<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Did you run the restorecon command?<br>
    <br>
    It looks like chrome is allowed to read files labeled home_cert_t
    but might be blocked from other types.<br>
    <br>
    You could also turn off the chrome security using a boolean<br>
    <br>
    setsebool -P unconfined_chrome_sandbox_transition 1<br>
    <br>
    Which would do the equivalent of what you did in relabelling the
    executable to bin_t.<br>
     <br>
    <div class="moz-cite-prefix">On 10/27/2014 04:07 AM, Gian Luca
      Ortelli wrote:<br>
    </div>
    <blockquote
cite="mid:CA+HEA+pg1KBe7ni5e1uHjaEufUKqLOR7F6Q791Y=kes28=jTcw@mail.gmail.com"
      type="cite">
      <div dir="ltr">Hi,
        <div><br>
        </div>
        <div>my original fix was more coarse grained than this: I set
          the type of the chrome-sandbox to the generic SELinux
          executable (was it bin_t?).</div>
        <div><br>
        </div>
        <div>Anyway, I tried your suggestion (a chrome update broke my
          fix several days ago, and I was back to 'setenforce 0' mode)
          and it also solves the problem.</div>
        <div><br>
        </div>
        <div>Any ideas on why I don't get an explicit error message?
          Something like 'selinux is preventing chrome-sandbox from
          accessing .pki'? Or is the problem too indirect for selinux to
          figure out what's going wrong exactly?</div>
      </div>
      <div class="gmail_extra"><br clear="all">
        <div>
          <div dir="ltr">Kind regards,
            <div>  Gianluca Ortelli</div>
          </div>
        </div>
        <br>
        <div class="gmail_quote">On Fri, Oct 24, 2014 at 7:22 PM, Daniel
          J Walsh <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:dwalsh@redhat.com" target="_blank">dwalsh@redhat.com</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000">
              <div>
                <div class="h5"> <br>
                  <div>On 10/23/2014 02:28 AM, Gian Luca Ortelli wrote:<br>
                  </div>
                </div>
              </div>
              <blockquote type="cite">
                <div>
                  <div class="h5">
                    <div dir="ltr">
                      <div
                        style="font-family:arial,sans-serif;font-size:13px">Hi,</div>
                      <div
                        style="font-family:arial,sans-serif;font-size:13px"><br>
                      </div>
                      <div
                        style="font-family:arial,sans-serif;font-size:13px">I
                        recently had to do some selinux tuning to have
                        chrome correctly start on my fedora 20 box. I
                        googled around and eventually found the correct
                        type to apply to the chrome executable in order
                        to make it work.</div>
                      <div
                        style="font-family:arial,sans-serif;font-size:13px"><br>
                      </div>
                      <div
                        style="font-family:arial,sans-serif;font-size:13px">So
                        the problem is solved, but the error messages
                        that I got were much less informative than I
                        expected. After watching <a
                          moz-do-not-send="true"
                          href="https://www.youtube.com/watch?v=MxjenQ31b70"
                          target="_blank">https://www.youtube.com/watch?v=MxjenQ31b70</a> on
                        selinux configuration, I was expecting messages
                        in a format like "selinux is preventing X from
                        access on directory Y", but instead...</div>
                      <div
                        style="font-family:arial,sans-serif;font-size:13px"><br>
                      </div>
                      <div
                        style="font-family:arial,sans-serif;font-size:13px">'journal
                        -f' provided nothing useful; 'tail -f
                        /var/log/audit/audit.log' showed a couple of log
                        lines which actually mentioned chrome, but in
                        too generic a manner (see below):</div>
                      <div
                        style="font-family:arial,sans-serif;font-size:13px"><br>
                      </div>
                      <div
                        style="font-family:arial,sans-serif;font-size:13px">--------------------------------------</div>
                      <div
                        style="font-family:arial,sans-serif;font-size:13px">
                        <div>type=SYSCALL msg=audit(1413532031.170:387):
                          arch=c000003e syscall=56 success=yes exit=2394
                          a0=60000011 a1=0 a2=0 a3=0 items=0 ppid=2382
                          pid=2393 auid=1000 uid=1000 gid=1000 euid=0
                          suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000
                          tty=(none) ses=1 comm="chrome-sandbox"
                          exe="/opt/google/chrome/chrome-sandbox"
                          subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
                          key=(null)</div>
                        <div>type=PROCTITLE
                          msg=audit(1413532031.170:387):
proctitle=2F6F70742F676F6F676C652F6368726F6D652F6368726F6D652D73616E64626F78002F6F70742F676F6F676C652F6368726F6D652F6368726F6D65002D2D747970653D7A79676F7465</div>
                        <div>type=ANOM_ABEND
                          msg=audit(1413532031.195:388): auid=1000
                          uid=1000 gid=1000 ses=1
                          subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
                          pid=2394 comm="chrome"
                          exe="/opt/google/chrome/chrome" sig=11</div>
                      </div>
                      <div
                        style="font-family:arial,sans-serif;font-size:13px">--------------------------------------<br>
                      </div>
                      <div
                        style="font-family:arial,sans-serif;font-size:13px"><br>
                      </div>
                      <div
                        style="font-family:arial,sans-serif;font-size:13px">Before
                        I fixed the problem, launching google-chrome
                        from command line resulted in an error message
                        about the impossibility of creating
                        directory .pki/nssdb in my home. No mention of
                        this directory name in the audit.</div>
                      <div
                        style="font-family:arial,sans-serif;font-size:13px"><br>
                      </div>
                      <div
                        style="font-family:arial,sans-serif;font-size:13px">And
                        to finish, the SELinux troubleshooting tool
                        didn't show anything at all.</div>
                      <div
                        style="font-family:arial,sans-serif;font-size:13px"><br>
                      </div>
                      <div
                        style="font-family:arial,sans-serif;font-size:13px">Why
                        don't I see richer diagnostics? Am I missing
                        some configuration?</div>
                      <div
                        style="font-family:arial,sans-serif;font-size:13px"><br>
                      </div>
                      <br
                        style="font-family:arial,sans-serif;font-size:13px"
                        clear="all">
                      <div
                        style="font-family:arial,sans-serif;font-size:13px">
                        <div dir="ltr">Kind regards,
                          <div>  Gianluca Ortelli</div>
                        </div>
                      </div>
                    </div>
                    <br>
                    <br>
                  </div>
                </div>
                <pre>--
selinux mailing list
<a moz-do-not-send="true" href="mailto:selinux@lists.fedoraproject.org" target="_blank">selinux@lists.fedoraproject.org</a>
<a moz-do-not-send="true" href="https://admin.fedoraproject.org/mailman/listinfo/selinux" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/selinux</a></pre>
              </blockquote>
              What exactly did you do to fix the problem?  Did you have
              to fix the labels on .pki?  restorecon -R -v ~/.pki<br>
              <br>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
    </blockquote>
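    <p>The audit records quoted in the thread above (a SYSCALL, a hex-encoded PROCTITLE and an ANOM_ABEND with no AVC line anywhere near them) are the kind of evidence a defender ends up reading by hand. The following is an added example, not code from anyone in this thread: it parses such audit.log lines, decodes the proctitle, and flags a crash in a confined domain that has no AVC denial within a few seconds of it, which is the situation described here. The sample records are the three from the thread re-joined onto single lines; the AVC record is constructed to show the contrast.</p>

```python
import re

# Constructed sample: the three records quoted in the thread above, re-joined into
# one audit.log excerpt. Note that no AVC record is present.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1413532031.170:387): arch=c000003e syscall=56 success=yes exit=2394 a0=60000011 a1=0 a2=0 a3=0 items=0 ppid=2382 pid=2393 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="chrome-sandbox" exe="/opt/google/chrome/chrome-sandbox" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)
type=PROCTITLE msg=audit(1413532031.170:387): proctitle=2F6F70742F676F6F676C652F6368726F6D652F6368726F6D652D73616E64626F78002F6F70742F676F6F676C652F6368726F6D652F6368726F6D65002D2D747970653D7A79676F7465
type=ANOM_ABEND msg=audit(1413532031.195:388): auid=1000 uid=1000 gid=1000 ses=1 subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 pid=2394 comm="chrome" exe="/opt/google/chrome/chrome" sig=11
"""
# Constructed AVC record (not from the thread) showing what a logged denial looks like.
CONSTRUCTED_AVC = ('type=AVC msg=audit(1413532031.190:389): avc:  denied  { create } for  pid=2394 '
                   'comm="chrome" name="nssdb" scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 '
                   'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir\n')

HDR_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit.log line into type, timestamp, serial and its key=value fields."""
    m = HDR_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return {"type": rtype, "time": float(ts), "serial": int(serial), **fields}

def decode_proctitle(value):
    """auditd hex-encodes proctitle (NUL-separated argv) when it contains special characters."""
    if not re.fullmatch(r'[0-9A-Fa-f]+', value):
        return [value]
    return bytes.fromhex(value).decode("utf-8", "replace").split("\0")

def silent_crashes(log_text, window=5.0):
    """Return ANOM_ABEND records from a confined domain that have no AVC record within
    `window` seconds. A crash with no denial logged is worth a second look: the access
    may be covered by a dontaudit rule, so the denial never reaches audit.log."""
    records = [r for r in map(parse_record, log_text.splitlines()) if r]
    avc_times = [r["time"] for r in records if r["type"] == "AVC"]
    out = []
    for r in records:
        if r["type"] != "ANOM_ABEND":
            continue
        subj = r.get("subj", "").split(":")   # user:role:type:range; the type is the domain
        domain = subj[2] if len(subj) > 2 else ""
        if domain == "unconfined_t" or any(abs(r["time"] - t) <= window for t in avc_times):
            continue
        out.append({"pid": r["pid"], "comm": r["comm"], "domain": domain, "signal": int(r["sig"])})
    return out
```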
    <br>
  </body>
</html>