Chromium and SELinux
I need to run Chromium via Puppeteer in the browser but I am getting a few SELinux alerts. If I create an audit2allow module for the alerts, the alerts disappear but Chromium still does not run. As soon as I set SELinux back to permissive mode Chromium runs again.
I'm not sure what to do here. How can I fix the errors below so I can use SELinux in enforcing mode?
I can also get Chromium working if I set httpd to permissive while SELinux is still in enforcing mode with semanage permissive -a httpd_t, but I'm guessing this is a big security issue?
All the SELinux alerts are in the /var/www/html/node_modules/puppeteer/.local-chromium/linux-624492/chrome-linux/chrome directory, so I guess I need to give these directories/files a particular label, but which one?
OS: CentOS 7.6
SELinux is preventing /var/www/html/node_modules/puppeteer/.local-chromium/linux-624492/chrome-linux/chrome from using the sys_admin capability.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that chrome should have the sys_admin capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'chrome' --raw | audit2allow -M my-chrome
# semodule -i my-chrome.pp
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ capability ]
Source chrome
Source Path /var/www/html/node_modules/puppeteer/.local-chromium/linux-624492/chrome-linux/chrome
Port <Unknown>
Host di-staging
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 7
First Seen 2019-03-02 16:33:12 GMT
Last Seen 2019-03-03 13:00:18 GMT
Local ID ff2cf4a9-6788-4027-8986-fc1db4f026b3
Raw Audit Messages
type=AVC msg=audit(1551618018.451:581328): avc: denied { sys_admin } for pid=15865 comm="chrome" capability=21 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=1
type=SYSCALL msg=audit(1551618018.451:581328): arch=x86_64 syscall=open success=yes exit=ECONNREFUSED a0=559709404bb0 a1=1 a2=20 a3=7ffe9f76fba0 items=0 ppid=15863 pid=15865 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=chrome exe=/var/www/html/node_modules/puppeteer/.local-chromium/linux-624492/chrome-linux/chrome subj=system_u:system_r:httpd_t:s0 key=(null)
Hash: chrome,httpd_t,httpd_t,capability,sys_admin
SELinux is preventing /var/www/html/node_modules/puppeteer/.local-chromium/linux-624492/chrome-linux/chrome from using the sys_ptrace capability.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that chrome should have the sys_ptrace capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'chrome' --raw | audit2allow -M my-chrome
# semodule -i my-chrome.pp
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ capability ]
Source chrome
Source Path /var/www/html/node_modules/puppeteer/.local-chromium/linux-624492/chrome-linux/chrome
Port <Unknown>
Host di-staging
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 8
First Seen 2019-03-02 16:32:26 GMT
Last Seen 2019-03-03 13:00:18 GMT
Local ID 195b1636-4c46-47b9-92d2-19323a2e05a8
Raw Audit Messages
type=AVC msg=audit(1551618018.527:581330): avc: denied { sys_ptrace } for pid=15863 comm="chrome" capability=19 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=1
type=SYSCALL msg=audit(1551618018.527:581330): arch=x86_64 syscall=read success=yes exit=364 a0=70 a1=35eabe34f000 a2=10000 a3=22 items=0 ppid=15848 pid=15863 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=chrome exe=/var/www/html/node_modules/puppeteer/.local-chromium/linux-624492/chrome-linux/chrome subj=system_u:system_r:httpd_t:s0 key=(null)
Hash: chrome,httpd_t,httpd_t,capability,sys_ptrace
SELinux is preventing /var/www/html/node_modules/puppeteer/.local-chromium/linux-624492/chrome-linux/chrome from create access on the netlink_kobject_uevent_socket labeled httpd_t.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that chrome should be allowed create access on netlink_kobject_uevent_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'Chrome_IOThread' --raw | audit2allow -M my-ChromeIOThread
# semodule -i my-ChromeIOThread.pp
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ netlink_kobject_uevent_socket ]
Source Chrome_IOThread
Source Path /var/www/html/node_modules/puppeteer/.local-chromium/linux-624492/chrome-linux/chrome
Port <Unknown>
Host di-staging
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 8
First Seen 2019-03-02 16:32:26 GMT
Last Seen 2019-03-03 13:00:18 GMT
Local ID 9e4b0c7f-78a5-4585-be26-db09f9309f6f
Raw Audit Messages
type=AVC msg=audit(1551618018.602:581331): avc: denied { create } for pid=15863 comm="Chrome_IOThread" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=netlink_kobject_uevent_socket permissive=1
type=SYSCALL msg=audit(1551618018.602:581331): arch=x86_64 syscall=socket success=yes exit=151 a0=10 a1=80803 a2=f a3=35eabe431060 items=0 ppid=15848 pid=15863 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=Chrome_IOThread exe=/var/www/html/node_modules/puppeteer/.local-chromium/linux-624492/chrome-linux/chrome subj=system_u:system_r:httpd_t:s0 key=(null)
Hash: Chrome_IOThread,httpd_t,httpd_t,netlink_kobject_uevent_socket,create
SELinux is preventing /var/www/html/node_modules/puppeteer/.local-chromium/linux-624492/chrome-linux/chrome from setopt access on the netlink_kobject_uevent_socket labeled httpd_t.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that chrome should be allowed setopt access on netlink_kobject_uevent_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'Chrome_IOThread' --raw | audit2allow -M my-ChromeIOThread
# semodule -i my-ChromeIOThread.pp
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ netlink_kobject_uevent_socket ]
Source Chrome_IOThread
Source Path /var/www/html/node_modules/puppeteer/.local-chromium/linux-624492/chrome-linux/chrome
Port <Unknown>
Host di-staging
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 8
First Seen 2019-03-02 16:32:26 GMT
Last Seen 2019-03-03 13:00:18 GMT
Local ID 59f8fbbf-0ce1-4dd3-94ff-8fd5eb13696f
Raw Audit Messages
type=AVC msg=audit(1551618018.603:581332): avc: denied { setopt } for pid=15863 comm="Chrome_IOThread" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=netlink_kobject_uevent_socket permissive=1
type=SYSCALL msg=audit(1551618018.603:581332): arch=x86_64 syscall=setsockopt success=yes exit=0 a0=97 a1=1 a2=1a a3=7fe1ed084420 items=0 ppid=15848 pid=15863 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=Chrome_IOThread exe=/var/www/html/node_modules/puppeteer/.local-chromium/linux-624492/chrome-linux/chrome subj=system_u:system_r:httpd_t:s0 key=(null)
Hash: Chrome_IOThread,httpd_t,httpd_t,netlink_kobject_uevent_socket,setopt
SELinux is preventing /var/www/html/node_modules/puppeteer/.local-chromium/linux-624492/chrome-linux/chrome from bind access on the netlink_kobject_uevent_socket labeled httpd_t.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that chrome should be allowed bind access on netlink_kobject_uevent_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'Chrome_IOThread' --raw | audit2allow -M my-ChromeIOThread
# semodule -i my-ChromeIOThread.pp
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ netlink_kobject_uevent_socket ]
Source Chrome_IOThread
Source Path /var/www/html/node_modules/puppeteer/.local-chromium/linux-624492/chrome-linux/chrome
Port <Unknown>
Host di-staging
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 8
First Seen 2019-03-02 16:32:26 GMT
Last Seen 2019-03-03 13:00:18 GMT
Local ID b50937b0-a30a-4724-8c8d-d50077ae5e1a
Raw Audit Messages
type=AVC msg=audit(1551618018.603:581333): avc: denied { bind } for pid=15863 comm="Chrome_IOThread" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=netlink_kobject_uevent_socket permissive=1
type=SYSCALL msg=audit(1551618018.603:581333): arch=x86_64 syscall=bind success=yes exit=0 a0=97 a1=35eabe384a10 a2=c a3=7fe1ed084420 items=0 ppid=15848 pid=15863 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=Chrome_IOThread exe=/var/www/html/node_modules/puppeteer/.local-chromium/linux-624492/chrome-linux/chrome subj=system_u:system_r:httpd_t:s0 key=(null)
Hash: Chrome_IOThread,httpd_t,httpd_t,netlink_kobject_uevent_socket,bind
SELinux is preventing /var/www/html/node_modules/puppeteer/.local-chromium/linux-624492/chrome-linux/chrome from getattr access on the netlink_kobject_uevent_socket labeled httpd_t.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that chrome should be allowed getattr access on netlink_kobject_uevent_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'Chrome_IOThread' --raw | audit2allow -M my-ChromeIOThread
# semodule -i my-ChromeIOThread.pp
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ netlink_kobject_uevent_socket ]
Source Chrome_IOThread
Source Path /var/www/html/node_modules/puppeteer/.local-chromium/linux-624492/chrome-linux/chrome
Port <Unknown>
Host di-staging
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 8
First Seen 2019-03-02 16:32:26 GMT
Last Seen 2019-03-03 13:00:18 GMT
Local ID 889a731e-830f-4ae8-8a66-bfdb0532629e
Raw Audit Messages
type=AVC msg=audit(1551618018.603:581334): avc: denied { getattr } for pid=15863 comm="Chrome_IOThread" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=netlink_kobject_uevent_socket permissive=1
type=SYSCALL msg=audit(1551618018.603:581334): arch=x86_64 syscall=getsockname success=yes exit=0 a0=97 a1=7fe1ed085490 a2=7fe1ed08548c a3=7fe1ed084420 items=0 ppid=15848 pid=15863 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=Chrome_IOThread exe=/var/www/html/node_modules/puppeteer/.local-chromium/linux-624492/chrome-linux/chrome subj=system_u:system_r:httpd_t:s0 key=(null)
Hash: Chrome_IOThread,httpd_t,httpd_t,netlink_kobject_uevent_socket,getattr
linux centos security selinux chrome
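Before loading anything audit2allow generates from the denials above, it is worth seeing exactly what the module would grant, and to which domain. Every AVC record in the question has scontext httpd_t, so the resulting rules apply to the entire web server domain (every process httpd spawns, not only chrome), and two of them hand that domain the sys_admin and sys_ptrace capabilities. The script below is an added example, not the asker's code and not part of audit2allow or setroubleshoot: it parses raw type=AVC records, groups them by (source type, target type, object class), flags permissions a reviewer should not wave through, and renders a .te file in the same shape `audit2allow -M` would write. The audit excerpt is constructed from the records in the question (SYSCALL fields trimmed); the HIGH_RISK table is the author's own list, not an SELinux constant.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records from the sealert output in the question,
# with the SYSCALL record shortened. Real input would come from
# `ausearch -m AVC --raw` or /var/log/audit/audit.log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1551618018.451:581328): avc: denied { sys_admin } for pid=15865 comm="chrome" capability=21 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=1
type=SYSCALL msg=audit(1551618018.451:581328): arch=x86_64 syscall=open success=yes comm="chrome"
type=AVC msg=audit(1551618018.527:581330): avc: denied { sys_ptrace } for pid=15863 comm="chrome" capability=19 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1551618018.602:581331): avc: denied { create } for pid=15863 comm="Chrome_IOThread" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=netlink_kobject_uevent_socket permissive=1
type=AVC msg=audit(1551618018.603:581332): avc: denied { setopt } for pid=15863 comm="Chrome_IOThread" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=netlink_kobject_uevent_socket permissive=1
type=AVC msg=audit(1551618018.603:581333): avc: denied { bind } for pid=15863 comm="Chrome_IOThread" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=netlink_kobject_uevent_socket permissive=1
type=AVC msg=audit(1551618018.603:581334): avc: denied { getattr } for pid=15863 comm="Chrome_IOThread" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=netlink_kobject_uevent_socket permissive=1
"""

# Matches the fields of a type=AVC record that a policy rule is built from.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Author's own list (an assumption, not an SELinux constant) of (class, permission)
# pairs that give a domain kernel-level power. audit2allow grants them silently.
HIGH_RISK = {
    ("capability", "sys_admin"), ("capability", "sys_ptrace"),
    ("capability", "sys_module"), ("capability", "dac_override"),
    ("capability", "setuid"), ("capability", "setgid"),
    ("capability", "net_admin"), ("capability2", "mac_admin"),
    ("process", "ptrace"), ("process", "execmem"),
}


def domain_type(context):
    """system_u:system_r:httpd_t:s0 -> httpd_t (the type field of a context)."""
    return context.split(":")[2]


def parse_avc(log_text):
    """Return {(source_type, target_type, tclass): set(perms)} from raw audit records.
    Non-AVC records (SYSCALL, PATH, ...) are skipped."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (domain_type(m["scontext"]), domain_type(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return dict(denials)


def risky_grants(denials):
    """(source_type, tclass, perm) triples that a generated module would grant
    and that appear in HIGH_RISK."""
    found = []
    for (src, _tgt, tclass), perms in denials.items():
        for perm in sorted(perms):
            if (tclass, perm) in HIGH_RISK:
                found.append((src, tclass, perm))
    return found


def render_te(denials, module_name):
    """Render .te policy source in the shape `audit2allow -M` writes for these denials."""
    lines = [f"module {module_name} 1.0;", "", "require {"]
    for t in sorted({t for (src, tgt, _cls) in denials for t in (src, tgt)}):
        lines.append(f"\ttype {t};")
    classes = defaultdict(set)
    for (_src, _tgt, tclass), perms in denials.items():
        classes[tclass].update(perms)
    for tclass in sorted(classes):
        lines.append(f"\tclass {tclass} {{ {' '.join(sorted(classes[tclass]))} }};")
    lines += ["}", ""]
    for (src, tgt, tclass), perms in sorted(denials.items()):
        target = "self" if src == tgt else tgt  # audit2allow writes `self` for src == tgt
        lines.append(f"allow {src} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    denials = parse_avc(SAMPLE_AUDIT_LOG)
    for src, tclass, perm in risky_grants(denials):
        print(f"WARNING: module would grant {tclass}:{perm} to the whole {src} domain")
    print(render_te(denials, "my-chrome"))
```

Two checks a practitioner would run alongside this. First, `semanage permissive -a httpd_t` does not just allow these six operations: it makes every access httpd_t attempts log-and-allow, which for an internet-facing web server domain is close to disabling SELinux for the part of the system most likely to be attacked. Second, the symptom in the question (the module silences the alerts but Chromium still fails in enforcing mode) is the classic sign of dontaudit rules hiding further denials; `semodule -DB` rebuilds the policy with dontaudit rules disabled so the remaining denials show up in the audit log, and `semodule -B` restores them afterwards.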
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 8
First Seen 2019-03-02 16:32:26 GMT
Last Seen 2019-03-03 13:00:18 GMT
Local ID 9e4b0c7f-78a5-4585-be26-db09f9309f6f
Raw Audit Messages
type=AVC msg=audit(1551618018.602:581331): avc: denied { create } for pid=15863 comm="Chrome_IOThread" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=netlink_kobject_uevent_socket permissive=1
type=SYSCALL msg=audit(1551618018.602:581331): arch=x86_64 syscall=socket success=yes exit=151 a0=10 a1=80803 a2=f a3=35eabe431060 items=0 ppid=15848 pid=15863 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=Chrome_IOThread exe=/var/www/html/node_modules/puppeteer/.local-chromium/linux-624492/chrome-linux/chrome subj=system_u:system_r:httpd_t:s0 key=(null)
Hash: Chrome_IOThread,httpd_t,httpd_t,netlink_kobject_uevent_socket,create
SELinux is preventing /var/www/html/node_modules/puppeteer/.local-chromium/linux-624492/chrome-linux/chrome from setopt access on the netlink_kobject_uevent_socket labeled httpd_t.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that chrome should be allowed setopt access on netlink_kobject_uevent_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'Chrome_IOThread' --raw | audit2allow -M my-ChromeIOThread
# semodule -i my-ChromeIOThread.pp
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ netlink_kobject_uevent_socket ]
Source Chrome_IOThread
Source Path /var/www/html/node_modules/puppeteer/.local-
chromium/linux-624492/chrome-linux/chrome
Port <Unknown>
Host di-staging
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 8
First Seen 2019-03-02 16:32:26 GMT
Last Seen 2019-03-03 13:00:18 GMT
Local ID 59f8fbbf-0ce1-4dd3-94ff-8fd5eb13696f
Raw Audit Messages
type=AVC msg=audit(1551618018.603:581332): avc: denied { setopt } for pid=15863 comm="Chrome_IOThread" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=netlink_kobject_uevent_socket permissive=1
type=SYSCALL msg=audit(1551618018.603:581332): arch=x86_64 syscall=setsockopt success=yes exit=0 a0=97 a1=1 a2=1a a3=7fe1ed084420 items=0 ppid=15848 pid=15863 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=Chrome_IOThread exe=/var/www/html/node_modules/puppeteer/.local-chromium/linux-624492/chrome-linux/chrome subj=system_u:system_r:httpd_t:s0 key=(null)
Hash: Chrome_IOThread,httpd_t,httpd_t,netlink_kobject_uevent_socket,setopt
SELinux is preventing /var/www/html/node_modules/puppeteer/.local-chromium/linux-624492/chrome-linux/chrome from bind access on the netlink_kobject_uevent_socket labeled httpd_t.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that chrome should be allowed bind access on netlink_kobject_uevent_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'Chrome_IOThread' --raw | audit2allow -M my-ChromeIOThread
# semodule -i my-ChromeIOThread.pp
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ netlink_kobject_uevent_socket ]
Source Chrome_IOThread
Source Path /var/www/html/node_modules/puppeteer/.local-
chromium/linux-624492/chrome-linux/chrome
Port <Unknown>
Host di-staging
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 8
First Seen 2019-03-02 16:32:26 GMT
Last Seen 2019-03-03 13:00:18 GMT
Local ID b50937b0-a30a-4724-8c8d-d50077ae5e1a
Raw Audit Messages
type=AVC msg=audit(1551618018.603:581333): avc: denied { bind } for pid=15863 comm="Chrome_IOThread" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=netlink_kobject_uevent_socket permissive=1
type=SYSCALL msg=audit(1551618018.603:581333): arch=x86_64 syscall=bind success=yes exit=0 a0=97 a1=35eabe384a10 a2=c a3=7fe1ed084420 items=0 ppid=15848 pid=15863 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=Chrome_IOThread exe=/var/www/html/node_modules/puppeteer/.local-chromium/linux-624492/chrome-linux/chrome subj=system_u:system_r:httpd_t:s0 key=(null)
Hash: Chrome_IOThread,httpd_t,httpd_t,netlink_kobject_uevent_socket,bind
SELinux is preventing /var/www/html/node_modules/puppeteer/.local-chromium/linux-624492/chrome-linux/chrome from getattr access on the netlink_kobject_uevent_socket labeled httpd_t.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that chrome should be allowed getattr access on netlink_kobject_uevent_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'Chrome_IOThread' --raw | audit2allow -M my-ChromeIOThread
# semodule -i my-ChromeIOThread.pp
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ netlink_kobject_uevent_socket ]
Source Chrome_IOThread
Source Path /var/www/html/node_modules/puppeteer/.local-
chromium/linux-624492/chrome-linux/chrome
Port <Unknown>
Host di-staging
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 8
First Seen 2019-03-02 16:32:26 GMT
Last Seen 2019-03-03 13:00:18 GMT
Local ID 889a731e-830f-4ae8-8a66-bfdb0532629e
Raw Audit Messages
type=AVC msg=audit(1551618018.603:581334): avc: denied { getattr } for pid=15863 comm="Chrome_IOThread" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=netlink_kobject_uevent_socket permissive=1
type=SYSCALL msg=audit(1551618018.603:581334): arch=x86_64 syscall=getsockname success=yes exit=0 a0=97 a1=7fe1ed085490 a2=7fe1ed08548c a3=7fe1ed084420 items=0 ppid=15848 pid=15863 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=Chrome_IOThread exe=/var/www/html/node_modules/puppeteer/.local-chromium/linux-624492/chrome-linux/chrome subj=system_u:system_r:httpd_t:s0 key=(null)
Hash: Chrome_IOThread,httpd_t,httpd_t,netlink_kobject_uevent_socket,getattr
linux centos security selinux chrome
asked 15 mins ago
turrican_34
62
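A way to triage the raw audit records before loading anything with audit2allow, as an added example that is not part of the original question and not part of the SELinux tooling: the script below takes the `type=AVC` lines exactly as they appear in the sealert output above (the SYSCALL records carry no denial decision and are left out), groups them into the (source type, target type, object class) tuples that audit2allow builds its module from, renders the `allow` rules such a module would contain, and flags capability permissions that a confined web-server domain should not be handed. The function names and the `HIGH_RISK_CAPABILITIES` list are this example's own assumptions, not an SELinux-defined category.

```python
import re
from collections import defaultdict

# AVC records copied from the sealert output on this page (constructed sample
# input for the example; on a live host they come from `ausearch -m AVC --raw`).
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1551618018.451:581328): avc: denied { sys_admin } for pid=15865 comm="chrome" capability=21 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=1',
    'type=AVC msg=audit(1551618018.527:581330): avc: denied { sys_ptrace } for pid=15863 comm="chrome" capability=19 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=1',
    'type=AVC msg=audit(1551618018.602:581331): avc: denied { create } for pid=15863 comm="Chrome_IOThread" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=netlink_kobject_uevent_socket permissive=1',
    'type=AVC msg=audit(1551618018.603:581332): avc: denied { setopt } for pid=15863 comm="Chrome_IOThread" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=netlink_kobject_uevent_socket permissive=1',
    'type=AVC msg=audit(1551618018.603:581333): avc: denied { bind } for pid=15863 comm="Chrome_IOThread" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=netlink_kobject_uevent_socket permissive=1',
    'type=AVC msg=audit(1551618018.603:581334): avc: denied { getattr } for pid=15863 comm="Chrome_IOThread" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=netlink_kobject_uevent_socket permissive=1',
]

# Fields of an AVC record that matter for policy decisions.
AVC_RE = re.compile(
    r'type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+pid=(?P<pid>\d+)'
    r'\s+comm="(?P<comm>[^"]*)".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)

# Assumed triage list for this example: capabilities that effectively undo the
# confinement of a web-server domain if granted to it.
HIGH_RISK_CAPABILITIES = {"sys_admin", "sys_ptrace", "sys_module", "sys_rawio", "dac_override"}


def domain_type(context):
    """Return the type field of a context such as system_u:system_r:httpd_t:s0."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one raw audit line; return None for anything that is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "perms": d["perms"].split(),
        "pid": int(d["pid"]),
        "comm": d["comm"],
        "source_type": domain_type(d["scontext"]),
        "target_type": domain_type(d["tcontext"]),
        "tclass": d["tclass"],
        "permissive": d["permissive"] == "1",
    }


def summarize(lines):
    """Group denials into (source_type, target_type, tclass) -> set of permissions."""
    summary = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            summary[(rec["source_type"], rec["target_type"], rec["tclass"])].update(rec["perms"])
    return dict(summary)


def high_risk(summary):
    """Sorted (tclass, perm) pairs that would grant a dangerous capability."""
    return sorted(
        (tclass, perm)
        for (_src, _tgt, tclass), perms in summary.items()
        if tclass in ("capability", "capability2")
        for perm in perms
        if perm in HIGH_RISK_CAPABILITIES
    )


def render_te(summary):
    """Render the allow rules audit2allow would propose ('self' when source and target types match)."""
    rules = []
    for (src, tgt, tclass), perms in sorted(summary.items()):
        target = "self" if src == tgt else tgt
        perm_list = " ".join(sorted(perms))
        rules.append(f"allow {src} {target}:{tclass} {{ {perm_list} }};")
    return "\n".join(rules)


if __name__ == "__main__":
    s = summarize(SAMPLE_AVC_LINES)
    print(render_te(s))
    for tclass, perm in high_risk(s):
        print(f"WARNING: {tclass}:{perm} would apply to every process in httpd_t, not only Chromium")
```

Run as-is against the embedded records, or feed it the output of `ausearch -m AVC --raw` line by line. The output makes the problem with the suggested `my-chrome` module visible: `allow httpd_t self:capability { sys_admin sys_ptrace };` grants those capabilities to every process running in `httpd_t`, not just the Puppeteer-launched browser, which is why loading that module is not a fix for the labelling question. One caveat that also explains "alerts disappear but Chromium still does not run": audit2allow only sees denials that were audited, and denials covered by the policy's dontaudit rules stay invisible until they are disabled with `semodule -DB` (re-enabled with `semodule -B`).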