid=1793 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dbus-daemon" exe="/bin/dbus-daemon" subj=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1284623997.534:2715): avc: denied { search } for pid=1793 comm="dbus-daemon" name="root" dev=sda6 ino=1179649 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
----
time->Thu Sep 16 08:59:57 2010
type=SYSCALL msg=audit(1284623997.534:2716): arch=c000003e syscall=254 success=yes exit=4294967424 a0=6 a1=7feba9d312b0 a2=2c8 a3=1b items=0 ppid=1 pid=1793 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dbus-daemon" exe="/bin/dbus-daemon" subj=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1284623997.534:2716): avc: denied { search } for pid=1793 comm="dbus-daemon" name="root" dev=sda6 ino=1179649 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
----
time->Thu Sep 16 08:59:57 2010
type=SYSCALL msg=audit(1284623997.543:2718): arch=c000003e syscall=59 success=yes exit=0 a0=7eff741b3a60 a1=7eff81b226d0 a2=0 a3=31 items=0 ppid=21796 pid=21805 auid=202 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="setfiles" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1284623997.543:2718): avc: denied { noatsecure } for pid=21805 comm="setfiles" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1284623997.543:2718): avc: denied { siginh } for pid=21805 comm="setfiles" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1284623997.543:2718): avc: denied { rlimitinh } for pid=21805 comm="setfiles" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
----
time->Thu Sep 16 09:00:00 2010
type=SYSCALL msg=audit(1284624000.825:2720): arch=c000003e syscall=2 success=no exit=-13 a0=7fff82116bc0 a1=0 a2=0 a3=ffffffff items=0 ppid=0 pid=21811 auid=202 uid=202 gid=17 euid=202 suid=202 fsuid=202 egid=17 sgid=17 fsgid=17 tty=pts1 ses=1 comm="chrome" exe="/opt/google/chrome/chrome" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1284624000.825:2720): avc: denied { search } for pid=21811 comm="chrome" name="ja" dev=0:19 ino=784897 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
----
time->Thu Sep 16 09:00:00 2010
type=SYSCALL msg=audit(1284624000.825:2721): arch=c000003e syscall=2 success=no exit=-13 a0=7fff82116bc0 a1=0 a2=0 a3=ffffffff items=0 ppid=0 pid=21811 auid=202 uid=202 gid=17 euid=202 suid=202 fsuid=202 egid=17 sgid=17 fsgid=17 tty=pts1 ses=1 comm="chrome" exe="/opt/google/chrome/chrome" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1284624000.825:2721): avc: denied { search } for pid=21811 comm="chrome" name="ja" dev=0:19 ino=784897 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
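
Added example, not part of the original post: with dontaudit rules disabled the dump runs to hundreds of records, so one way to triage it is to group the AVC denials by source type, target type, class and permission, and optionally keep only one source domain such as chrome_sandbox_t. The function names are hypothetical, and the sample input is the AVC lines from the excerpt above plus one shortened SYSCALL line.

```python
import re
from collections import Counter

# AVC lines copied from the excerpt in the post; the SYSCALL line is shortened.
SAMPLE = '''\
type=SYSCALL msg=audit(1284623997.534:2715): arch=c000003e syscall=2 success=no exit=-13 comm="dbus-daemon"
type=AVC msg=audit(1284623997.534:2715): avc: denied { search } for pid=1793 comm="dbus-daemon" name="root" dev=sda6 ino=1179649 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1284623997.534:2716): avc: denied { search } for pid=1793 comm="dbus-daemon" name="root" dev=sda6 ino=1179649 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1284623997.543:2718): avc: denied { noatsecure } for pid=21805 comm="setfiles" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1284623997.543:2718): avc: denied { siginh } for pid=21805 comm="setfiles" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1284623997.543:2718): avc: denied { rlimitinh } for pid=21805 comm="setfiles" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1284624000.825:2720): avc: denied { search } for pid=21811 comm="chrome" name="ja" dev=0:19 ino=784897 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1284624000.825:2721): avc: denied { search } for pid=21811 comm="chrome" name="ja" dev=0:19 ino=784897 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the denial's perms, comm, source/target type and class, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    try:
        # A context is user:role:type:level; the type is the third field.
        source = fields['scontext'].split(':')[2]
        target = fields['tcontext'].split(':')[2]
        tclass = fields['tclass']
    except (KeyError, IndexError):
        return None  # truncated or malformed record
    return {'perms': m.group('perms').split(), 'comm': fields.get('comm', '?'),
            'source': source, 'target': target, 'tclass': tclass}

def summarize(text, source_type=None):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line) if line.startswith('type=AVC') else None
        if rec is None or (source_type and rec['source'] != source_type):
            continue
        for perm in rec['perms']:
            counts[(rec['source'], rec['target'], rec['tclass'], perm)] += 1
    return counts

if __name__ == '__main__':
    for key, n in summarize(SAMPLE).most_common():
        print(n, *key)
```

To run it over a full dump, pass the contents of the ausearch output file to `summarize()` in place of `SAMPLE`.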