Is it possible to run chromium in a SELinux sandbox?

Daniel J Walsh dwalsh at redhat.com
Thu Jun 23 12:22:47 UTC 2011



On 06/23/2011 06:29 AM, GSO wrote:
> This thread went offline, however to bring things back online, it
> appears at least the binary download (running on SL6) of Firefox 5 just
> released does not work in the sandbox either.  The SELinux audit
> messages are:
> 
> Jun 22 21:40:22 localhost kernel: SELinux:  Permission audit_access in class dir not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux:  Permission execmod in class dir not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux:  Permission audit_access in class lnk_file not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux:  Permission open in class lnk_file not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux:  Permission execmod in class lnk_file not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux:  Permission audit_access in class chr_file not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux:  Permission audit_access in class blk_file not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux:  Permission execmod in class blk_file not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux:  Permission audit_access in class sock_file not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux:  Permission execmod in class sock_file not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux:  Permission audit_access in class fifo_file not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux:  Permission execmod in class fifo_file not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux:  Permission syslog in class capability2 not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux: the above unknown classes and permissions will be allowed
> Jun 22 21:40:24 localhost dbus: avc:  received policyload notice (seqno=5)
> Jun 22 21:40:24 localhost dbus: avc:  received policyload notice (seqno=5)
> Jun 22 21:40:24 localhost dbus: avc:  received policyload notice (seqno=5)
> Jun 22 21:40:24 localhost dbus: avc:  received policyload notice (seqno=5)
> Jun 22 21:40:24 localhost dbus: avc:  received policyload notice (seqno=5)
> Jun 22 21:40:24 localhost dbus: [system] Reloaded configuration
> 
> The sandbox window starts up but crashes before any sign of FF
> materialises; it works fine in permissive mode or unsandboxed otherwise.
> I've put the FF binaries in /opt.
> 
> On 19 June 2011 17:53, Dominick Grift <domg472 at gmail.com> wrote:
> 
>     On Sun, 2011-06-19 at 13:57 +0100, GSO wrote:
>     > The default build using the google repos results in chromium grinding to a
>     > halt with a black window when run in a sandbox.  Is it technically possible
>     > to run chrome in a sandbox, would building from source fix this at all?
> 
>     I do not think it will work since both sandbox and chrome use namespaces,
>     and chrome can't run if sandbox already runs in a namespace (or something
>     along those lines is my understanding of this issue).
> 
>     > --
>     > selinux mailing list
>     > selinux at lists.fedoraproject.org
>     > https://admin.fedoraproject.org/mailman/listinfo/selinux
> 

I looked for firefox5 x86_64 and did not quickly find it. If you know
where there is a link, I will look into what is going on; otherwise I
will wait until Fedora packages it.  It does seem strange that you are
getting those

 Permission audit_access in class sock_file not defined in policy.

errors. What OS are you using?  What kernel?
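An added example, not part of the thread: a small Python scanner that reads the kernel messages quoted above in their single-line syslog form (a constructed sample) and reports which permissions the running kernel defines that the loaded policy does not, together with the kernel's verdict on them. Such messages appear when the loaded policy is older than the kernel's class/permission definitions, which is why the kernel and OS version matter here; the "denied" wording is assumed as the counterpart of the "allowed" line quoted on the page.

```python
import re
from collections import defaultdict

# Constructed sample: kernel messages quoted in the thread, rejoined onto
# single lines as syslog writes them, plus one of the dbus lines as noise.
SAMPLE_LOG = """\
Jun 22 21:40:22 localhost kernel: SELinux:  Permission audit_access in class dir not defined in policy.
Jun 22 21:40:22 localhost kernel: SELinux:  Permission execmod in class dir not defined in policy.
Jun 22 21:40:22 localhost kernel: SELinux:  Permission open in class lnk_file not defined in policy.
Jun 22 21:40:22 localhost kernel: SELinux:  Permission execmod in class sock_file not defined in policy.
Jun 22 21:40:22 localhost kernel: SELinux:  Permission syslog in class capability2 not defined in policy.
Jun 22 21:40:22 localhost kernel: SELinux: the above unknown classes and permissions will be allowed
Jun 22 21:40:24 localhost dbus: avc:  received policyload notice (seqno=5)
"""

# "Permission X in class Y not defined in policy": the kernel knows a permission
# that the policy it just loaded does not declare, i.e. the policy is older
# than the kernel.
UNKNOWN_PERM = re.compile(
    r"kernel: SELinux:\s+Permission (?P<perm>\S+) in class (?P<cls>\S+) not defined in policy"
)
# The kernel's verdict on those unknowns. "allowed" is the wording on the page;
# "denied" is assumed to be the counterpart when the policy denies unknowns.
VERDICT = re.compile(
    r"kernel: SELinux:\s+the above unknown classes and permissions will be (?P<verdict>allowed|denied)"
)


def scan_policy_mismatch(log_text):
    """Return (missing, verdict): missing maps class -> sorted permissions the
    kernel defines but the loaded policy lacks; verdict is 'allowed', 'denied'
    or None when no verdict line was seen."""
    missing = defaultdict(set)
    verdict = None
    for line in log_text.splitlines():
        m = UNKNOWN_PERM.search(line)
        if m:
            missing[m.group("cls")].add(m.group("perm"))
            continue
        m = VERDICT.search(line)
        if m:
            verdict = m.group("verdict")
    return {cls: sorted(perms) for cls, perms in missing.items()}, verdict


def report(log_text):
    """One line per affected class; 'allowed' means the loaded policy can
    never deny these accesses, whatever its source says."""
    missing, verdict = scan_policy_mismatch(log_text)
    lines = [f"{cls}: {', '.join(perms)}" for cls, perms in sorted(missing.items())]
    lines.append(f"unknown permissions are {verdict or 'unreported'} by this kernel/policy")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```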