Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 465574 - chromium-27.0.1453 with SELinux support forced disabled fails
Summary: chromium-27.0.1453 with SELinux support forced disabled fails
Status: VERIFIED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: SE Linux Bugs
URL:
Whiteboard: sec-policy r1
Keywords:
Depends on:
Blocks:
 
Reported: 2013-04-11 18:42 UTC by Sven Vermeulen (RETIRED)
Modified: 2013-06-16 17:57 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sven Vermeulen (RETIRED) gentoo-dev 2013-04-11 18:42:05 UTC 
I disabled selinux support in chromium as I couldn't get it to work at all (regardless of policy). By switching back to the "regular" mode, I know I can now update the policy to make it supported.

I opt for this method instead of the "build-in SELinux support" as, from what I read on the Internet, the SELinux-support in chromium is actually /not/ supported (just provided as-is).

I'll leave in the chromium_renderer_t support in the policy, but will try to get the regular installation confined as well (with the standard zygote sandbox).

Reproducible: Always
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2013-04-11 18:43:53 UTC 
Starting chromium:

$ chromium
LaunchProcess: failed to execvp:
/usr/lib64/chromium-browser/chrome_sandbox

In the denial logs, we notice that chrome_sandbox is not labeled correctly. Labeling it as bin_t yields:

$ chromium
Failed to move to new PID namespace: Operation not permitted

In the AVC denials, it shows that we need sys_admin capability. okay...

$ chromium
Setting RLIMIT_NOFILE: Permission denied
[1:1:0411/203220:ERROR:setuid_sandbox_client.cc(124)] Failed to write to chroot pipe: Broken pipe
[1:1:0411/203220:FATAL:zygote_main_linux.cc(479)] Failed to enter sandbox. Fail safe abort. (errno: 32)

Now needs setuid/setgit and a couple of other. However, I'm now taking a step back and will create a chromium_sandbox_t domain for the chrome_sandbox binary. Don't feel too good to grant the entire chromium_t domain those privileges if I can isolate it.
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2013-04-11 20:13:11 UTC 
I just pushed out the necessary changes to get things to work. It provides two additional SELinux domains, one for the sandbox and one for the nacl_helper.
Comment 3 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2013-04-26 23:47:32 UTC 
I've found a workaround: launch chromium with --no-sandbox.

Given that it's confined by SELinux, it's not as bad as it may sound. Still, I'd like to fix the underlying cause, but the above gives some clue about what is happening.
Comment 4 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2013-05-01 21:31:31 UTC 
FYI:

  01 May 2013; Pawel Hajdan jr
  chromium-27.0.1453.65.ebuild, chromium-28.0.1490.2.ebuild,
  chromium-9999-r1.ebuild:
  Disable unmaintained upstream SELinux mode, bug #465574 by swift, bug #467954
  by Dominik Kriegner.
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2013-05-06 18:26:33 UTC 
In main tree,  ~arch'ed (20130424-r1 release)
Comment 6 Sven Vermeulen (RETIRED) gentoo-dev 2013-06-16 17:57:34 UTC 
Now stable in repo