SELinux is preventing /opt/google/chrome/nacl_helper from getattr access on the file /etc/passwd

Is this a bug or a real security issue? It seems to have been discussed already, but I still don't understand why this happens or what is being done to fix the root cause (I'm not going to disable SELinux just so I don't have to see this error).

SELinux is preventing /opt/google/chrome/nacl_helper from getattr access on the file /etc/passwd.

***** Plugin chrome (98.5 confidence) suggests ****************************

If you want to use the plugin package
Then you must turn off SELinux controls on the Chrome plugins.
Do
# setsebool -P unconfined_chrome_sandbox_transition 0

***** Plugin catchall (2.46 confidence) suggests **************************

If you believe that nacl_helper should be allowed getattr access on the passwd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep nacl_helper /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
Target Context system_u:object_r:passwd_file_t:s0
Target Objects /etc/passwd [ file ]
Source nacl_helper
Source Path /opt/google/chrome/nacl_helper
Port <Unknown>
Host z1223lc7
Source RPM Packages google-chrome-stable-43.0.2357.81-1.x86_64
Target RPM Packages setup-2.8.71-5.el7.noarch
Policy RPM selinux-policy-3.13.1-23.el7_1.7.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name z1223lc7
Platform Linux z1223lc7 3.10.0-229.4.2.el7.x86_64 #1 SMP Wed May 13 10:06:09 UTC 2015 x86_64 x86_64
Alert Count 140
First Seen 2015-04-01 18:23:37 MDT
Last Seen 2015-06-06 13:25:49 MDT
Local ID b0bd92cc-2a6f-43db-8faa-96e434e9317e

Raw Audit Messages
type=AVC msg=audit(1433618749.991:423): avc: denied { getattr } for pid=5863 comm="chrome" path="/etc/passwd" dev="sdb3" ino=136280194 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file


type=SYSCALL msg=audit(1433618749.991:423): arch=x86_64 syscall=stat success=no exit=EACCES a0=7f0a9f79a9f8 a1=7fffb5a5eb50 a2=7fffb5a5eb50 a3=fffffffffffffa09 items=0 ppid=5862 pid=5863 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=1 comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Hash: nacl_helper,chrome_sandbox_t,passwd_file_t,file,getattr
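The two raw audit records above carry everything needed to judge this denial without touching the policy: the confined domain (chrome_sandbox_t), the target type (passwd_file_t), the permission (getattr), and, from the SYSCALL record, whether the kernel actually refused the call (success=no, exit=EACCES) or only logged it. The following parser is an added example, not code from the original post or from the setroubleshoot project. It embeds the two quoted records as constructed sample input, correlates them by audit id, and emits a triage summary plus the narrowest type-enforcement rule that would cover exactly this access, which is the shape audit2allow produces and is far narrower than clearing the unconfined_chrome_sandbox_transition boolean that sealert's first suggestion offers. Note that the raw record shows comm="chrome", so the summary key's first field differs from the "nacl_helper" sealert reported for the aggregated alert; the function names and the key layout are this example's own choices.

```python
"""Parse SELinux AVC/SYSCALL audit records and summarize a denial for triage.

Added example (not from the original post or from setroubleshoot). Assumes the
record layout quoted in the question: a type=AVC line and a type=SYSCALL line
sharing one audit(timestamp:serial) id, with interpreted exit values (EACCES).
"""
import re
import shlex
from collections import defaultdict

# Constructed sample input: the two raw audit records quoted in the question,
# both tagged with audit id 1433618749.991:423.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1433618749.991:423): avc: denied { getattr } for pid=5863 comm="chrome" path="/etc/passwd" dev="sdb3" ino=136280194 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=SYSCALL msg=audit(1433618749.991:423): arch=x86_64 syscall=stat success=no exit=EACCES a0=7f0a9f79a9f8 a1=7fffb5a5eb50 a2=7fffb5a5eb50 a3=fffffffffffffa09 items=0 ppid=5862 pid=5863 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=1 comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)
"""

# Every audit record opens with its type and the audit(timestamp:serial) id.
RECORD_RE = re.compile(r"^type=(?P<type>\w+)\s+msg=audit\((?P<id>\d+\.\d+:\d+)\):\s*(?P<body>.*)$")
# AVC bodies carry the decision and the permission set ahead of the key=value fields.
AVC_RE = re.compile(r"^avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")


def parse_fields(text):
    """Turn 'pid=5863 comm="chrome" key=(null)' into a dict, stripping quotes."""
    fields = {}
    for token in shlex.split(text):
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value
    return fields


def parse_record(line):
    """Parse one audit line into a dict; return None for lines that are not audit records."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    record = {"type": m.group("type"), "id": m.group("id")}
    body = m.group("body")
    if record["type"] == "AVC":
        a = AVC_RE.match(body)
        if not a:
            return None
        record["decision"] = a.group("decision")
        record["perms"] = a.group("perms").split()
        record.update(parse_fields(a.group("fields")))
    else:
        record.update(parse_fields(body))
    return record


def parse_audit_log(text):
    """Group records by audit id so the AVC and SYSCALL lines of one event sit together."""
    events = defaultdict(dict)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["id"]][rec["type"]] = rec
    return dict(events)


def context_type(context):
    """Return the type component (third field) of an SELinux security context."""
    return context.split(":")[2]


def summarize_denial(event):
    """Reduce one AVC+SYSCALL event to the facts that matter for triage."""
    avc = event["AVC"]
    syscall = event.get("SYSCALL", {})
    return {
        "comm": avc.get("comm"),
        "exe": syscall.get("exe"),
        "path": avc.get("path"),
        "source_type": context_type(avc["scontext"]),
        "target_type": context_type(avc["tcontext"]),
        "tclass": avc["tclass"],
        "perms": avc["perms"],
        # success=no means the kernel refused the call: the policy was enforcing,
        # not merely logging as it would in permissive mode.
        "enforced": syscall.get("success") == "no",
        "syscall": syscall.get("syscall"),
        "errno": syscall.get("exit"),
    }


def denial_key(summary):
    """Comma-joined key in the shape of sealert's 'Hash:' line (comm,stype,ttype,class,perms)."""
    return ",".join([summary["comm"], summary["source_type"], summary["target_type"],
                     summary["tclass"], " ".join(summary["perms"])])


def targeted_allow_rule(summary):
    """Narrowest TE rule covering exactly this denial (the shape audit2allow emits)."""
    perms = " ".join(summary["perms"])
    return f"allow {summary['source_type']} {summary['target_type']}:{summary['tclass']} {{ {perms} }};"


if __name__ == "__main__":
    for audit_id, event in parse_audit_log(SAMPLE_AUDIT_LOG).items():
        s = summarize_denial(event)
        print(f"{audit_id}: {s['comm']} ({s['exe']}) {s['syscall']}() on {s['path']} -> {s['errno']}")
        print("  key:       ", denial_key(s))
        print("  enforced:  ", s["enforced"])
        print("  minimal TE:", targeted_allow_rule(s))
```

Run against a real /var/log/audit/audit.log the same functions work line by line; the point of keeping the summary separate from the rule generator is that the rule is only ever a candidate for review, and the `enforced` flag tells you whether the users are actually being blocked or whether the alert count reflects permissive-mode logging.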

Answer 1

It appears this is a known bug, as shown here: https://bugzilla.redhat.com/show_bug.cgi?id=1204307
