[sandbox] non permanent '-H'
Daniel J Walsh
dwalsh at redhat.com
Tue May 24 15:36:01 UTC 2011
On 05/24/2011 11:33 AM, Genes MailLists wrote:
> On 05/24/2011 11:17 AM, Daniel J Walsh wrote:
>
>> Well chromium-browser is complaining about
>>
>> Failed to more to new PID namespace: Operation not permitted
>>
>> Even in permissive mode. I guess the problem is that chromium can not
>> run within a sandbox.
>>
>> If you execute
>>
>> mkdir -p ~/sandbox/tmp
>> mkdir -p ~/sandbox/home
>> seunshare -t ~/sandbox/tmp -h ~/sandbox/home -- /usr/bin/chromium-browser
>>
>> You will get the error.
>>
>> I am not sure you can clone within a clone...
> Right, it doesn't work for sure. I had vague recollections of someone
> (you, I think?) saying they might try to touch base with the Google folks
> about coordinating to try to make the selinux sandbox work ... that was a few
> months ago ... but I don't remember when exactly ...
Basically it looks like the clone call within the chromium-browser is
failing.
I have a feeling this has something to do with seunshare calling
unshare(CLONE_NEWNS);
and then later chromium calling
clone(...)
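An added diagnostic, not from this thread or from seunshare or chromium, that replays the sequence Dan suspects: the process first does unshare(CLONE_NEWNS) the way seunshare does, then tries clone(CLONE_NEWPID) the way the chromium sandbox does, and reports which step fails with which errno. It also reads the capability bounding set, because clone(2) returns EPERM for CLONE_NEWPID when the caller lacks CAP_SYS_ADMIN, so a missing bounding-set bit is the first thing to rule out.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <linux/capability.h>
#include <unistd.h>

/* 1 if CAP_SYS_ADMIN is still in this process's capability bounding set,
 * 0 if it has been dropped. Without it (and without a user namespace),
 * both namespace calls below must fail with EPERM. */
int sys_admin_in_bounding_set(void)
{
    return prctl(PR_CAPBSET_READ, CAP_SYS_ADMIN, 0, 0, 0) == 1;
}

/* Step 1, what seunshare does: detach into a private mount namespace.
 * Returns 0 on success, otherwise the errno from unshare(2). */
int try_new_mount_ns(void)
{
    return unshare(CLONE_NEWNS) == 0 ? 0 : errno;
}

static int child_fn(void *arg) { (void)arg; return 0; }

/* Step 2, what the chromium sandbox does: clone a child into a new PID
 * namespace. Returns 0 on success, otherwise the errno from clone(2). */
int try_new_pid_ns(void)
{
    static char stack[64 * 1024];           /* child stack; clone uses the top */
    pid_t pid = clone(child_fn, stack + sizeof(stack),
                      CLONE_NEWPID | SIGCHLD, NULL);
    if (pid == -1)
        return errno;
    waitpid(pid, NULL, 0);                  /* reap the namespace init child */
    return 0;
}

int main(void)
{
    int mnt, pid;
    printf("CAP_SYS_ADMIN in bounding set: %s\n",
           sys_admin_in_bounding_set() ? "yes" : "no");
    mnt = try_new_mount_ns();
    printf("unshare(CLONE_NEWNS): %s\n", mnt ? strerror(mnt) : "ok");
    pid = try_new_pid_ns();
    printf("clone(CLONE_NEWPID):  %s\n", pid ? strerror(pid) : "ok");
    return (mnt || pid) ? 1 : 0;
}
```

Run it once as root and once under `seunshare` (or `sandbox -X`) and compare the two reports: if the unprivileged run shows "no" for the bounding set and EPERM for clone, the failure is a capability problem rather than an ordering problem between unshare and clone.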