SELinux
Genes MailLists
lists at sapience.com
Fri Jan 21 16:43:30 UTC 2011
On 01/21/2011 11:31 AM, Daniel J Walsh wrote:
>
> I think it has something about namespaces.
> If you run
>
> sandbox -X -t sandbox_web_t xterm
>
> Then launch chromium-browser from within the xterm, it complains about
>
> Failed to move to new PID namespace:Operation not permitted.
>
> Even in permissive mode.
>
> I think this indicates that chromium tried to launch the
> chromium-sandbox from within the SELinux sandbox, and the
> chromium-sandbox wants to use its own namespace and this is not allowed.
>
> So I guess this means you cannot run chromium within a sandbox -X
> environment.
>
> sandbox -X -t sandbox_web_t firefox
>
> Should work...
I should have thought to try that ... glad you did :-)

It's really unfortunate it doesn't work though ... this is such a great
feature ... any way around this? Any chance of tagging up with Google
Chrome developers to find a solution?

I don't understand because I am ignorant in large part on SELinux
details - does Chrome want to transition to a new SELinux type? Can we
make that namespace 'equivalent' to sandbox_web_t or some way to make
the transition allowed without really leaving your sandbox? Sorry if it's
a dumb question ...

Good that Firefox works, but Chrome is growing really fast ... be
good to find a way to make this fly ...