Sage Notebook, Chrome Browser, & SELinux Alert


rickhg12hs

Jul 29, 2013, 11:11:48 PM
to sage-s...@googlegroups.com
Sage 5.10 Notebook, Fedora 17 with SELinux set to Enforcing.

    SELinux is preventing /opt/google/chrome/chrome from 'write' accesses on the directory /home/MyHomeDir/.sage.

Is this expected?  Should I allow write access by creating a local exception for SELinux?

Jason Grout

Jul 30, 2013, 12:03:29 AM
to sage-s...@googlegroups.com
I can't imagine why Chrome needs access to ~/.sage.

Jason



Dima Pasechnik

Jul 30, 2013, 4:15:54 AM
to sage-s...@googlegroups.com
downloading NSA software? ;-)

>
> Jason
>
>
>

Volker Braun

Jul 30, 2013, 10:22:16 AM
to sage-s...@googlegroups.com
Works on Fedora 19, maybe you can post a part of your log? Steps to reproduce?

rickhg12hs

Jul 30, 2013, 10:35:08 AM
to sage-s...@googlegroups.com
Which log do you mean?

Steps to reproduce:
$ ./sage -notebook

An SELinux alert every time.  Sage notebook still works fine though.

Volker Braun

Jul 30, 2013, 11:21:13 AM
to sage-s...@googlegroups.com
post the actual log message

rickhg12hs

Jul 30, 2013, 1:21:51 PM
to sage-s...@googlegroups.com
Here is the SELinux Alert "Details":

["Details"  Start]
SELinux is preventing /opt/google/chrome/chrome from write access on the directory /home/rick/.sage.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that chrome should be allowed write access on the .sage directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep chrome /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
                              0.c1023
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                /home/rick/.sage [ dir ]
Source                        chrome
Source Path                   /opt/google/chrome/chrome
Port                          <Unknown>
Host                          steelers.net
Source RPM Packages           google-chrome-stable-28.0.1500.71-209842.i386
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-170.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     steelers.net
Platform                      Linux steelers.net 3.9.10-100.fc17.i686.PAE #1 SMP
                              Sun Jul 14 01:34:14 UTC 2013 i686 i686
Alert Count                   1
First Seen                    2013-07-30 13:17:57 EDT
Last Seen                     2013-07-30 13:17:57 EDT
Local ID                      d984be81-6864-452c-974b-4cecba51149b

Raw Audit Messages
type=AVC msg=audit(1375204677.41:5388): avc:  denied  { write } for  pid=12239 comm="chrome" name=".sage" dev="dm-2" ino=3802163 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir


type=SYSCALL msg=audit(1375204677.41:5388): arch=i386 syscall=open success=no exit=EACCES a0=b7eb6a5c a1=8441 a2=1b6 a3=b7edeb00 items=0 ppid=0 pid=12239 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 ses=694 tty=pts1 comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Hash: chrome,chrome_sandbox_t,user_home_t,dir,write

audit2allow

#============= chrome_sandbox_t ==============
#!!!! The source type 'chrome_sandbox_t' can write to a 'dir' of the following types:
# home_cert_t, user_home_dir_t, cgroup_t, tmpfs_t, tmp_t, user_fonts_cache_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmp_t

allow chrome_sandbox_t user_home_t:dir write;

audit2allow -R

#============= chrome_sandbox_t ==============
#!!!! The source type 'chrome_sandbox_t' can write to a 'dir' of the following types:
# home_cert_t, user_home_dir_t, cgroup_t, tmpfs_t, tmp_t, user_fonts_cache_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmp_t

allow chrome_sandbox_t user_home_t:dir write;
["Details"  End]
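The alert above ends with a ready-made `audit2allow` rule, and the `#!!!!` hint lists the directory types `chrome_sandbox_t` may already write to. Before loading such a module it is worth checking whether the rule merely papers over a labelling quirk or actually grants the browser a new kind of access (here: writing into the user's `.sage` directory, which the later replies argue it should never need). The helper below is an added example, not code from the thread or from Sage or SELinux tooling: it parses a raw AVC record into fields, renders the single-denial rule `audit2allow` would produce, and reports whether that rule widens the domain's access compared with the writable types the alert hint lists. The two sample records are copied from this thread (the second one as it arrived, mail-wrapped and truncated); the `KNOWN_DIR_WRITE` table is copied from the hint and is not a complete policy dump.

```python
"""Triage helper for SELinux AVC denials such as the chrome -> ~/.sage one above."""
import re
from dataclasses import dataclass
from typing import Optional

# AVC denial copied from the alert "Details" in this thread.
SAMPLE_AVC = (
    'type=AVC msg=audit(1375204677.41:5388): avc:  denied  { write } for  '
    'pid=12239 comm="chrome" name=".sage" dev="dm-2" ino=3802163 '
    'scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir'
)

# The later record from the same thread, as mail-wrapped and truncated.
WRAPPED_TRUNCATED = (
    'type=AVC msg=audit(1372031280.104:2067): avc:  denied  { write } for  '
    'pid=24299 comm="chrome" name=".sage\n'
    '" dev="sda4" ino=322022 scontext=unconfined_u:unconfined_r:chrome_sandbox_t'
    ':s0-s0:c0.c1023 tcontext=uncon'
)

# Directory types the alert's audit2allow hint says chrome_sandbox_t can
# already write to (copied from the thread; not a complete policy listing).
KNOWN_DIR_WRITE = {
    "chrome_sandbox_t": {
        "home_cert_t", "user_home_dir_t", "cgroup_t", "tmpfs_t", "tmp_t",
        "user_fonts_cache_t", "chrome_sandbox_tmpfs_t", "chrome_sandbox_tmp_t",
    },
}

_KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # key=value or key="quoted value"
_PERMS_RE = re.compile(r'\{\s*([^}]*?)\s*\}')    # { write } or { read write }


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    level: str  # MCS/MLS range; empty on policies without one

    @classmethod
    def parse(cls, raw: str) -> "Context":
        # user:role:type[:range]; the range itself may contain ':'
        parts = raw.split(":", 3)
        if len(parts) < 3:
            raise ValueError(f"not an SELinux context: {raw!r}")
        return cls(parts[0], parts[1], parts[2], parts[3] if len(parts) == 4 else "")


@dataclass(frozen=True)
class AvcDenial:
    perms: tuple
    pid: int
    comm: str
    name: str
    scontext: Context
    tcontext: Context
    tclass: str


def parse_avc(record: str) -> AvcDenial:
    """Parse one AVC denial record; mail-wrapped records are re-joined first."""
    line = " ".join(record.split())
    if "avc:" not in line or "denied" not in line:
        raise ValueError("not an AVC denial record")
    perms_m = _PERMS_RE.search(line)
    if perms_m is None:
        raise ValueError("no permission set in record")
    fields = {}
    for m in _KV_RE.finditer(line):
        key, bare, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted.strip() if quoted is not None else bare
    return AvcDenial(
        perms=tuple(perms_m.group(1).split()),
        pid=int(fields["pid"]),
        comm=fields["comm"],
        name=fields.get("name", ""),
        scontext=Context.parse(fields["scontext"]),
        tcontext=Context.parse(fields["tcontext"]),
        tclass=fields["tclass"],
    )


def safe_parse(record: str) -> Optional[AvcDenial]:
    """parse_avc that returns None for malformed or truncated records."""
    try:
        return parse_avc(record)
    except (ValueError, KeyError):
        return None


def allow_rule(d: AvcDenial) -> str:
    """The allow rule audit2allow would emit for this single denial."""
    perms = d.perms[0] if len(d.perms) == 1 else "{ " + " ".join(d.perms) + " }"
    return f"allow {d.scontext.type} {d.tcontext.type}:{d.tclass} {perms};"


def widens_policy(d: AvcDenial, known=KNOWN_DIR_WRITE) -> bool:
    """True when the rule would let the domain write to a directory type it
    cannot already write to, i.e. genuinely new access rather than a label
    quirk; those are the denials to question before any `semodule -i`."""
    if d.tclass != "dir" or "write" not in d.perms:
        return True  # outside the table we know: treat as new access
    return d.tcontext.type not in known.get(d.scontext.type, set())


if __name__ == "__main__":
    denial = parse_avc(SAMPLE_AVC)
    print(allow_rule(denial))  # allow chrome_sandbox_t user_home_t:dir write;
    print("widens policy:", widens_policy(denial))
    print("truncated record parsed:", safe_parse(WRAPPED_TRUNCATED) is not None)
```

For the record in this thread the helper reproduces the `allow chrome_sandbox_t user_home_t:dir write;` line from the alert and reports that it widens policy, since `user_home_t` is not among the types the hint lists; the truncated record is rejected rather than half-parsed.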

Volker Braun

Jul 30, 2013, 6:50:44 PM
to sage-s...@googlegroups.com
I found the same in my logs from a while ago, but I can't reproduce it with chrome 29.0.1547.32 beta which I'm currently running.


type=AVC msg=audit(1372031280.104:2067): avc:  denied  { write } for  pid=24299 comm="chrome" name=".sage
" dev="sda4" ino=322022 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=uncon

Dima Pasechnik

Aug 1, 2013, 4:22:16 PM
to sage-s...@googlegroups.com
On 2013-07-30, Jason Grout <jason...@creativetrax.com> wrote:
isn't it where the Sage notebook files are kept?

Dima
>
> Jason
>
>
>

Jason Grout

Aug 1, 2013, 4:49:24 PM
to sage-s...@googlegroups.com
Yes, but the browser shouldn't be changing those. All changes should be
shuttled through the backend webserver.

Jason

