google-chrome + selinux + ecryptfs

Pal, Laszlo vlad at vlad.hu
Thu Jun 12 22:13:07 UTC 2014


Hi,

It seems running google-chrome on Fedora with SELinux enforcing is not
an easy job :) Most things are working; however, certain plugins
/ apps like Flash and offline Gmail crash... I can see some strange
log entries in my audit log like this:

node= type=SYSCALL msg=audit(1402610675.802:3612): arch=c000003e
syscall=47 success=yes exit=1 a0=12 a1=7f4cb29bb490 a2=40 a3=2 items=0
ppid=8 pid=13635 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000
fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2
comm="Chrome_ChildIOT" exe="/opt/google/chrome/chrome"
subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
key=(null)
node=tohuvabohu.balabit type=AVC msg=audit(1402610675.802:3613): avc:
denied  { write } for  pid=13634 comm="chrome"
path="/home/.ecryptfs/vlad/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWbWvaw.Yvr95kQA2hcGEJHBUib4Wf3DUd7gSom1uZp3eGnWRADC8b67AE--/ECRYPTFS_FNEK_ENCRYPTED.FXbWvaw.Yvr95kQA2hcGEJHBUib4Wf3DUd7gTtA3nsOQygKTjpvYs63foAeJEpmcXUfgP6gU.7wmAuY-/ECRYPTFS_FNEK_ENCRYPTED.FWbWvaw.Yvr95kQA2hcGEJHBUib4Wf3DUd7g5coEDCbOTnV-amR0ZN6y1---/ECRYPTFS_FNEK_ENCRYPTED.FWbWvaw.Yvr95kQA2hcGEJHBUib4Wf3DUd7gT3djTOmDHoPUHtuBzF97EU--/ECRYPTFS_FNEK_ENCRYPTED.FWbWvaw.Yvr95kQA2hcGEJHBUib4Wf3DUd7geU1qaFnPHLsuy1RmqbGnBE--/ECRYPTFS_FNEK_ENCRYPTED.FWbWvaw.Yvr95kQA2hcGEJHBUib4Wf3DUd7glEd5RSiZ49p5vw44TzFM3E--/ECRYPTFS_FNEK_ENCRYPTED.FWbWvaw.Yvr95kQA2hcGEJHBUib4Wf3DUd7gKBDK1Q1GxCxyo3TiIlYCnE--/ECRYPTFS_FNEK_ENCRYPTED.FWbWvaw.Yvr95kQA2hcGEJHBUib4Wf3DUd7gmuai.t4ZEmP-LatO12SQ.E--/ECRYPTFS_FNEK_ENCRYPTED.FWbWvaw.Yvr95kQA2hcGEJHBUib4Wf3DUd7gIB221z5L1BsC-c-sHPGaQ---/ECRYPTFS_FNEK_ENCRYPTED.FWbWvaw.Yvr95kQA2hcGEJHBUib4Wf3DUd7gqsU3WtY8FrzmtcENIeC0CE--/ECRYPTFS_FNEK_ENCRYPTED.FWbWvaw.Yvr95kQA2hcGEJHBUib4Wf3DUd7gt-ZfSVe491Z7eplRchJ3qE--/ECRYPTFS_FNEK_ENCRYPTED.FWbWvaw.Yvr95kQA2hcGEJHBUib4Wf3DUd7gSHKUZ6b8Mf6vlIo3pRzAj---/ECRYPTFS_FNEK_ENCRYPTED.FWbWvaw.Yvr95kQA2hcGEJHBUib4Wf3DUd7gC2jhQP5bAQcJMOMBLlUW1U--"
dev="dm-2" ino=16123428
scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:ecryptfs_t:s0 tclass=file

Is there any pre-cooked solution to run chrome in this environment and
keep selinux enforcing?

Thanks
L:
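
An added example, not part of the original post: a small Python triage script that groups audit records by event ID (timestamp:serial) and reduces each AVC denial to source type, target type, object class and permission. The sample input is the two records quoted above, abridged and joined onto one line each, with the long eCryptfs path replaced by a placeholder; the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: the two records from the post, abridged, with the
# encrypted eCryptfs path shortened to a placeholder.
SAMPLE = '''\
node= type=SYSCALL msg=audit(1402610675.802:3612): arch=c000003e syscall=47 success=yes exit=1 pid=13635 comm="Chrome_ChildIOT" exe="/opt/google/chrome/chrome" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)
node=tohuvabohu.balabit type=AVC msg=audit(1402610675.802:3613): avc:  denied  { write } for  pid=13634 comm="chrome" path="/home/.ecryptfs/vlad/.Private/PLACEHOLDER" dev="dm-2" ino=16123428 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:ecryptfs_t:s0 tclass=file
'''

HEADER = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):')
AVC = re.compile(r'avc:\s+(denied|granted)\s+\{ ([^}]*) \} for\s')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def se_type(context):
    # An SELinux context is user:role:type[:level]; the type is field 3.
    return context.split(':')[2]

def parse(text):
    """Group records by audit event id: (timestamp, serial)."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = HEADER.search(line)
        if not m:
            continue
        rec = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
        rec['type'] = m.group(1)
        a = AVC.search(line)
        if a:
            rec['result'], rec['perms'] = a.group(1), a.group(2).split()
        events[(m.group(2), int(m.group(3)))].append(rec)
    return dict(events)

def denials(events):
    """Summarise each denied AVC; note whether a SYSCALL record shares its event."""
    out = []
    for eid, recs in sorted(events.items()):
        for r in recs:
            if r['type'] != 'AVC' or r.get('result') != 'denied':
                continue
            out.append({
                'event': eid, 'comm': r['comm'],
                'source': se_type(r['scontext']),
                'target': se_type(r['tcontext']),
                'class': r['tclass'], 'perms': r['perms'],
                'syscall_in_event': any(x['type'] == 'SYSCALL' for x in recs),
            })
    return out
```

Run over the sample, `denials(parse(SAMPLE))` reports one denial, `chrome_sandbox_t` writing a `file` labelled `ecryptfs_t`, and shows that the quoted SYSCALL record (serial 3612) belongs to a different audit event than the AVC record (serial 3613).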

