<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Did you run the restorecon command?<br>
<br>
It looks like chrome is allowed to read files labeled home_cert_t
but might be blocked from other types.<br>
<br>
You could also turn off the chrome security using a boolean<br>
<br>
setsebool -P unconfined_chrome_sandbox_transition 1<br>
<br>
Which would do the equivalent of what you did in relabelling the
executable to bin_t.<br>
<br>
<div class="moz-cite-prefix">On 10/27/2014 04:07 AM, Gian Luca
Ortelli wrote:<br>
</div>
<blockquote
cite="mid:CA+HEA+pg1KBe7ni5e1uHjaEufUKqLOR7F6Q791Y=kes28=jTcw@mail.gmail.com"
type="cite">
<div dir="ltr">Hi,
<div><br>
</div>
<div>my original fix was more coarse grained than this: I set
the type of the chrome-sandbox to the generic SELinux
executable (was it bin_t?).</div>
<div><br>
</div>
<div>Anyway, I tried your suggestion (a chrome update broke my
fix several days ago, and I was back to 'setenforce 0' mode)
and it also solves the problem.</div>
<div><br>
</div>
<div>Any ideas on why I don't get an explicit error message?
Something like 'selinux is preventing chrome-sandbox from
accessing .pki'? Or is the problem too indirect for selinux to
figure out what's going wrong exactly?</div>
</div>
<div class="gmail_extra"><br clear="all">
<div>
<div dir="ltr">Kind regards,
<div> Gianluca Ortelli</div>
</div>
</div>
<br>
<div class="gmail_quote">On Fri, Oct 24, 2014 at 7:22 PM, Daniel
J Walsh <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:dwalsh@redhat.com" target="_blank">dwalsh@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>
<div class="h5"> <br>
<div>On 10/23/2014 02:28 AM, Gian Luca Ortelli wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div class="h5">
<div dir="ltr">
<div
style="font-family:arial,sans-serif;font-size:13px">Hi,</div>
<div
style="font-family:arial,sans-serif;font-size:13px"><br>
</div>
<div
style="font-family:arial,sans-serif;font-size:13px">I
recently had to do some selinux tuning to have
chrome correctly start on my fedora 20 box. I
googled around and eventually found the correct
type to apply to the chrome executable in order
to make it work.</div>
<div
style="font-family:arial,sans-serif;font-size:13px"><br>
</div>
<div
style="font-family:arial,sans-serif;font-size:13px">So
the problem is solved, but the error messages
that I got were much less informative than I
expected. After watching <a
moz-do-not-send="true"
href="https://www.youtube.com/watch?v=MxjenQ31b70"
target="_blank">https://www.youtube.com/watch?v=MxjenQ31b70</a> on
selinux configuration, I was expecting messages
in a format like "selinux is preventing X from
access on directory Y", but instead...</div>
<div
style="font-family:arial,sans-serif;font-size:13px"><br>
</div>
<div
style="font-family:arial,sans-serif;font-size:13px">'journal
-f' provided nothing useful; 'tail -f
/var/log/audit/audit.log' showed a couple of log
lines which actually mentioned chrome, but in
too generic a manner (see below):</div>
<div
style="font-family:arial,sans-serif;font-size:13px"><br>
</div>
<div
style="font-family:arial,sans-serif;font-size:13px">--------------------------------------</div>
<div
style="font-family:arial,sans-serif;font-size:13px">
<div>type=SYSCALL msg=audit(1413532031.170:387):
arch=c000003e syscall=56 success=yes exit=2394
a0=60000011 a1=0 a2=0 a3=0 items=0 ppid=2382
pid=2393 auid=1000 uid=1000 gid=1000 euid=0
suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000
tty=(none) ses=1 comm="chrome-sandbox"
exe="/opt/google/chrome/chrome-sandbox"
subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
key=(null)</div>
<div>type=PROCTITLE
msg=audit(1413532031.170:387):
proctitle=2F6F70742F676F6F676C652F6368726F6D652F6368726F6D652D73616E64626F78002F6F70742F676F6F676C652F6368726F6D652F6368726F6D65002D2D747970653D7A79676F7465</div>
<div>type=ANOM_ABEND
msg=audit(1413532031.195:388): auid=1000
uid=1000 gid=1000 ses=1
subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
pid=2394 comm="chrome"
exe="/opt/google/chrome/chrome" sig=11</div>
</div>
<div
style="font-family:arial,sans-serif;font-size:13px">--------------------------------------<br>
</div>
<div
style="font-family:arial,sans-serif;font-size:13px"><br>
</div>
<div
style="font-family:arial,sans-serif;font-size:13px">Before
I fixed the problem, launching google-chrome
from command line resulted in an error message
about the impossibility of creating
directory .pki/nssdb in my home. No mention of
this directory name in the audit.</div>
<div
style="font-family:arial,sans-serif;font-size:13px"><br>
</div>
<div
style="font-family:arial,sans-serif;font-size:13px">And
to finish, the SELinux troubleshooting tool
didn't show anything at all.</div>
<div
style="font-family:arial,sans-serif;font-size:13px"><br>
</div>
<div
style="font-family:arial,sans-serif;font-size:13px">Why
don't I see richer diagnostics? Am I missing
some configuration?</div>
<div
style="font-family:arial,sans-serif;font-size:13px"><br>
</div>
<br
style="font-family:arial,sans-serif;font-size:13px"
clear="all">
<div
style="font-family:arial,sans-serif;font-size:13px">
<div dir="ltr">Kind regards,
<div> Gianluca Ortelli</div>
</div>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
</div>
</div>
<pre>--
selinux mailing list
<a moz-do-not-send="true" href="mailto:selinux@lists.fedoraproject.org" target="_blank">selinux@lists.fedoraproject.org</a>
<a moz-do-not-send="true" href="https://admin.fedoraproject.org/mailman/listinfo/selinux" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/selinux</a></pre>
</blockquote>
What exactly did you do to fix the problem? Did you have
to fix the labels on .pki? restorecon -R -v ~/.pki<br>
<br>
</div>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
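The thread's open question is why no "SELinux is preventing ..." message appeared. The answer comes down to what was actually written to audit.log: the three records Gianluca quoted are a SYSCALL/PROCTITLE pair and an ANOM_ABEND (signal 11), but no AVC record, and setroubleshoot only reacts to AVC denials. The following Python parser is an added example, not code from the thread or from any SELinux tool. It splits audit.log lines of the quoted shape into fields, groups them by event serial, decodes the hex-encoded PROCTITLE, and flags crashes of a process in a given domain that have no audited denial for that domain anywhere in the log. The first sample is the thread's three records; the AVC line in the second sample is constructed to show what an audited denial looks like and is not what happened on the reporter's machine.

```python
import re
from collections import Counter, defaultdict

# Sample input: the three records quoted in the thread (no AVC record at all).
THREAD_AUDIT_LOG = """
type=SYSCALL msg=audit(1413532031.170:387): arch=c000003e syscall=56 success=yes exit=2394 a0=60000011 a1=0 a2=0 a3=0 items=0 ppid=2382 pid=2393 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="chrome-sandbox" exe="/opt/google/chrome/chrome-sandbox" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)
type=PROCTITLE msg=audit(1413532031.170:387): proctitle=2F6F70742F676F6F676C652F6368726F6D652F6368726F6D652D73616E64626F78002F6F70742F676F6F676C652F6368726F6D652F6368726F6D65002D2D747970653D7A79676F7465
type=ANOM_ABEND msg=audit(1413532031.195:388): auid=1000 uid=1000 gid=1000 ses=1 subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 pid=2394 comm="chrome" exe="/opt/google/chrome/chrome" sig=11
"""

# Constructed AVC record (NOT from the thread): illustrates the shape of an
# audited denial so the difference from the silent case is visible.
CONSTRUCTED_AVC_LINE = 'type=AVC msg=audit(1413532031.160:386): avc:  denied  { create } for  pid=2394 comm="chrome" name="nssdb" scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0'

THREAD_LINES = THREAD_AUDIT_LOG.strip().splitlines()
WITH_AVC_LINES = [CONSTRUCTED_AVC_LINE] + THREAD_LINES

RECORD_RE = re.compile(r'^type=(?P<type>\S+)\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}')


def parse_record(line):
    """Parse one audit.log line into a dict; return None for non-record lines."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "timestamp": m["ts"], "serial": int(m["serial"]), "quoted": set()}
    avc = AVC_RE.search(m["body"])
    if avc:  # only AVC records carry a verdict and a permission set
        rec["verdict"] = avc["verdict"]
        rec["perms"] = avc["perms"].split()
    for key, value in KV_RE.findall(m["body"]):
        if value.startswith('"'):
            rec["quoted"].add(key)
            value = value[1:-1]
        rec[key] = value
    return rec


def domain_of(context):
    """Type component (third field) of a context like user_u:role_r:chrome_sandbox_t:s0."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def decode_proctitle(value, quoted=False):
    """auditd writes PROCTITLE as quoted text when it can and as NUL-separated
    hex otherwise; return argv as a list either way."""
    if quoted:
        return [value]
    try:
        raw = bytes.fromhex(value)
    except ValueError:
        return [value]
    return [arg.decode("utf-8", "replace") for arg in raw.split(b"\0") if arg]


def group_events(lines):
    """Group records by serial number; every record of one event shares it."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return dict(events)


def summarize(lines):
    """Record count per type; no 'AVC' key means nothing was audited as a denial."""
    return dict(Counter(rec["type"] for rec in map(parse_record, lines) if rec))


def find_silent_crashes(lines, domain="chrome_sandbox_t"):
    """Serials of ANOM_ABEND records for processes in `domain` with no AVC denial
    for that domain anywhere in the log, i.e. crashes the troubleshooter cannot explain."""
    events = group_events(lines)
    denied_domains = {
        domain_of(rec.get("scontext", ""))
        for recs in events.values() for rec in recs
        if rec["type"] == "AVC" and rec.get("verdict") == "denied"
    }
    return sorted(
        serial for serial, recs in events.items() for rec in recs
        if rec["type"] == "ANOM_ABEND"
        and domain_of(rec.get("subj", "")) == domain
        and domain not in denied_domains
    )


if __name__ == "__main__":
    print("record types:", summarize(THREAD_LINES))
    for serial, recs in sorted(group_events(THREAD_LINES).items()):
        for rec in recs:
            if rec["type"] == "PROCTITLE":
                print(serial, "argv:", decode_proctitle(rec["proctitle"], "proctitle" in rec["quoted"]))
            elif rec["type"] == "ANOM_ABEND":
                print(serial, rec["comm"], "in", domain_of(rec["subj"]), "died with signal", rec["sig"])
    print("crashes with no audited denial:", find_silent_crashes(THREAD_LINES))
    print("same check with a constructed AVC present:", find_silent_crashes(WITH_AVC_LINES))
```

When the check reports a crash with no audited denial, the two things to verify next are the ones this thread already points at: whether the files involved carry the label policy expects (`ls -Z ~/.pki`, then `restorecon -R -v ~/.pki` as Daniel suggested), and whether a dontaudit rule is hiding the denial, which `semodule -DB` temporarily disables (and `semodule -B` restores) so that the AVC record, and with it the troubleshooter's message, appears.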
<br>
</body>
</html>