On 06/23/2011 06:25 PM, GSO wrote:
> On 23 June 2011 13:22, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>
> On 06/23/2011 06:29 AM, GSO wrote:
> > This thread went offline, however to bring things back online, it
> > appears at least the binary download (running on SL6) of Firefox 5 just
> > released does not work in the sandbox either. The SELinux audit
> > messages are:
> >
> > Jun 22 21:40:22 localhost kernel: SELinux: Permission audit_access in class dir not defined in policy.
> > Jun 22 21:40:22 localhost kernel: SELinux: Permission execmod in class dir not defined in policy.
> > Jun 22 21:40:22 localhost kernel: SELinux: Permission audit_access in class lnk_file not defined in policy.
> > Jun 22 21:40:22 localhost kernel: SELinux: Permission open in class lnk_file not defined in policy.
> > Jun 22 21:40:22 localhost kernel: SELinux: Permission execmod in class lnk_file not defined in policy.
> > Jun 22 21:40:22 localhost kernel: SELinux: Permission audit_access in class chr_file not defined in policy.
> > Jun 22 21:40:22 localhost kernel: SELinux: Permission audit_access in class blk_file not defined in policy.
> > Jun 22 21:40:22 localhost kernel: SELinux: Permission execmod in class blk_file not defined in policy.
> > Jun 22 21:40:22 localhost kernel: SELinux: Permission audit_access in class sock_file not defined in policy.
> > Jun 22 21:40:22 localhost kernel: SELinux: Permission execmod in class sock_file not defined in policy.
> > Jun 22 21:40:22 localhost kernel: SELinux: Permission audit_access in class fifo_file not defined in policy.
> > Jun 22 21:40:22 localhost kernel: SELinux: Permission execmod in class fifo_file not defined in policy.
> > Jun 22 21:40:22 localhost kernel: SELinux: Permission syslog in class capability2 not defined in policy.
> > Jun 22 21:40:22 localhost kernel: SELinux: the above unknown classes and permissions will be allowed
> > Jun 22 21:40:24 localhost dbus: avc: received policyload notice (seqno=5)
> > Jun 22 21:40:24 localhost dbus: avc: received policyload notice (seqno=5)
> > Jun 22 21:40:24 localhost dbus: avc: received policyload notice (seqno=5)
> > Jun 22 21:40:24 localhost dbus: avc: received policyload notice (seqno=5)
> > Jun 22 21:40:24 localhost dbus: avc: received policyload notice (seqno=5)
> > Jun 22 21:40:24 localhost dbus: [system] Reloaded configuration
> >
> > The sandbox window starts up but crashes before any sign of FF
> > materialises, works fine in permissive mode or unsandboxed otherwise.
> > I've put the FF binaries in /opt.
> >
> > On 19 June 2011 17:53, Dominick Grift <domg472@xxxxxxxxx> wrote:
> >
> > On Sun, 2011-06-19 at 13:57 +0100, GSO wrote:
> > > The default build using the google repos results in chromium grinding to a
> > > halt with a black window when run in a sandbox. Is it technically possible
> > > to run chrome in a sandbox, would building from source fix this at all?
> >
> > I do not think it will work since both sandbox and chrome use namespace
> > and chrome can't run if sandbox already runs in a namespace (or something
> > along those lines is my understanding of this issue)
> >
> > > --
> > > selinux mailing list
> > > selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > > https://admin.fedoraproject.org/mailman/listinfo/selinux
>
> I looked for firefox5 x86_64 and did not quickly find it, if you know
> where there is a link, I will look into what is going on, otherwise I
> will wait until Fedora Packages it. It does seem strange that you are
> getting those
>
> Permission audit_access in class sock_file not defined in policy.
>
> errors, What OS are you using? What kernel?
>
>
> That was Scientific Linux 6, I was also running Tor (through openvpn),
> so that might have complicated matters. I had also been messing around
> with Tor to get it to send all net traffic through tor, and the install
> was tainted at that point (I never was able to get that to work, similar
> SELinux audit errors to the above funnily enough). I had also built and
> installed the latest kernel as I have to do to get my webcams working (2
> cams I have do not work with the default RHEL6 kernel).
>
> However I've just installed the Fedora security spin, should be an
> untainted install (I am 'under attack' here!), Firefox 5 likewise
> crashes, though with no SELinux audit messages in /var/log/messages as
> far as I can see (just a few 'received policyload notice' lines).
>
> Likewise chromium grinds to a halt at the usual black background, no
> SELinux audit messages again, not even the 'policyload' notice ones
> (assuming I've got it set up properly to report them).

Well I know Chrome does not run under the sandbox.

On firefox5 try to turn off dontaudit rules and see if it generates any
AVC messages

# semodule -DB
> sandbox -X -t sandbox_web_t -W metacity firefox5
# ausearch -m avc -ts recent
# semodule -B
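
Added example, not part of the thread or of any project's code: the kernel lines quoted above report permissions that the loaded policy does not define and contain no `avc: denied` record, which is why the reply asks for dontaudit rules to be switched off before searching for AVCs. The sketch below sorts such log lines into policy-load notices and real denials; the function name `triage` is hypothetical and the denial line uses constructed placeholder contexts.

```python
import re
from collections import defaultdict

# Policy-load notice: the kernel knows a permission the loaded policy lacks.
UNDEFINED = re.compile(
    r"SELinux:\s+Permission (\w+) in class (\w+) not defined in policy")
# How the kernel will treat those unknown permissions.
DISPOSITION = re.compile(
    r"SELinux:\s+the above unknown classes and permissions will be (\w+)")
# An actual access denial recorded by the AVC.
DENIAL = re.compile(r"avc:\s+denied\s+\{ ([^}]+) \}.*?tclass=(\w+)")

# Subset of the lines quoted in the thread.
THREAD_LOG = """\
Jun 22 21:40:22 localhost kernel: SELinux: Permission audit_access in class dir not defined in policy.
Jun 22 21:40:22 localhost kernel: SELinux: Permission execmod in class dir not defined in policy.
Jun 22 21:40:22 localhost kernel: SELinux: Permission open in class lnk_file not defined in policy.
Jun 22 21:40:22 localhost kernel: SELinux: Permission syslog in class capability2 not defined in policy.
Jun 22 21:40:22 localhost kernel: SELinux: the above unknown classes and permissions will be allowed
Jun 22 21:40:24 localhost dbus: avc: received policyload notice (seqno=5)
Jun 22 21:40:24 localhost dbus: [system] Reloaded configuration
"""

# Constructed denial (placeholder pid, names and contexts) for contrast.
CONSTRUCTED_DENIAL = (
    'type=AVC msg=audit(1308850000.000:100): avc:  denied  { read } for '
    'pid=1234 comm="example" name="example.conf" dev=dm-0 ino=1 '
    'scontext=example_u:example_r:example_t:s0 '
    'tcontext=example_u:object_r:example_file_t:s0 tclass=file\n')


def triage(log_text):
    """Separate policy-load notices from real AVC denials."""
    undefined = defaultdict(list)          # class -> undefined permissions
    result = {"undefined": undefined, "disposition": None,
              "policyloads": 0, "denials": []}
    for line in log_text.splitlines():
        if m := UNDEFINED.search(line):
            undefined[m.group(2)].append(m.group(1))
        elif m := DISPOSITION.search(line):
            result["disposition"] = m.group(1)
        elif "received policyload notice" in line:
            result["policyloads"] += 1
        elif m := DENIAL.search(line):
            result["denials"].append((m.group(2), m.group(1).split()))
    return result


if __name__ == "__main__":
    for name, text in (("thread", THREAD_LOG), ("constructed", CONSTRUCTED_DENIAL)):
        print(name, triage(text))
```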