
Re: Is it possible to run chromium in a SELinux sandbox?



This thread went offline; however, to bring things back online, it appears that at least the binary download (running on SL6) of the just-released Firefox 5 does not work in the sandbox either.  The SELinux audit messages are:

Jun 22 21:40:22 localhost kernel: SELinux:  Permission audit_access in class dir not defined in policy.
Jun 22 21:40:22 localhost kernel: SELinux:  Permission execmod in class dir not defined in policy.
Jun 22 21:40:22 localhost kernel: SELinux:  Permission audit_access in class lnk_file not defined in policy.
Jun 22 21:40:22 localhost kernel: SELinux:  Permission open in class lnk_file not defined in policy.
Jun 22 21:40:22 localhost kernel: SELinux:  Permission execmod in class lnk_file not defined in policy.
Jun 22 21:40:22 localhost kernel: SELinux:  Permission audit_access in class chr_file not defined in policy.
Jun 22 21:40:22 localhost kernel: SELinux:  Permission audit_access in class blk_file not defined in policy.
Jun 22 21:40:22 localhost kernel: SELinux:  Permission execmod in class blk_file not defined in policy.
Jun 22 21:40:22 localhost kernel: SELinux:  Permission audit_access in class sock_file not defined in policy.
Jun 22 21:40:22 localhost kernel: SELinux:  Permission execmod in class sock_file not defined in policy.
Jun 22 21:40:22 localhost kernel: SELinux:  Permission audit_access in class fifo_file not defined in policy.
Jun 22 21:40:22 localhost kernel: SELinux:  Permission execmod in class fifo_file not defined in policy.
Jun 22 21:40:22 localhost kernel: SELinux:  Permission syslog in class capability2 not defined in policy.
Jun 22 21:40:22 localhost kernel: SELinux: the above unknown classes and permissions will be allowed
Jun 22 21:40:24 localhost dbus: avc:  received policyload notice (seqno=5)
Jun 22 21:40:24 localhost dbus: avc:  received policyload notice (seqno=5)
Jun 22 21:40:24 localhost dbus: avc:  received policyload notice (seqno=5)
Jun 22 21:40:24 localhost dbus: avc:  received policyload notice (seqno=5)
Jun 22 21:40:24 localhost dbus: avc:  received policyload notice (seqno=5)
Jun 22 21:40:24 localhost dbus: [system] Reloaded configuration

The sandbox window starts up but crashes before any sign of FF materialises; it works fine in permissive mode or unsandboxed otherwise.  I've put the FF binaries in /opt.

On 19 June 2011 17:53, Dominick Grift <domg472@xxxxxxxxx> wrote:


On Sun, 2011-06-19 at 13:57 +0100, GSO wrote:
> The default build using the google repos results in chromium grinding to a
> halt with a black window when run in a sandbox.  Is it technically possible
> to run chrome in a sandbox, would building from source fix this at all?

I do not think it will work since both sandbox and chrome use namespace
and chrome can't run if sandbox already runs in a namespace (or something
along those lines is my understanding of this issue)

> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
