
Fwd: Is it possible to run chromium in a SELinux sandbox?



On 23 June 2011 13:22, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/23/2011 06:29 AM, GSO wrote:
> This thread went offline, however to bring things back online, it
> appears at least the binary download (running on SL6) of Firefox 5 just
> released does not work in the sandbox either.  The SELinux audit
> messages are:
>
> Jun 22 21:40:22 localhost kernel: SELinux:  Permission audit_access in
> class dir not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux:  Permission execmod in class
> dir not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux:  Permission audit_access in
> class lnk_file not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux:  Permission open in class
> lnk_file not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux:  Permission execmod in class
> lnk_file not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux:  Permission audit_access in
> class chr_file not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux:  Permission audit_access in
> class blk_file not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux:  Permission execmod in class
> blk_file not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux:  Permission audit_access in
> class sock_file not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux:  Permission execmod in class
> sock_file not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux:  Permission audit_access in
> class fifo_file not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux:  Permission execmod in class
> fifo_file not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux:  Permission syslog in class
> capability2 not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux: the above unknown classes and
> permissions will be allowed
> Jun 22 21:40:24 localhost dbus: avc:  received policyload notice (seqno=5)
> Jun 22 21:40:24 localhost dbus: avc:  received policyload notice (seqno=5)
> Jun 22 21:40:24 localhost dbus: avc:  received policyload notice (seqno=5)
> Jun 22 21:40:24 localhost dbus: avc:  received policyload notice (seqno=5)
> Jun 22 21:40:24 localhost dbus: avc:  received policyload notice (seqno=5)
> Jun 22 21:40:24 localhost dbus: [system] Reloaded configuration
>
> The sandbox window starts up but crashes before any sign of FF
> materialises, works fine in permissive mode or unsandboxed otherwise.
>  I've put the FF binaries in /opt.
>
> On 19 June 2011 17:53, Dominick Grift <domg472@xxxxxxxxx> wrote:
>
>
>
>     On Sun, 2011-06-19 at 13:57 +0100, GSO wrote:
>     > The default build using the google repos results in chromium
>     > grinding to a halt with a black window when run in a sandbox.  Is it
>     > technically possible to run chrome in a sandbox, would building from
>     > source fix this at all?
>
>     I do not think it will work since both sandbox and chrome use namespaces,
>     and chrome can't run if sandbox already runs in a namespace (or something
>     along those lines is my understanding of this issue)
>
>     > --
>     > selinux mailing list
>     > selinux@xxxxxxxxxxxxxxxxxxxxxxx
I looked for firefox5 x86_64 and did not quickly find it; if you know
where there is a link, I will look into what is going on, otherwise I
will wait until Fedora packages it.  It does seem strange that you are
getting those

 Permission audit_access in class sock_file not defined in policy.

errors.  What OS are you using?  What kernel?


That was Scientific Linux 6.  I was also running Tor (through openvpn), so that might have complicated matters.  I had also been messing around with Tor to get it to send all net traffic through Tor, and the install was tainted at that point (I never was able to get that to work; similar SELinux audit errors to the above, funnily enough).  I had also built and installed the latest kernel, as I have to do to get my webcams working (2 cams I have do not work with the default RHEL6 kernel).

However I've just installed the Fedora security spin, should be an untainted install (I am 'under attack' here!), Firefox 5 likewise crashes, though with no SELinux audit messages in /var/log/messages as far as I can see (just a few 'received policyload notice' lines).

Likewise, chromium grinds to a halt at the usual black background, again with no SELinux audit messages, not even the 'policyload' notice ones (assuming I've got it set up properly to report them).

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
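The "Permission X in class Y not defined in policy" lines quoted in this thread are printed by the kernel when it knows a class or permission that the policy just loaded does not define, which is what a self-built kernel newer than the distribution's policy produces; the trailing "the above unknown classes and permissions will be allowed" line reports the policy's handle-unknown setting. The script below is an added example for this page, not code from the thread or from the SELinux project. It pulls the (class, permission) pairs out of such log text and, on a host where selinuxfs is mounted (/selinux on RHEL 6, /sys/fs/selinux on later Fedora), checks each pair against what the loaded policy actually exposes under <selinuxfs>/class/<class>/perms/ and prints the deny_unknown flag. The sample log embedded in it is constructed, modelled on the quoted lines; it is not a captured log.

```shell
#!/bin/sh
# Added example for this page, not code from the thread or from the SELinux
# project. It extracts the (class, permission) pairs from kernel messages of
# the form "SELinux:  Permission X in class Y not defined in policy." and,
# when selinuxfs is mounted, checks each pair against what the loaded policy
# actually defines under <selinuxfs>/class/<class>/perms/.

# Constructed sample log, modelled on the lines quoted in the thread (this is
# not a captured log).
SAMPLE_LOG='Jun 22 21:40:22 localhost kernel: SELinux:  Permission audit_access in class dir not defined in policy.
Jun 22 21:40:22 localhost kernel: SELinux:  Permission execmod in class dir not defined in policy.
Jun 22 21:40:22 localhost kernel: SELinux:  Permission syslog in class capability2 not defined in policy.
Jun 22 21:40:22 localhost kernel: SELinux: the above unknown classes and permissions will be allowed
Jun 22 21:40:24 localhost dbus: avc:  received policyload notice (seqno=5)'

# undefined_perms: read log text on stdin, print one "class permission" pair
# per line for every "not defined in policy" message.
undefined_perms() {
    sed -n 's/.*SELinux:[[:space:]]*Permission \([^ ]*\) in class \([^ ]*\) not defined in policy\..*/\2 \1/p'
}

# unknown_disposition: what the kernel said it does with the unknown
# classes/permissions; prints "allow", "deny" or "unknown" (no such line).
unknown_disposition() {
    text=$(cat)
    case "$text" in
        *'unknown classes and permissions will be allowed'*) echo allow ;;
        *'unknown classes and permissions will be denied'*)  echo deny ;;
        *) echo unknown ;;
    esac
}

# check_loaded_policy: read log text on stdin and compare each pair with the
# loaded policy via selinuxfs (/selinux on RHEL 6, /sys/fs/selinux later).
# Returns 2 if selinuxfs is not mounted, so it degrades cleanly off-box.
check_loaded_policy() {
    selfs=$(awk '$3 == "selinuxfs" { print $2; exit }' /proc/mounts 2>/dev/null)
    if [ -z "$selfs" ]; then
        echo "selinuxfs not mounted; cannot compare against the loaded policy" >&2
        return 2
    fi
    # deny_unknown is 1 when the policy tells the kernel to deny unknown
    # classes/permissions, 0 when it allows them.
    [ -r "$selfs/deny_unknown" ] && echo "deny_unknown=$(cat "$selfs/deny_unknown")"
    undefined_perms | while read -r class perm; do
        if [ ! -d "$selfs/class/$class" ]; then
            echo "missing   $class $perm  (class not in loaded policy)"
        elif [ -e "$selfs/class/$class/perms/$perm" ]; then
            echo "defined   $class $perm"
        else
            echo "missing   $class $perm  (permission not in loaded policy)"
        fi
    done
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | undefined_perms
echo "kernel disposition for unknowns: $(printf '%s\n' "$SAMPLE_LOG" | unknown_disposition)"
printf '%s\n' "$SAMPLE_LOG" | check_loaded_policy || true
```

On the affected host, feed the real kernel log in place of the sample (for example `dmesg | check_loaded_policy` after sourcing the file). Every pair reported as missing confirms that the running kernel is ahead of the loaded policy. Note also the disposition: when the kernel reports that unknown classes and permissions "will be allowed", a check on one of those undefined permissions cannot itself produce a denial, so the sandbox failure has to be looked for in the ordinary AVC records rather than in these lines.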
