SELinux and google-chrome "Aw, Snap!" crashes
John Austin
ja at jaa.org.uk
Thu Sep 16 15:05:31 UTC 2010
On Thu, 2010-09-16 at 07:47 -0400, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 09/16/2010 06:04 AM, John Austin wrote:
> > On Wed, 2010-09-15 at 13:10 +0000, JB wrote:
> >> John Austin <ja <at> jaa.org.uk> writes:
> >>
> >>>
> >>> Hi
> >>>
> >>> I have a fully updated F13 (64bit) machines using
> >>> google-chrome 6.0.472.55 beta
> >>>
> >>> With SELinux in Enforcing mode
> >>>
> >>> google-chrome will crash leaving no error messages in dmesg
> >>> or /var/log/messages or in the terminal if run from the command line
> >>> (to be exact - only the startup messages shown below)
> >>> No Selinux problems are shown by SElinux Troubleshooter
> >>>
> >>> Just the "Aw, Snap!" page is shown
> >>> "Something went wrong while displaying this webpage"
> >>> No keys, mouse buttons do anything useful within the display area.
> >>> Selecting "Learn more" repaints the "Aw, Snap!" page.
> >>> The outer window is active ie bookmarks, options can be accessed
> >>> but the "display area" will not reload anything other than "Aw, Snap!"
> >>> The top right "kill window X" does indeed kill the window
> >>>
> >>> The site I have been using for testing is
> >>> http://www.justtheflight.co.uk/
> >>>
> >>> Type in "gat" into the "Departing from" and selecting
> >>> London Gatwick
> >>> causes the crash
> >>>
> >>> Switching SElinux to permissive mode DOES NOT crash the above site!
> >>> but SElinux Troubleshooter shows no problems.
> >>>
> >>> As far as I remember the only things I have changed in SElinux
> >>> were a couple of settings that were to do with my home
> >>> directories being on NFS mounts.
> >>>
> >>> I have fiddled with almost all of the google-chrome option settings etc
> >>> Also searched the web. Found many references to "Aw, Snap!" but
> >>> could not see anything that might help.
> >>>
> >>> Has anyone else seen this problem?
> >>> Advice as to how to debug further very welcome
> >>>
> >>> John
> >>>
> >>> Running in a terminal gives
> >>> milos ~ 1# google-chrome
> >>> /usr/bin/google-chrome: /lib64/libz.so.1: no version information available
> >> (required by /usr/bin/google-chrome)
> >>> /usr/bin/google-chrome: /lib64/libz.so.1: no version information available
> >> (required by /usr/bin/google-chrome)
> >>> /opt/google/chrome/chrome: /lib64/libz.so.1: no version information available
> >> (required by /opt/google/chrome/chrome)
> >>> /opt/google/chrome/chrome: /lib64/libz.so.1: no version information available
> >> (required by /opt/google/chrome/chrome)
> >>>
> >>
> >
> >
> > Many thanks for the reply
> > I have intermixed my feedback below
> >
> >> Hi,
> >> some remarks and hints.
> >>
> >> Make sure that you have the latest package (sometimes it gets updated every
> >> day):
> >> # yum list installed *chrome*
> >> # yum update *chrome*
> > Yes I updated to google-chrome-beta-6.0.472.59-59126.x86_64 yesterday -
> > no change
> >
> >>
> >> I noticed that you ran the browser from root prompt (#) - a Big NO-NO !
> > This was just an obsolete .bashrc/.bash_profile
> > The browser was not being run as root!
> >
> >>
> >> The "Aw, Snap!" problem has been reported since 2008 on all platforms (Win,
> >> Mac, Linux) under all circumstances. It seems to be a general error.
> >> So it is not related directly to SELinux, but it may be on your machine, in
> >> particular if your home dir is on NFS (timeouts, locks, and similar issues).
> > I am using NIS + autofs + NFS4 for home directories
> > Abstract from my F13_install "log"
> > If SElinux is enabled then it is necessary to use SELinux Management to
> > set
> > Boolean ssh allow host key authentication
> > if direct ssh from another machine is required.
> > Also
> > setsebool -P use_nfs_home_dirs
> >
> > I have tried adding a new local user on a client machine and the problem is not there
> > Not a definitive test as the new user will have different defaults.
