Bug 598796 - SELinux is preventing /usr/lib/chromium-browser/chrome-sandbox "net_raw" access.
Summary: SELinux is preventing /usr/lib/chromium-browser/chrome-sandbox "net_raw" acce...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 12
Hardware: i386
OS: Linux
low
medium
Target Milestone: ---
Assignee: Eric Paris
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:5a5474236d4...
Depends On:
Blocks:
Reported: 2010-06-02 03:54 UTC by Rob Wills
Modified: 2011-11-23 16:21 UTC (History)
CC List: 95 users

Fixed In Version: kernel-2.6.32.21-168.fc12
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-07-13 20:12:36 UTC



Description Rob Wills 2010-06-02 03:54:04 UTC
Summary:

SELinux is preventing /usr/lib/chromium-browser/chrome-sandbox "net_raw" access.

Detailed Description:

[chrome-sandbox has a permissive type (chrome_sandbox_t). This access was not
denied.]

SELinux denied access requested by chrome-sandbox. It is not expected that this
access is required by chrome-sandbox and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
Target Objects                None [ capability ]
Source                        chrome-sandbox
Source Path                   /usr/lib/chromium-browser/chrome-sandbox
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           chromium-6.0.417.0-1.20100526svn48276.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-114.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.32.12-115.fc12.i686.PAE #1 SMP Fri Apr 30 20:14:08 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Tue 01 Jun 2010 08:53:25 PM CDT
Last Seen                     Tue 01 Jun 2010 08:53:25 PM CDT
Local ID                      c502f838-cb1f-428c-831d-c810a35724a5
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1275443605.690:53): avc:  denied  { net_raw } for  pid=26162 comm="chrome-sandbox" capability=13  scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tclass=capability

node=(removed) type=SYSCALL msg=audit(1275443605.690:53): arch=40000003 syscall=120 success=yes exit=26163 a0=60020011 a1=0 a2=0 a3=0 items=0 ppid=26158 pid=26162 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="chrome-sandbox" exe="/usr/lib/chromium-browser/chrome-sandbox" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  catchall,chrome-sandbox,chrome_sandbox_t,chrome_sandbox_t,capability,net_raw
audit2allow suggests:

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t self:capability net_raw;

Comment 1 Daniel Walsh 2010-06-02 19:14:54 UTC
Adam, this looks wrong?

Comment 2 Adam Langley 2010-06-02 19:36:16 UTC
net_raw, as in raw sockets? Yes, that's very wrong. I imagine that not being root will prevent this anyway, but I'd be very interested in how this was triggered.

Comment 3 Carl G. 2010-06-03 03:54:44 UTC
(In reply to comment #2)
> net_raw, as in raw sockets? Yes, that's very wrong. I imagine that not being
> root will prevent this anyway, but I'd be very interested in how this was
> triggered.    

.

Comment 4 Rob Wills 2010-06-03 14:34:20 UTC
Honestly, I'm not sure what exactly happened for SELinux to jump on this. I got the SEL warning immediately after launching Chromium.

Comment 5 Adam Langley 2010-06-03 14:40:38 UTC
@Rob Wills: can you point me at the packages that you installed so that I can try to replicate?

Comment 6 Rob Wills 2010-06-03 14:45:51 UTC
Sure, they're the packages provided by Tom Callaway. The packages are located at http://spot.fedorapeople.org/chromium/. Or, the yum repo information:

[chromium]
name=Chromium Test Packages
baseurl=http://spot.fedorapeople.org/chromium/F$releasever/
enabled=1
gpgcheck=0

Comment 7 Adam Langley 2010-06-03 21:18:26 UTC
I tried installing the packages from that URL (6.0.417.0-1.20100526svn48276) and cannot reproduce the issue (FC12).

The only use of SOCK_RAW in the Chromium tree is:
  socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);

Which is used to detect network changes. However, that code runs in the browser process, not in the sandbox.

Frankly, I'm at a loss I'm afraid. You can't strace through the sandbox because it's a SUID binary. You could try adding --renderer-cmd-prefix="strace -f -o /tmp/trace" to the command line. That will run without the sandbox, but the strace might show where the syscall is coming from.

Comment 8 Daniel Walsh 2010-06-03 21:23:53 UTC
Could you make sure that socket is closed on exec? Eric, could this be a leaked file descriptor?

Comment 9 Rob Wills 2010-06-14 00:58:32 UTC
For what it's worth, I set up a new laptop with a fresh install of F13 x86_64 with the chromium package repo that this bug report was initiated against and SELinux hasn't given me any problems with the net_raw access. I'm not sure if the issue was resolved with a newer package version of chromium, the SEL policy, or if this is a bug related to F12 specifically.

Comment 10 Daniel Walsh 2010-06-14 22:45:29 UTC
Ok, we can just act like it did not happen.  :^)  Reopen if it happens again.

Comment 11 Juan J. Martínez 2010-06-14 22:54:43 UTC
It's happening constantly here, with Fedora 12.

For example:

type=AVC msg=audit(1276555384.035:68): avc:  denied  { net_raw } for  pid=7335 comm="chrome-sandbox" capability=13  scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tclass=capability

type=SYSCALL msg=audit(1276555384.035:68): arch=40000003 syscall=120 success=yes exit=7336 a0=60020011 a1=0 a2=0 a3=0 items=0 ppid=7333 pid=7335 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="chrome-sandbox" exe="/usr/lib/chromium-browser/chrome-sandbox" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

It happens when a new web page is opened using xdg-open (for example, clicking a link in Evolution):

Raw Audit Messages 

node=(removed) type=AVC msg=audit(1276555742.501:85): avc:  denied  { net_raw } for  pid=7592 comm="chrome-sandbox" capability=13  scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tclass=capability

node=(removed) type=SYSCALL msg=audit(1276555742.501:85): arch=40000003 syscall=120 success=yes exit=7593 a0=60020011 a1=0 a2=0 a3=0 items=0 ppid=7590 pid=7592 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=pts1 ses=1 comm="chrome-sandbox" exe="/usr/lib/chromium-browser/chrome-sandbox" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

The problem started with Chromium 6.0.x I guess.

Comment 12 Daniel Walsh 2010-06-14 23:15:44 UTC
Eric what was the cause of the strange net_raw call in ftp?

Comment 13 jwieland 2010-06-28 23:28:06 UTC
I can confirm that this is happening on Fedora 12.  I updated Chromium from 

chromium-libs-6.0.399.0-1.fc12.x86_64
chromium-6.0.399.0-1.fc12.x86_64

to 

chromium-libs-6.0.425.0-1.20100603svn48849.fc12.x86_64
chromium-6.0.425.0-1.20100603svn48849.fc12.x86_64

I used the yum repo:
[chromium]
name=Chromium Test Packages
baseurl=http://spot.fedorapeople.org/chromium/F$releasever/
enabled=1
gpgcheck=0 

Immediately when I launched chromium I received the 'SELinux is preventing /usr/lib64/chromium-browser/chrome-sandbox "net_raw" access'.  

However the browser is working just fine for me.  

Full Copy of error:
=======


Summary:

SELinux is preventing /usr/lib64/chromium-browser/chrome-sandbox "net_raw" access.

Detailed Description:

[chrome-sandbox has a permissive type (chrome_sandbox_t). This access was not
denied.]

SELinux denied access requested by chrome-sandbox. It is not expected that this
access is required by chrome-sandbox and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
Target Objects                None [ capability ]
Source                        chrome-sandbox
Source Path                   /usr/lib64/chromium-browser/chrome-sandbox
Port                          <Unknown>
Host                          ws-jwieland-lin2
Source RPM Packages           chromium-6.0.425.0-1.20100603svn48849.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-108.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     ws-jwieland-lin2
Platform                      Linux ws-jwieland-lin2 2.6.32.11-99.fc12.x86_64 #1 SMP Mon Apr 5 19:59:38 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Mon 28 Jun 2010 04:22:58 PM PDT
Last Seen                     Mon 28 Jun 2010 04:22:58 PM PDT
Local ID                      3ffb48c9-581e-4f13-a8a9-12ae3166b946
Line Numbers                  

Raw Audit Messages            

node=ws-jwieland-lin2 type=AVC msg=audit(1277767378.925:39740): avc:  denied  { net_raw } for  pid=27276 comm="chrome-sandbox" capability=13  scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tclass=capability

node=ws-jwieland-lin2 type=SYSCALL msg=audit(1277767378.925:39740): arch=c000003e syscall=56 success=yes exit=27277 a0=60020011 a1=0 a2=0 a3=0 items=0 ppid=27274 pid=27276 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1574 comm="chrome-sandbox" exe="/usr/lib64/chromium-browser/chrome-sandbox" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Comment 14 Daniel Walsh 2010-06-29 15:43:25 UTC
I don't think this has been reported against F13.  So it might be a kernel issue.

Comment 15 Michael Monreal 2010-06-29 16:35:10 UTC
Negative, I am seeing the same on Fedora 13.

Comment 16 Eric Paris 2010-06-29 19:14:44 UTC
This was fixed upstream by commits:

c84b3268da3b85c9d8a9e504e1001a14ed829e94
3f378b684453f2a028eda463ce383370545d9cc9

Which were introduced in 2.6.33.  Since F13 is using 2.6.33 kernels it explains why this is not happening there.  If you are seeing it on F13 update your kernel.  If you are seeing this on F12 update to F13 *smile*

No, really, does this cause a serious issue?  I assume that chrome will just try again without the cloned network namespace, but that may not be true.  We could probably backport this to 2.6.32 if it is causing large problems, or just wait for f12 to move to a .33 kernel...

Comment 17 Adam Langley 2010-06-29 19:23:56 UTC
I guess from Eric Paris's post that this is a kernel bug. I'm not clear how the kernel bug manifests but Chrome will back off if it cannot fork with the requested flags:

(sandbox/linux/suid/sandbox.c)

  // These are the sets of flags which we'll try, in order.
  const int kCloneExtraFlags[] = {
    CLONE_NEWPID | CLONE_NEWNET | CLONE_NEWNS,
    CLONE_NEWPID | CLONE_NEWNET,
    CLONE_NEWPID,
  };

However, the back off will only be triggered if clone returned EINVAL.
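
Added triage example (not code from this bug, from Chromium or from Fedora): it pairs the AVC record with the SYSCALL record of the same audit serial from the lines quoted in comment 11, names capability 13 as CAP_NET_RAW, and decodes the clone(2) flags word a0=60020011, which is exactly CLONE_NEWPID | CLONE_NEWNET | CLONE_NEWNS plus SIGCHLD, the first entry of kCloneExtraFlags above; success=yes shows the check was logged but not enforced. Flag values and syscall numbers are taken from the Linux headers for i386 and x86_64; the sample input is constructed from this bug's own records.

```python
import re

# Constructed sample: the AVC/SYSCALL pair from comment 11 (i386; serial 68 links them).
SAMPLE = """\
type=AVC msg=audit(1276555384.035:68): avc:  denied  { net_raw } for  pid=7335 comm="chrome-sandbox" capability=13  scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1276555384.035:68): arch=40000003 syscall=120 success=yes exit=7336 a0=60020011 a1=0 a2=0 a3=0 items=0 ppid=7333 pid=7335 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="chrome-sandbox" exe="/usr/lib/chromium-browser/chrome-sandbox" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)
"""

# Namespace flags of clone(2) from <linux/sched.h>; the low byte of the word is the exit signal.
CLONE_FLAGS = {0x00020000: "CLONE_NEWNS", 0x04000000: "CLONE_NEWUTS", 0x08000000: "CLONE_NEWIPC",
               0x10000000: "CLONE_NEWUSER", 0x20000000: "CLONE_NEWPID", 0x40000000: "CLONE_NEWNET"}
CLONE_SYSCALLS = {(0x40000003, 120), (0xc000003e, 56)}  # (AUDIT_ARCH, nr) for i386 and x86_64
CAPABILITIES = {12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW", 21: "CAP_SYS_ADMIN"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")
PERMS_RE = re.compile(r"\{ ([^}]*) \}")

def parse_record(line):
    """Split one audit record into {field: value}; add its serial and the AVC permissions."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    serial, perms = SERIAL_RE.search(line), PERMS_RE.search(line)
    rec["serial"] = int(serial.group(1)) if serial else None
    rec["perms"] = perms.group(1).split() if perms else []
    return rec

def decode_clone_flags(a0):
    """Name the namespace flags set in a clone(2) flags word and keep its exit signal."""
    return {"flags": [name for bit, name in CLONE_FLAGS.items() if a0 & bit],
            "exit_signal": a0 & 0xFF}

def triage(text):
    """Pair each AVC with the SYSCALL of the same serial and decode what the process was doing."""
    by_serial = {}
    for line in filter(str.strip, text.splitlines()):
        rec = parse_record(line)
        by_serial.setdefault(rec["serial"], {})[rec["type"]] = rec
    events = []
    for serial, recs in by_serial.items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if avc is None or sc is None:
            continue
        cap = int(avc.get("capability", -1))
        ev = {"serial": serial, "comm": avc["comm"], "tclass": avc["tclass"],
              "perms": avc["perms"], "capability": CAPABILITIES.get(cap, cap),
              # success=yes: the AVC was logged but the syscall completed (permissive domain).
              "blocked": sc["success"] != "yes", "clone_flags": None}
        if (int(sc["arch"], 16), int(sc["syscall"])) in CLONE_SYSCALLS:
            ev["clone_flags"] = decode_clone_flags(int(sc["a0"], 16))
        events.append(ev)
    return events
```

Run `triage(SAMPLE)` to get one event whose decoded clone flags are the three namespaces of the first kCloneExtraFlags entry and whose `blocked` field is False.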

Comment 18 Eric Rannaud 2010-06-29 19:25:41 UTC
google-chrome works just fine on F12, after the alert.

To avoid getting the alert, users can tick the "ignore this alert" box in the selinux applet.

Comment 19 Eric Paris 2010-06-29 20:20:18 UTC
Adam, I wouldn't be surprised if it returned EPERM instead of EINVAL.  But it sounds like people are working ok, just have to ignore the message for a while and suffer the loss of CLONE_NEWNET (and CLONE_NEWNS it seems).

(The kernel bug was that creating a new network namespace created a raw socket from one part of the kernel to another part of the kernel.  SELinux was checking if the application had permissions to create raw sockets.  It did not, thus it rejected the kernel to kernel internal socket and caused problems.  The fix was to differentiate sockets created by the kernel for the kernel and those created by the userspace app, and to apply different security checks for each)

In any case, it's fixed in new kernels.

Comment 20 Eric Paris 2010-07-13 20:12:36 UTC
I'm going to close this bug as 'upstream'.

If there are real problems on F12 (after you ignore the denial) please feel free to reopen.

Comment 21 Kyle McMartin 2010-09-06 19:00:20 UTC
I've done a scratch-build with the two fixes Eric identified to see if I can quiet this denial down... Please let me know if
http://koji.fedoraproject.org/koji/taskinfo?taskID=2449710
resolves it, since there seem to be a lot of people still hitting it judging by the growing CC list.

Comment 22 Fedora Update System 2010-09-16 10:00:22 UTC
kernel-2.6.32.21-168.fc12 has been submitted as an update for Fedora 12.
https://admin.fedoraproject.org/updates/kernel-2.6.32.21-168.fc12

Comment 23 Fedora Update System 2010-09-21 01:37:49 UTC
kernel-2.6.32.21-168.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

