February 14th, 2011

Strange SELinux AVC's

A bug was just closed where the google chrome plugin sandbox was trying to read a link file within the homedir.

SELinux is preventing /opt/google/chrome/chrome from read access on the lnk_file /home/physics-tools/clhep/clhep

Here is the AVC.

type=AVC msg=audit(1297435306.238:20321): avc:  denied  { read } for  pid=22631 comm="chrome" name="clhep" dev=sda5 ino=8195388 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file

type=SYSCALL msg=audit(1297435306.238:20321): arch=c000003e syscall=2 success=no exit=-2 a0=7fffb3534570 a1=0 a2=0 a3=2f7065686c632f70 items=0 ppid=0
pid=22631 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=7 comm="chrome"
exe="/opt/google/chrome/chrome" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

clhep is part of a high energy physics library.

On the surface this makes no sense at all. You would figure there is no way the chrome sandbox would be reading this random link in the user's home directory to the high energy physics library.

But digging further we found that the .bashrc was executing /home/physics-tools/env/clhep_scr.  This script was modifying the LD_LIBRARY_PATH to include many new paths including /home/physics-tools/clhep/clhep.

When you start any application, including chrome, the dynamic linker searches every directory in LD_LIBRARY_PATH while resolving the application's shared libraries. Because that search runs inside the application's own domain, chrome_sandbox_t here, it is the sandbox that ends up following the symlink under /home/physics-tools/clhep, and SELinux records the denied read on the lnk_file.

This explains why the AVC was generated.
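A small script, added here and not part of the original post, that applies the same reasoning to an AVC record: it pulls the fields out of the audit line and checks whether the denied object sits on the library search path. The AVC line is the one quoted above; the LD_LIBRARY_PATH value, apart from the /home/physics-tools/clhep/clhep entry the post mentions, is constructed for the example.

```shell
#!/bin/sh
# Added example (not the post's own code): explain an SELinux AVC by checking
# whether the denied path lies under a directory the dynamic linker searches.

# Print the value of field $2 (tclass, comm, name, ...) from AVC record $1.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=\"\{0,1\}//p" | tr -d '"'
}

# Print the LD_LIBRARY_PATH entry ($2, colon separated) that equals or contains
# path $1 and return 0; return 1 when no entry matches. Runs in a subshell so the
# IFS change stays local. Empty entries (meaning ".") are skipped.
ldpath_entry_for() (
    target=$1
    IFS=:
    set -- $2
    for dir in "$@"; do
        [ -n "$dir" ] || continue
        case "$target" in
            "$dir"|"$dir"/*) printf '%s\n' "$dir"; return 0 ;;
        esac
    done
    return 1
)

# The loader probes every LD_LIBRARY_PATH directory at program start, so a denied
# read of a lnk_file or dir on that path is the loader following it, not the
# program opening the user's files. Prints an explanation and returns 0 when the
# AVC ($1) for full path $2 is accounted for by LD_LIBRARY_PATH ($3), else 1.
explain_avc() {
    avc=$1; full_path=$2; ldpath=$3
    cls=$(avc_field "$avc" tclass)
    prog=$(avc_field "$avc" comm)
    case "$cls" in lnk_file|dir) ;; *) return 1 ;; esac
    entry=$(ldpath_entry_for "$full_path" "$ldpath") || return 1
    printf '%s: %s read denied on %s because LD_LIBRARY_PATH contains %s\n' \
        "$prog" "$cls" "$full_path" "$entry"
}

# AVC record from the post; the library path is constructed around the entry it names.
AVC='type=AVC msg=audit(1297435306.238:20321): avc:  denied  { read } for  pid=22631 comm="chrome" name="clhep" dev=sda5 ino=8195388 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file'
LDP='/usr/local/lib:/home/physics-tools/clhep/clhep:/home/physics-tools/geant4/lib'

explain_avc "$AVC" /home/physics-tools/clhep/clhep "$LDP"
```

The remedy the post implies follows from the check: a library path exported from .bashrc applies to every program the user starts, so it belongs in a wrapper for the physics tools rather than in the login environment.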