SELinux

Daniel J Walsh dwalsh at redhat.com
Fri Jan 21 16:49:52 UTC 2011



On 01/21/2011 11:43 AM, Genes MailLists wrote:
> On 01/21/2011 11:31 AM, Daniel J Walsh wrote:
> .
>>
>> I think it has something about namespaces.
>> If you run
>>
>> sandbox -X -t sandbox_web_t xterm
>>
>> Then launch chromium-browser from within the xterm, it complains about
>>
>> Failed to move to new PID namespace:Operation not permitted.
>>
>> Even in permissive mode.
>>
>> I think this indicates that chromium tried to launch the
>> chromium-sandbox from within the SELinux sandbox. and the
>> chromium-sandbox wants to use its own namespace and this is not allowed.
>>
>> So I guess this means you can not run chromium within a sandbox -X
>> environment.
>>
>> sandbox -X -t sandbox_web_t firefox
>>
>> Should work...
> 
>     I should have thought to try that ... glad you did :-)
> 
>    It's really unfortunate it doesn't work though ... this is such a great
> feature .. any way around this? Any chance of teaming up with Google
> Chrome developers to find a solution?
> 
>    I don't understand because I am ignorant in large part on SELinux
> details - does Chrome want to transition to a new SELinux type? Can we
> make that namespace 'equivalent' to sandbox_web_t or some way to make
> the transition allowed without really leaving your sandbox? Sorry if it's
> a dumb question ..
> 
No it is not really an SELinux issue.

sandbox is a lot more than SELinux.

sandbox creates a new namespace and then mounts tmp files on ~/ and
/tmp, which changes the namespace layout.

I think calling namespace from a namespace might be causing the problem.
But I am not sure.  We could open a conversation with the chromium
developers to see if they know what is going on.

I think we can try to run seunshare chromium-browser and take SELinux
out of the equation altogether.

seunshare is the tool sandbox -X is calling to create the new namespace
and mount the dirs.



> 
> 
>    Good that Firefox works, but Chrome is growing really fast ... it would be
> good to find a way to make this fly ...

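The reply above says that sandbox -X (through seunshare) builds a new mount namespace and puts private directories over ~/ and /tmp. The script below is an added example, not code from the thread or from the sandbox tool itself: it parses mountinfo text and reports whether those two paths carry their own mount entries, which is the layout a process started by sandbox -X should see. The sample mountinfo lines, the /tmp/.sandbox_* directory names and the /home/alice path are constructed for illustration.

```shell
#!/bin/sh
# Added example: check whether ~/ and /tmp are each covered by their own
# mount, the layout seunshare builds (new mount namespace, private dir
# bind-mounted over $HOME and another over /tmp).
# Assumption: mountinfo field 5 is the mount point (space-containing paths
# are octal-escaped in mountinfo, so plain field splitting is safe).

# Usage: sandbox_layout HOME_DIR < mountinfo_text
# Prints "sandboxed" when both ~/ and /tmp have their own mount entries,
# "partial" when only one does, "plain" when neither does.
sandbox_layout() {
    home="$1"
    awk -v home="$home" '
        # mountinfo: id parent major:minor root mountpoint options ...
        $5 == home   { h = 1 }
        $5 == "/tmp" { t = 1 }
        END {
            if (h && t)      print "sandboxed";
            else if (h || t) print "partial";
            else             print "plain";
        }'
}

# Constructed sample resembling what a sandbox -X process sees: the usual
# root filesystem plus two extra bind mounts covering /tmp and the home dir.
SAMPLE_SANDBOXED='22 1 253:0 / / rw,relatime - xfs /dev/mapper/root rw
31 22 253:0 /tmp/.sandbox_tmp_abc /tmp rw,relatime - xfs /dev/mapper/root rw
32 22 253:0 /tmp/.sandbox_home_abc /home/alice rw,relatime - xfs /dev/mapper/root rw'

# Constructed sample for an ordinary, un-sandboxed session.
SAMPLE_PLAIN='22 1 253:0 / / rw,relatime - xfs /dev/mapper/root rw
23 22 0:20 / /proc rw,nosuid - proc proc rw'

# Live check of the calling process (needs $HOME set); run with --self.
check_self() {
    sandbox_layout "$HOME" < /proc/self/mountinfo
}

if [ "${1:-}" = "--self" ]; then
    check_self
else
    printf '%s\n' "$SAMPLE_SANDBOXED" | sandbox_layout /home/alice
    printf '%s\n' "$SAMPLE_PLAIN" | sandbox_layout /home/alice
fi
```

Run it with `--self` from inside an `xterm` started by `sandbox -X` to confirm the private ~/ and /tmp are in place before launching a browser from that shell.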