> >
> > I have tried adding a new user to the server (Centos5.5) and logged into
> > the client - "justtheflight" crashes.
> >
> > This suggests that it is the NFS mount that is causing the problem
> > I have no idea why this should be!
> >
> > The new users should have "default" settings for the options below
> > I have not tested all these yet
> >
> > The sandbox does crash but the nosandbox does NOT - see below
> >>
> >> Some hints regarding browser config:
> >> - take a look at your config and change to default options for the time being
> >> Tools button
> >> Options
> >> Under the Hood:
> >> Content settings:
> >> JavaScript <--- allow all sites, no exceptions
> >> Plug-ins <--- allow all sites, no exceptions
> >> try all ON and all OFF
> >> Use DNS prefetching ... <--- test with ON and OFF
> >> Enable phishing and malware ... <--- test with ON and OFF
> >> Change proxy settings:
> >> Direct internet connection <--- yes, if you can
> >> Translate ... <--- turn it OFF
> >> - extensions
> >> Tools button - Tools - Extensions
> >> If you have any, try to disable them all,later one by one, then restart
> >> the browser and see what happens.
> >>
> >> Debugging:
> >> http://code.google.com/p/chromium/wiki/LinuxDebugging
> >> >From a terminal (gnome terminal, xterm, etc):
> >> $ CHROME_IPC_LOGGING=1 google-chrome --log-level=0 --enable-logging=stderr >&
> >> .chrom.log http://www.justtheflight.co.uk/
> >> This will generate a log file .chrom.log in your home dir. If not empty, attach
> >> it to your problem report.
> > This from the new user whose home directory is NFS mounted (The site crashed)
> > [tester at milos ~]$ CHROME_IPC_LOGGING=1 google-chrome --log-level=0 --enable-logging=stderr >& .chrom.log http://www.justtheflight.co.uk/
> > [tester at milos ~]$ cat .chrom.log
> > /usr/bin/google-chrome: /lib64/libz.so.1: no version information available (required by /usr/bin/google-chrome)
> > /usr/bin/google-chrome: /lib64/libz.so.1: no version information available (required by /usr/bin/google-chrome)
> > [22545:22562:145918300330:INFO:net/base/host_resolver_impl.cc(1083)] IPv6Probe forced AddressFamily setting to ADDRESS_FAMILY_IPV4
> > [22545:22545:145918310946:INFO:chrome/browser/extensions/extensions_service.cc(630)] Sending EXTENSION_LOADED
> > [22545:22545:145918332021:INFO:chrome/browser/sync/profile_sync_service.cc(97)] Detected official build, using official sync server.
> > [22545:22545:145918332059:INFO:chrome/browser/sync/profile_sync_service.cc(129)] Starting ProfileSyncService.
> > [22545:22545:145918332065:INFO:chrome/browser/sync/profile_sync_service.cc(198)] Using https://clients4.google.com/chrome-sync for sync server URL.
> > [22545:22545:145918332103:INFO:chrome/browser/sync/profile_sync_service.cc(357)] Clearing Sync DB.
> > [22545:22562:145918429713:INFO:net/proxy/proxy_service.cc(644)] Failed initial proxy configuration fetch.
