SELinux 正在阻止 /opt/google/chrome/chrome-sandbox 对哪个文件进行写访问?

tag-icon tag-icon fedora chrome selinux
SELinux 正在阻止 /opt/google/chrome/chrome-sandbox 对哪个文件进行写访问?

自从升级到 Chrome 以来,我不断收到以下错误google-chrome-stable-42.0.2311.90-1.x86_64

SELinux 正在阻止 /opt/google/chrome/chrome-sandbox 对文件进行写访问。

我没有安装任何自定义插件或修改我的 Chrome 设置。谷歌上出现各种搜索错误报告被视为不是错误而被关闭,以及有关如何通过应用自定义策略绕过 SELinux 的说明。

SELinux 故障排除程序提出了以下建议:

SELinux is preventing /opt/google/chrome/chrome-sandbox from write access on the file .

*****  Plugin chrome (98.5 confidence) suggests   ****************************

If you want to use the plugin package
Then you must turn off SELinux controls on the Chrome plugins.
Do
# setsebool -P unconfined_chrome_sandbox_transition 0

*****  Plugin catchall (2.46 confidence) suggests   **************************

If you believe that chrome-sandbox should be allowed write access on the  file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep chrome-sandbox /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
                              0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Objects                 [ file ]
Source                        chrome-sandbox
Source Path                   /opt/google/chrome/chrome-sandbox
Port                          <Unknown>
Host                          fqdn
Source RPM Packages           google-chrome-stable-42.0.2311.90-1.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-197.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fqdn
Platform                      Linux fqdn 3.19.4-100.fc20.x86_64 #1 SMP
                              Mon Apr 13 21:46:59 UTC 2015 x86_64 x86_64
Alert Count                   68
First Seen                    2015-04-25 18:15:53
Last Seen                     2015-04-30 20:51:59
Local ID                      ab14f

Raw Audit Messages
type=AVC msg=audit(123.456:300): avc:  denied  { write } for  pid=3642 comm="chrome-sandbox" name="oom_adj" dev="proc" ino=52951 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file permissive=0


type=SYSCALL msg=audit(123.456:300): arch=x86_64 syscall=openat success=no exit=EACCES a0=3 a1=402138 a2=1 a3=0 items=0 ppid=3480 pid=3642 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm=chrome-sandbox exe=/opt/google/chrome/chrome-sandbox subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Hash: chrome-sandbox,chrome_sandbox_t,unconfined_t,file,write

我不太同意关闭 Chrome 插件上的 SELinux 控制的建议。我也不知道文件的写访问权限.意味着什么。它是 chrome-sandbox 的当前文件夹吗?我尝试搜索 inode 52591,但找不到该文件。

谁能解释一下问题是什么以及如何解决这个问题?

答案1

这是 Chromium / Chrome 中的回归(之前已修复的错误再次出现)。谷歌开发人员似乎并不急于修复它,甚至承认这是他们的错误(叹气)。

当前错误 ID:https://code.google.com/p/chromium/issues/detail?id=477329

原来已关闭的错误:https://code.google.com/p/chromium/issues/detail?id=41853

答案2

$ grep chrome /var/log/audit/audit.log | audit2allow -M mypol
$ semodule -i mypol.pp

相关内容