
"Paweł Hajdan, Jr." 09-24-2012 06:53 PM

testing selinux-chromium, problem with xdg file contexts
 
I installed selinux-chromium for testing, and chromium failed to start
in SELinux enforcing mode:

$ chromium
[2557:2557:1727940797:ERROR:process_singleton_linux.cc(263)] Failed to create /home/ph/.config/chromium/SingletonLock: Permission denied
[2557:2557:1727941544:ERROR:chrome_browser_main.cc(1552)] Failed to create a ProcessSingleton for your profile directory. This means that running multiple instances would start multiple browser processes rather than opening a new window in the existing process. Aborting now to avoid profile corruption.

audit messages:

# audit2allow -d
#============= chromium_t ==============
allow chromium_t xdg_config_home_t:file create;
allow chromium_t xdg_config_home_t:lnk_file { read create };

[ 107.872466] type=1400 audit(1348505952.982:67): avc: denied { read } for pid=2166 comm="chrome" name="SingletonLock" dev="sda1" ino=522327 scontext=unconfined_u:unconfined_r:chromium_t tcontext=unconfined_u:object_r:xdg_config_home_t tclass=lnk_file
[ 107.873916] type=1400 audit(1348505952.983:68): avc: denied { create } for pid=2178 comm="Chrome_FileThre" name=".org.chromium.Chromium.ZO3dGF" scontext=unconfined_u:unconfined_r:chromium_t tcontext=unconfined_u:object_r:xdg_config_home_t tclass=file

Now the problem is these files should have context
chromium_xdg_config_t, but have xdg_config_home_t. Even deleting
$HOME/.config/chromium and $HOME/.cache/chromium doesn't help.

$ ls -lZd ~/.config/chromium/
drwx------. 2 ph ph unconfined_u:object_r:xdg_config_home_t 4096 Sep 24
19:22 /home/ph/.config/chromium/

I also tried "restorecon -R -F /home/ph", but that didn't help either.
Here are relevant lines from
/etc/selinux/targeted/contexts/files/file_contexts.homedirs:

/home/[^/]*/.cache/chromium(/.*) unconfined_u:object_r:chromium_xdg_cache_t
/home/[^/]*/.config/chromium(/.*) unconfined_u:object_r:chromium_xdg_config_t

Just in case, here is the state of my chromium SELinux booleans:

# semanage boolean -l | grep chromium
chromium_manage_user_content (off , off) Allow chromium to write (manage) user content
chromium_read_user_content (on , on) Allow chromium to read user content
chromium_read_system_info (off , off) Allow chromium to read system information
chromium_use_java (off , off) Allow the use of java plugins

Note that the problem also occurs when setting
chromium_manage_user_content to on.

What are further steps I should take to debug the issue?
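
Added example (not part of the original post): a small Python triage of the AVC records above against the quoted file_contexts.homedirs entries, reporting whether each denial's target type differs from the type the file-context rules assign to that path. The function names, the verdict strings and the simplified last-match-wins lookup are assumptions of this example; libselinux's real matching also ranks entries by specificity.

```python
import re

# Sample input: the AVC records and file_contexts.homedirs lines quoted in the post, wrapped lines rejoined.
AVC_LOG = """\
type=1400 audit(1348505952.982:67): avc: denied { read } for pid=2166 comm="chrome" name="SingletonLock" dev="sda1" ino=522327 scontext=unconfined_u:unconfined_r:chromium_t tcontext=unconfined_u:object_r:xdg_config_home_t tclass=lnk_file
type=1400 audit(1348505952.983:68): avc: denied { create } for pid=2178 comm="Chrome_FileThre" name=".org.chromium.Chromium.ZO3dGF" scontext=unconfined_u:unconfined_r:chromium_t tcontext=unconfined_u:object_r:xdg_config_home_t tclass=file
"""
FILE_CONTEXTS = """\
/home/[^/]*/.cache/chromium(/.*) unconfined_u:object_r:chromium_xdg_cache_t
/home/[^/]*/.config/chromium(/.*) unconfined_u:object_r:chromium_xdg_config_t
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?name="(?P<name>[^"]*)"'
                    r'.*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

def parse_avc(log):
    """Return one dict per AVC denial with perms, name, source/target type and class."""
    out = []
    for m in AVC_RE.finditer(log):
        d = m.groupdict()
        out.append({"perms": d["perms"].split(), "name": d["name"], "tclass": d["tclass"],
                    "source_type": d["scon"].split(":")[2], "target_type": d["tcon"].split(":")[2]})
    return out

def expected_type(path, file_contexts):
    """Simplified lookup (assumption): the last entry whose regex matches the whole path wins."""
    found = None
    for line in file_contexts.splitlines():
        fields = line.split()
        if len(fields) >= 2 and re.fullmatch(fields[0], path):
            found = fields[-1].split(":")[2]
    return found

def triage(log, file_contexts, directory):
    """Mark each denial 'label-mismatch' or 'policy-gap' for objects named under directory."""
    results = []
    for d in parse_avc(log):
        want = expected_type(f"{directory}/{d['name']}", file_contexts)
        verdict = "label-mismatch" if want and want != d["target_type"] else "policy-gap"
        results.append((d["name"], d["tclass"], d["target_type"], want, verdict))
    return results

if __name__ == "__main__":
    for row in triage(AVC_LOG, FILE_CONTEXTS, "/home/ph/.config/chromium"):
        print(row)
```

A "label-mismatch" verdict means the denial names a target type other than the one the file-context entries assign to that path, which is a labelling question rather than a missing allow rule.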