> > [22545:22562:145919777048:INFO:chrome/browser/renderer_host/buffered_resource_handler.cc(208)] To buffer: http://www.justtheflight.co.uk/
> > [22545:22562:145919777591:INFO:chrome/browser/renderer_host/buffered_resource_handler.cc(140)] Finished buffering http://www.justtheflight.co.uk/
> > [22545:22545:145919817088:INFO:chrome/browser/history/history.cc(747)] History backend finished loading
> > [22545:22562:145920140936:INFO:chrome/browser/renderer_host/buffered_resource_handler.cc(178)] To buffer: http://www.justtheflight.co.uk/xmlfeeds/jtfairports.xml
> > [22545:22562:145920144427:INFO:chrome/browser/renderer_host/buffered_resource_handler.cc(140)] Finished buffering http://www.justtheflight.co.uk/xmlfeeds/jtfairports.xml
> > [22545:22556:145928316471:INFO:chrome/common/important_file_writer.cc(71)] successfully saved /home/tester/.config/google-chrome/Default/Preferences
> > [22545:22556:145930787476:INFO:chrome/common/important_file_writer.cc(71)] successfully saved /home/tester/.config/google-chrome/Local State
> > [22545:22556:145930794207:INFO:chrome/common/important_file_writer.cc(71)] successfully saved /home/tester/.config/google-chrome/Default/Preferences
> >
> >>
> >> You can run the browser without sandboxing (their idea about processes
> >> separation and security); but because of that do it only for testing, not to
> >> access important to you web sites:
> >> $ google-chrome --no-sandbox http://www.justtheflight.co.uk/
> >
> > [tester at milos ~]$ google-chrome --no-sandbox http://www.justtheflight.co.uk/
> > In this case the site did NOT crash
> >
> >> You may run the browser in debugging session with it as well:
> >> $ CHROME_IPC_LOGGING=1 google-chrome --no-sandbox --log-level=0
> >> --enable-logging=stderr >& .chrom.log http://www.justtheflight.co.uk/
> >
> > [tester at milos ~]$ CHROME_IPC_LOGGING=1 google-chrome --no-sandbox --log-level=0 --enable-logging=stderr >& .chrom.log http://www.justtheflight.co.uk/
> > [tester at milos ~]$ cat .chrom.log
> > /usr/bin/google-chrome: /lib64/libz.so.1: no version information available (required by /usr/bin/google-chrome)
> > /usr/bin/google-chrome: /lib64/libz.so.1: no version information available (required by /usr/bin/google-chrome)
> > /opt/google/chrome/chrome: /lib64/libz.so.1: no version information available (required by /opt/google/chrome/chrome)
> > /opt/google/chrome/chrome: /lib64/libz.so.1: no version information available (required by /opt/google/chrome/chrome)
> > [22719:22732:146271772673:INFO:net/base/host_resolver_impl.cc(1083)] IPv6Probe forced AddressFamily setting to ADDRESS_FAMILY_IPV4
> > [22719:22719:146271780682:INFO:chrome/browser/extensions/extensions_service.cc(630)] Sending EXTENSION_LOADED
> > [22719:22719:146271796677:INFO:chrome/browser/sync/profile_sync_service.cc(97)] Detected official build, using official sync server.
> > [22719:22719:146271796708:INFO:chrome/browser/sync/profile_sync_service.cc(129)] Starting ProfileSyncService.
> > [22719:22719:146271796714:INFO:chrome/browser/sync/profile_sync_service.cc(198)] Using https://clients4.google.com/chrome-sync for sync server URL.
> > [22719:22719:146271796757:INFO:chrome/browser/sync/profile_sync_service.cc(357)] Clearing Sync DB.
> > [22719:22732:146271889163:INFO:net/proxy/proxy_service.cc(644)] Failed initial proxy configuration fetch.
> > [22719:22732:146273237280:INFO:chrome/browser/renderer_host/buffered_resource_handler.cc(208)] To buffer: http://www.justtheflight.co.uk/
> > [22719:22732:146273237768:INFO:chrome/browser/renderer_host/buffered_resource_handler.cc(140)] Finished buffering http://www.justtheflight.co.uk/
> > [22749:22749:146273240536:INFO:chrome/renderer/user_script_slave.cc(283)] Injected 0 scripts and 0 css files into http://www.justtheflight.co.uk/
> > [22719:22719:146273267428:INFO:chrome/browser/history/history.cc(747)] History backend finished loading
> > [22719:22732:146273558643:INFO:chrome/browser/renderer_host/buffered_resource_handler.cc(178)] To buffer: http://www.justtheflight.co.uk/xmlfeeds/jtfairports.xml
> > [22719:22732:146273559448:INFO:chrome/browser/renderer_host/buffered_resource_handler.cc(140)] Finished buffering http://www.justtheflight.co.uk/xmlfeeds/jtfairports.xml
> > [22749:22749:146273560901:INFO:chrome/renderer/user_script_slave.cc(283)] Injected 0 scripts and 0 css files into http://www.justtheflight.co.uk/
> > [22749:22749:146273711200:INFO:chrome/renderer/user_script_slave.cc(283)] Injected 0 scripts and 0 css files into http://www.justtheflight.co.uk/
> > [22719:22726:146281786532:INFO:chrome/common/important_file_writer.cc(71)] successfully saved /home/tester/.config/google-chrome/Default/Preferences
> > [22749:22749:146284263918:INFO:chrome/renderer/render_view.cc(4901)] PLT: 1841ms http://www.justtheflight.co.uk/
> > [22719:22726:146284296387:INFO:chrome/common/important_file_writer.cc(71)] successfully saved /home/tester/.config/google-chrome/Local State
> > [22719:22726:146284301758:INFO:chrome/common/important_file_writer.cc(71)] successfully saved /home/tester/.config/google-chrome/Default/Preferences
> >
> >>
> >> File a problem report:
> >> http://code.google.com/p/chromium/issues/list
> >> New issue
> >>
> >> JB
> >
> > Do you think I have reached the stage when I should submit a bug report?
