List: fedora-selinux-list
Subject: Re: Diagnostic messages
From: Daniel J Walsh <dwalsh () redhat ! com>
Date: 2014-10-28 12:01:41
Message-ID: 544F85A5.9080909 () redhat ! com
Yes, somehow this got mislabeled.
On 10/27/2014 02:50 PM, Gian Luca Ortelli wrote:
> Yes, I ran the restorecon command as you described it ('restorecon -R
> -v ~/.pki') and things were fine again. So I guess my .pki settings
> were wrongly changed at some point in the past, right?
>
> I'll keep the setsebool method for the next time chrome breaks, which I'm
> afraid will be in a few updates.
>
> Thanks,
> Gianluca Ortelli
>
> On Mon, Oct 27, 2014 at 4:39 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
>
> Did you run the restorecon command?
>
> It looks like chrome is allowed to read files labeled home_cert_t
> but might be blocked from other types.
>
> You could also turn off the chrome security using a boolean
>
> setsebool -P unconfined_chrome_sandbox_transition 1
>
> Which would do the equivalent of what you did in relabelling the
> executable to bin_t.
>
>
> On 10/27/2014 04:07 AM, Gian Luca Ortelli wrote:
> > Hi,
> >
> > my original fix was more coarse-grained than this: I set the type
> > of the chrome-sandbox to the generic SELinux executable (was it
> > bin_t?).
> >
> > Anyway, I tried your suggestion (a chrome update broke my fix
> > several days ago, and I was back to 'setenforce 0' mode) and it
> > also solves the problem.
> >
> > Any ideas on why I don't get an explicit error message? Something
> > like 'selinux is preventing chrome-sandbox from accessing .pki'?
> > Or is the problem too indirect for selinux to figure out what's
> > going wrong exactly?
> >
> > Kind regards,
> > Gianluca Ortelli
> >
> > On Fri, Oct 24, 2014 at 7:22 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> >
> >
> > On 10/23/2014 02:28 AM, Gian Luca Ortelli wrote:
> > > Hi,
> > >
> > > I recently had to do some selinux tuning to have chrome
> > > correctly start on my fedora 20 box. I googled around and
> > > eventually found the correct type to apply to the chrome
> > > executable in order to make it work.
> > >
> > > So the problem is solved, but the error messages that I got
> > > were much less informative than I expected. After
> > > watching https://www.youtube.com/watch?v=MxjenQ31b70 on
> > > selinux configuration, I was expecting messages in a format
> > > like "selinux is preventing X from access on directory Y",
> > > but instead...
> > >
> > > 'journal -f' provided nothing useful; 'tail -f
> > > /var/log/audit/audit.log' showed a couple of log lines which
> > > actually mentioned chrome, but in too generic a manner (see
> > > below):
> > >
> > > --------------------------------------
> > > type=SYSCALL msg=audit(1413532031.170:387): arch=c000003e
> > > syscall=56 success=yes exit=2394 a0=60000011 a1=0 a2=0 a3=0
> > > items=0 ppid=2382 pid=2393 auid=1000 uid=1000 gid=1000
> > > euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000
> > > tty=(none) ses=1 comm="chrome-sandbox"
> > > exe="/opt/google/chrome/chrome-sandbox"
> > > subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
> > > key=(null)
> > > type=PROCTITLE msg=audit(1413532031.170:387):
> > > proctitle=2F6F70742F676F6F676C652F6368726F6D652F6368726F6D652D73616E64626F78002F6F70742F676F6F676C652F6368726F6D652F6368726F6D65002D2D747970653D7A79676F7465
> > > type=ANOM_ABEND msg=audit(1413532031.195:388): auid=1000
> > > uid=1000 gid=1000 ses=1
> > > subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
> > > pid=2394 comm="chrome" exe="/opt/google/chrome/chrome" sig=11
> > > --------------------------------------
> > >
> > > Before I fixed the problem, launching google-chrome from
> > > command line resulted in an error message about the
> > > impossibility of creating directory .pki/nssdb in my home.
> > > No mention of this directory name in the audit.
> > >
> > > And to finish, the SELinux troubleshooting tool didn't show
> > > anything at all.
> > >
> > > Why don't I see a richer diagnostics? Am I missing some
> > > configuration?
> > >
> > >
> > > Kind regards,
> > > Gianluca Ortelli
> > >
> > >
> > > --
> > > selinux mailing list
> > > selinux@lists.fedoraproject.org
> > > https://admin.fedoraproject.org/mailman/listinfo/selinux
> > What exactly did you do to fix the problem? Did you have to
> > fix the labels on .pki? restorecon -R -v ~/.pki
> >
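What the quoted audit records do and do not say can be checked mechanically rather than by eye. The following is an added example, not code from this thread or from any Fedora or SELinux tool: a small Python parser for audit.log records that splits the key=value fields, decodes the hex-encoded PROCTITLE argv, names the syscall for the x86_64 arch value shown, and reports whether any AVC denial is present. The three sample records are the ones quoted above, re-joined onto single lines as auditd writes them; the extra AVC record is constructed (its dev, ino and the user_home_t target label are assumptions) so that a genuine denial, the kind setroubleshoot reports on, can be seen beside them. The syscall-name table covers only a handful of x86_64 entries.

```python
"""Classify Linux audit records: is there an SELinux denial here or not?

Added example for the fedora-selinux thread above; not the list's or any
tool's own code. Sample records below are taken from the thread; the AVC
record is constructed.
"""
import re
import signal
from typing import Dict, List, Optional

# The three records quoted in the thread, one record per line.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1413532031.170:387): arch=c000003e syscall=56 success=yes exit=2394 a0=60000011 a1=0 a2=0 a3=0 items=0 ppid=2382 pid=2393 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="chrome-sandbox" exe="/opt/google/chrome/chrome-sandbox" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)
type=PROCTITLE msg=audit(1413532031.170:387): proctitle=2F6F70742F676F6F676C652F6368726F6D652F6368726F6D652D73616E64626F78002F6F70742F676F6F676C652F6368726F6D652F6368726F6D65002D2D747970653D7A79676F7465
type=ANOM_ABEND msg=audit(1413532031.195:388): auid=1000 uid=1000 gid=1000 ses=1 subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 pid=2394 comm="chrome" exe="/opt/google/chrome/chrome" sig=11
"""

# Constructed: the kind of record the thread's author expected but never got.
# Field layout is the standard AVC format; dev, ino and the target label are
# made up for illustration.
SAMPLE_AVC = ('type=AVC msg=audit(1413532031.200:389): avc:  denied  { write } for  '
              'pid=2394 comm="chrome" name="nssdb" dev="dm-1" ino=12345 '
              'scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 '
              'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir')

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')

# Partial x86_64 table (arch=c000003e); syscall= is decimal in audit records.
X86_64_SYSCALLS = {2: "open", 56: "clone", 59: "execve", 83: "mkdir", 257: "openat"}


def parse_record(line: str) -> Dict[str, object]:
    """Turn one audit record into a dict of its fields.

    Quotes are stripped from values; msg=audit(ts:serial) becomes 'timestamp'
    and 'serial'; an AVC record also gets 'decision' and 'permissions'.
    """
    rec: Dict[str, object] = {}
    m = MSG_RE.search(line)
    if m:
        rec["timestamp"] = float(m.group(1))
        rec["serial"] = int(m.group(2))
    for key, val in FIELD_RE.findall(line):
        if key != "msg":
            rec[key] = val.strip('"')
    avc = AVC_RE.search(line)
    if avc:
        rec["decision"] = avc.group(1)
        rec["permissions"] = avc.group(2).split()
    return rec


def parse_log(text: str) -> List[Dict[str, object]]:
    return [parse_record(ln) for ln in text.splitlines() if ln.strip()]


def context_type(ctx: str) -> str:
    """Type component of a user:role:type:level SELinux context."""
    return ctx.split(":")[2]


def decode_proctitle(hexstr: str) -> List[str]:
    """PROCTITLE carries argv hex-encoded with NUL separators; recover argv."""
    raw = bytes.fromhex(hexstr).rstrip(b"\x00")
    return [part.decode("utf-8", "replace") for part in raw.split(b"\x00")]


def syscall_name(rec: Dict[str, object]) -> Optional[str]:
    """Name a SYSCALL record's syscall when the arch is x86_64 and known."""
    if rec.get("type") != "SYSCALL" or rec.get("arch") != "c000003e":
        return None
    return X86_64_SYSCALLS.get(int(str(rec["syscall"])))


def signal_name(sig: str) -> str:
    try:
        return signal.Signals(int(sig)).name
    except (ValueError, AttributeError):
        return "signal %s" % sig


def diagnose(records: List[Dict[str, object]]) -> Dict[str, object]:
    """Separate real SELinux denials from records that merely look alarming.

    A SYSCALL record with success=yes and an ANOM_ABEND (a crash) are not
    denials; only AVC records with decision=denied are, and only those feed
    setroubleshoot. That is why the thread's log produced no sealert output.
    """
    denials = [r for r in records if r.get("type") == "AVC" and r.get("decision") == "denied"]
    abends = [r for r in records if r.get("type") == "ANOM_ABEND"]
    domains = sorted({context_type(str(r["subj"])) for r in records if "subj" in r})
    lines = []
    for r in denials:
        lines.append("SELinux denied {%s} on %s labelled %s to %s (comm=%s)" % (
            " ".join(r["permissions"]), r.get("tclass"), context_type(str(r["tcontext"])),
            context_type(str(r["scontext"])), r.get("comm")))
    for r in abends:
        lines.append("%s crashed with %s in domain %s (no AVC record for it)" % (
            r.get("comm"), signal_name(str(r["sig"])), context_type(str(r["subj"]))))
    if not denials:
        lines.append("no AVC denial recorded: not an enforced SELinux denial; "
                     "check file labels (e.g. restorecon -n -R -v <dir>) or a silent dontaudit rule")
    return {"denials": denials, "abends": abends, "domains": domains, "summary": lines}


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_AUDIT_LOG):
        if rec["type"] == "PROCTITLE":
            print("argv:", decode_proctitle(str(rec["proctitle"])))
        elif rec["type"] == "SYSCALL":
            print("syscall:", syscall_name(rec), "success:", rec["success"])
    for line in diagnose(parse_log(SAMPLE_AUDIT_LOG + SAMPLE_AVC))["summary"]:
        print(line)
```

Run against the thread's three records the result is exactly what the author saw: a successful clone() by chrome-sandbox in chrome_sandbox_t, a SIGSEGV in the child, and no AVC record, which is why neither the audit log nor the troubleshooter named ~/.pki. A label check (restorecon with -n for a dry run) is then the next step, as the thread's resolution shows. Note that access blocked by a dontaudit rule produces no AVC record either; `semodule -DB` (disable dontaudit rules, then rebuild) is the standard way to surface those.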