Hi,
I recently had to do some selinux tuning to have chrome correctly
start on my fedora 20 box. I googled around and eventually found the
correct type to apply to the chrome executable in order to make it work.
So the problem is solved, but the error messages that I got were much
less informative than I expected. After watching
https://www.youtube.com/watch?v=MxjenQ31b70 on selinux
configuration, I was expecting messages in a format like "selinux is
preventing X from access on directory Y", but instead...
'journal -f' provided nothing useful; 'tail -f
/var/log/audit/audit.log' showed a couple of log lines which actually
mentioned chrome, but in too generic a manner (see below):
--------------------------------------
type=SYSCALL msg=audit(1413532031.170:387): arch=c000003e syscall=56
success=yes exit=2394 a0=60000011 a1=0 a2=0 a3=0 items=0 ppid=2382
pid=2393 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000
sgid=1000 fsgid=1000 tty=(none) ses=1 comm="chrome-sandbox"
exe="/opt/google/chrome/chrome-sandbox"
subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)
type=PROCTITLE msg=audit(1413532031.170:387):
proctitle=2F6F70742F676F6F676C652F6368726F6D652F6368726F6D652D73616E64626F78002F6F70742F676F6F676C652F6368726F6D652F6368726F6D65002D2D747970653D7A79676F7465
type=ANOM_ABEND msg=audit(1413532031.195:388): auid=1000 uid=1000
gid=1000 ses=1
subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
pid=2394 comm="chrome" exe="/opt/google/chrome/chrome" sig=11
--------------------------------------
Before I fixed the problem, launching google-chrome from command line
resulted in an error message about the impossibility of creating
directory .pki/nssdb in my home. No mention of this directory name in
the audit.
And to finish, the SELinux troubleshooting tool didn't show anything
at all.
Why don't I see richer diagnostics? Am I missing some configuration?
Kind regards,
Gianluca Ortelli
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

What exactly did you do to fix the problem? Did you have to fix the
labels on .pki?

restorecon -R -v ~/.pki
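
Added example, not part of the thread: a short Python script that parses the three audit records quoted in the first message, decodes the hex-encoded proctitle field, and checks whether any record is of type AVC, the record type an SELinux denial is logged under. The function names and the one-entry syscall table are this example's own; the sample is the posted excerpt with the mail line wrapping undone.

```python
import re
import signal

# The three records from the post's audit.log excerpt, with the mail client's
# line wrapping undone (one record per line).
SAMPLE = """\
type=SYSCALL msg=audit(1413532031.170:387): arch=c000003e syscall=56 success=yes exit=2394 a0=60000011 a1=0 a2=0 a3=0 items=0 ppid=2382 pid=2393 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="chrome-sandbox" exe="/opt/google/chrome/chrome-sandbox" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)
type=PROCTITLE msg=audit(1413532031.170:387): proctitle=2F6F70742F676F6F676C652F6368726F6D652F6368726F6D652D73616E64626F78002F6F70742F676F6F676C652F6368726F6D652F6368726F6D65002D2D747970653D7A79676F7465
type=ANOM_ABEND msg=audit(1413532031.195:388): auid=1000 uid=1000 gid=1000 ses=1 subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 pid=2394 comm="chrome" exe="/opt/google/chrome/chrome" sig=11
"""

HEADER = re.compile(r"type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
SYSCALLS_X86_64 = {56: "clone"}  # only the number seen in the excerpt

def parse_record(line):
    """Split one audit.log line into type, event serial and raw key=value fields."""
    m = HEADER.match(line.strip())
    if m is None:
        return None
    rtype, _ts, serial, body = m.groups()
    return {"type": rtype, "serial": int(serial), "fields": dict(FIELD.findall(body))}

def decode_proctitle(raw):
    """Quoted values are literal; unquoted ones are hex with NUL-separated argv."""
    if raw.startswith('"'):
        return [raw.strip('"')]
    return [arg.decode("utf-8", "replace") for arg in bytes.fromhex(raw).split(b"\0") if arg]

def explain(log_text):
    """Summarise what the records say and whether any is an SELinux denial."""
    records = [r for r in map(parse_record, log_text.splitlines()) if r]
    out = {"types": [r["type"] for r in records], "argv": None, "syscall": None, "signal": None}
    for r in records:
        f = r["fields"]
        if r["type"] == "PROCTITLE":
            out["argv"] = decode_proctitle(f["proctitle"])
        elif r["type"] == "SYSCALL":
            nr = int(f["syscall"])
            out["syscall"] = SYSCALLS_X86_64.get(nr, str(nr))
        elif r["type"] == "ANOM_ABEND":
            out["signal"] = signal.Signals(int(f["sig"])).name
    # SELinux denials are logged as AVC records; none here means nothing to report.
    out["has_avc"] = any(t in ("AVC", "USER_AVC") for t in out["types"])
    return out

if __name__ == "__main__":
    for key, value in explain(SAMPLE).items():
        print(f"{key}: {value}")
```

On the posted excerpt this reports a successful clone by chrome-sandbox, the command line ending in --type=zygote, a SIGSEGV in chrome, and no AVC record.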