> >
> > Thanks again
> >
> > John
> >
> >
> >
> Can you put the chrome-sandbox into permissive mode and see what AVC's
> it generated.
>
> # semanage permissive -a chrome_sandbox_t
>
> Then run chrome
> > chrome
>
> # ausearch -m avc -ts recent
> # semanage permissive -d chrome_sandbox_t
> to pu chrome_sandbox back into enforcing mode.
I have interpreted chrome as google-chrome above
[root at milos ~]# semanage permissive -a chrome_sandbox_t
google-chrome no longer crashes
-------------------------
[root at milos ~]# ausearch -m avc -ts recent
<no matches>
-------------------------
[root at milos ~]# semanage permissive -d chrome_sandbox_t
google-chrome crashes again
####################################################################
I have also carried out the above literally
ie running chrome and NOT google-chrome - is that as intended?
It fails as follows
[root at milos ~]# semanage permissive -a chrome_sandbox_t
--------------------------------
ja at milos 5$ /opt/google/chrome/chrome
/opt/google/chrome/chrome: error while loading shared libraries: libnss3.so.1d: cannot open shared object file: No such file or directory
--------------------------------
ja at milos 6$ yum provides */libnss3.so.1d
...
No Matches found
--------------------------------
ja at milos 7$ yum provides */libnss3.so
Loaded plugins: presto, refresh-packagekit
nss-3.12.6-12.fc13.i686 : Network Security Services
Repo : local-f13-update
Matched from:
Filename : /usr/lib/libnss3.so
nss-3.12.6-12.fc13.x86_64 : Network Security Services
Repo : local-f13-update
Matched from:
Filename : /usr/lib64/libnss3.so
adobeair-2.0.3-13070.i386 : Adobe AIR
Repo : adobe-linux-i386
Matched from:
Filename : /opt/Adobe AIR/Versions/1.0/Resources/nss3/0d/libnss3.so
Filename : /opt/Adobe AIR/Versions/1.0/Resources/nss3/1d/libnss3.so
nss-3.12.6-4.fc13.x86_64 : Network Security Services
Repo : fedora
Matched from:
Filename : /usr/lib64/libnss3.so
nss-3.12.6-4.fc13.i686 : Network Security Services
Repo : fedora
Matched from:
Filename : /usr/lib/libnss3.so
nss-3.12.6-12.fc13.x86_64 : Network Security Services
Repo : installed
Matched from:
Filename : /usr/lib64/libnss3.so
---------------------------------
ja at milos 9$ rpm -qa|grep nss
nss-3.12.6-12.fc13.x86_64
openssh-5.4p1-3.fc13.x86_64
nss-softokn-3.12.6-3.fc13.x86_64
nss_db-2.2.3-0.3.pre1.fc13.x86_64
openssh-clients-5.4p1-3.fc13.x86_64
nss_ldap-264-10.fc13.x86_64
nss-sysinit-3.12.6-12.fc13.x86_64
openssh-server-5.4p1-3.fc13.x86_64
nss-util-3.12.6-1.fc13.x86_64
nss_compat_ossl-0.9.6-1.fc13.x86_64
kdnssd-avahi-devel-0.1.3-0.9.20080116svn.fc12.x86_64
nss-softokn-freebl-3.12.6-3.fc13.x86_64
openssl-devel-1.0.0a-1.fc13.x86_64
nss-tools-3.12.6-12.fc13.x86_64
openssh-askpass-5.4p1-3.fc13.x86_64
openssl-1.0.0a-1.fc13.x86_64
nss-softokn-freebl-3.12.6-3.fc13.i686
kdnssd-avahi-0.1.3-0.9.20080116svn.fc12.x86_64
---------------------------------
More information about the users
mailing list