SELinux
Daniel J Walsh
dwalsh at redhat.com
Fri Jan 21 16:49:52 UTC 2011
On 01/21/2011 11:43 AM, Genes MailLists wrote:
> On 01/21/2011 11:31 AM, Daniel J Walsh wrote:
>>
>> I think it has something about namespaces.
>> If you run
>>
>> sandbox -X -t sandbox_web_t xterm
>>
>> Then launch chromium-browser from within the xterm, it complains about
>>
>> Failed to move to new PID namespace:Operation not permitted.
>>
>> Even in permissive mode.
>>
>> I think this indicates that chromium tried to launch the
>> chromium-sandbox from within the SELinux sandbox. and the
>> chromium-sandbox wants to use its own namespace and this is not allowed.
>>
>> So I guess this means you can not run chromium within a sandbox -X
>> environment.
>>
>> sandbox -X -t sandbox_web_t firefox
>>
>> Should work...
>
> I should have thought to try that ... glad you did :-)
>
> It's really unfortunate it doesn't work though ... this is such a great
> feature .. anyway around this ? Any chance of tagging up with google
> chrome developers to find a solution ?
>
> I don't understand because I am ignorant in large part on selinux
> details - does chrome want to transition to a new selinux type ? Can we
> make that namespace 'equivalent' to sandbox_web_t or some way to make
> the transition allowed without really leaving your sandbox? Sorry if it's
> a dumb question ..
>
No it is not really an SELinux issue.
sandbox is a lot more than SELinux.
sandbox creates a new namespace and then mounts tmp files on ~/ and
/tmp, which changes the namespace layout.
I think calling namespace from a namespace might be causing the problem.
But I am not sure. We could open a conversation with the chromium
developers to see if they know what is going on.
I think we can try to run seunshare chromium-browser and take SELinux
out of the equation altogether.
seunshare is the tool sandbox -X is calling to create the new namespace
and mount the dirs.
>
>
> Good that firefox works, but chrome is growing really fast ... be
> good to find a way to make this fly ...
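The isolation step Dan describes (take SELinux out of the equation and exercise the namespace layer on its own) as an added diagnostic script; this is not code from the thread or from the sandbox/seunshare tools. It assumes util-linux `unshare` and, where present, `getenforce`; it requests a user namespace alongside the PID namespace so the probe runs without root, which is a substitution for the `seunshare` invocation the thread mentions. The goal is the same: decide whether "Failed to move to new PID namespace: Operation not permitted" comes from SELinux policy (an AVC you would see in audit.log, gone in permissive mode) or from the namespace layer itself (still fails with SELinux not enforcing).

```shell
#!/bin/sh
# Added diagnostic, not from the original thread: separate the SELinux
# policy layer from the namespace layer when a sandboxed program fails to
# create its own PID namespace.

# Report the SELinux enforcement mode, or "unavailable" when getenforce is
# absent or prints nothing recognisable.
selinux_mode() {
    mode_out=""
    if command -v getenforce >/dev/null 2>&1; then
        mode_out="$(getenforce 2>/dev/null | tr '[:upper:]' '[:lower:]')"
    fi
    case "$mode_out" in
        enforcing|permissive|disabled) echo "$mode_out" ;;
        *) echo unavailable ;;
    esac
}

# Try the operation the chromium sandbox helper performs: create a new PID
# namespace from wherever this script runs (for example inside sandbox -X).
# A user namespace is unshared first so no privileges are required; the
# result tells whether nested namespace creation is permitted here at all.
nested_pid_ns() {
    if ! command -v unshare >/dev/null 2>&1; then
        echo unavailable
        return 0
    fi
    if unshare --user --pid --fork true >/dev/null 2>&1; then
        echo permitted
    else
        echo denied
    fi
}

# Combine both observations the way the thread reasons: a denial that
# persists with SELinux not enforcing points at the namespace layer,
# not at SELinux policy.
classify() {
    se="$1"
    ns="$2"
    case "$ns" in
        permitted)
            echo "nested PID namespace creation works; the failure is elsewhere" ;;
        unavailable)
            echo "unshare not installed; namespace layer not tested" ;;
        denied)
            case "$se" in
                enforcing)
                    echo "denied under enforcing: check audit.log for an AVC, then retry in permissive mode" ;;
                *)
                    echo "denied with SELinux $se: namespace layer, not SELinux policy, is blocking" ;;
            esac ;;
    esac
}

# Run the probe and print the verdict.
se_now="$(selinux_mode)"
ns_now="$(nested_pid_ns)"
echo "selinux=$se_now nested_pid_ns=$ns_now"
classify "$se_now" "$ns_now"
```

Run it once outside and once inside `sandbox -X -t sandbox_web_t xterm`; a result that flips from permitted to denied only inside the sandbox, and stays denied in permissive mode, reproduces the thread's finding without involving chromium at all.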