SELinux가 /opt/google/chrome/nacl_helper에 의해 /etc/passwd 파일에 대한 getattr 액세스를 차단하고 있습니다.

SELinux가 /opt/google/chrome/nacl_helper에 의해 /etc/passwd 파일에 대한 getattr 액세스를 차단하고 있습니다.

이것은 버그입니까 아니면 실제 보안 문제입니까? 논의된 것 같지만 왜 이런 일이 발생하는지, 근본 원인을 해결하기 위해 수행 중인 작업을 여전히 이해하지 못합니다(SELinux를 비활성화하지 않으므로 이 오류를 볼 필요가 없습니다).

SELinux is preventing /opt/google/chrome/nacl_helper from getattr access on the file /etc/passwd.

***** Plugin chrome (98.5 confidence) suggests ****************************

If you want to use the plugin package
Then you must turn off SELinux controls on the Chrome plugins.
Do
# setsebool -P unconfined_chrome_sandbox_transition 0

***** Plugin catchall (2.46 confidence) suggests **************************

If you believe that nacl_helper should be allowed getattr access on the passwd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep nacl_helper /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
0.c1023
Target Context system_u:object_r:passwd_file_t:s0
Target Objects /etc/passwd [ file ]
Source nacl_helper
Source Path /opt/google/chrome/nacl_helper
Port <Unknown>
Host z1223lc7
Source RPM Packages google-chrome-stable-43.0.2357.81-1.x86_64
Target RPM Packages setup-2.8.71-5.el7.noarch
Policy RPM selinux-policy-3.13.1-23.el7_1.7.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name z1223lc7
Platform Linux z1223lc7 3.10.0-229.4.2.el7.x86_64 #1 SMP
Wed May 13 10:06:09 UTC 2015 x86_64 x86_64
Alert Count 140
First Seen 2015-04-01 18:23:37 MDT
Last Seen 2015-06-06 13:25:49 MDT
Local ID b0bd92cc-2a6f-43db-8faa-96e434e9317e

Raw Audit Messages
type=AVC msg=audit(1433618749.991:423): avc: denied { getattr } for pid=5863 comm="chrome" path="/etc/passwd" dev="sdb3" ino=136280194 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file


type=SYSCALL msg=audit(1433618749.991:423): arch=x86_64 syscall=stat success=no exit=EACCES a0=7f0a9f79a9f8 a1=7fffb5a5eb50 a2=7fffb5a5eb50 a3=fffffffffffffa09 items=0 ppid=5862 pid=5863 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=1 comm=chrome exe=/opt/google/chrome/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Hash: nacl_helper,chrome_sandbox_t,passwd_file_t,file,getattr

답변1

아래와 같이 알려진 버그인 것 같습니다. https://bugzilla.redhat.com/show_bug.cgi?id=1204307

관련 정보