On 01/21/2011 11:43 AM, Genes MailLists wrote:
> On 01/21/2011 11:31 AM, Daniel J Walsh wrote:
>>
>> I think it has something about namespaces.
>> If you run
>>
>> sandbox -X -t sandbox_web_t xterm
>>
>> Then launch chromium-browser from within the xterm, it complains about
>>
>> Failed to move to new PID namespace:Operation not permitted.
>>
>> Even in permissive mode.
>>
>> I think this indicates that chromium tried to launch the
>> chromium-sandbox from within the SELinux sandbox, and the
>> chromium-sandbox wants to use its own namespace and this is not allowed.
>>
>> So I guess this means you cannot run chromium within a sandbox -X
>> environment.
>>
>> sandbox -X -t sandbox_web_t firefox
>>
>> Should work...
>
> I should have thought to try that ... glad you did :-)
>
> It's really unfortunate it doesn't work tho ... this is such a great
> feature .. any way around this? Any chance of tagging up with google
> chrome developers to find a solution?
>
> I don't understand because I am ignorant in large part on selinux
> details - does chrome want to transition to a new selinux type? Can we
> make that namespace 'equivalent' to sandbox_web_t or some way to make
> the transition allowed without really leaving your sandbox? Sorry if it's
> a dumb question ..
>

No, it is not really an SELinux issue. sandbox is a lot more than SELinux.

sandbox creates a new namespace and then mounts tmp files on ~/ and /tmp, which changes the namespace layout. I think calling namespace from a namespace might be causing the problem. But I am not sure. We could open a conversation with the chromium developers to see if they know what is going on.

I think we can try to run seunshare chromium-browser and take SELinux out of the equation altogether. seunshare is the tool sandbox -X is calling to create the new namespace and mount the dirs.

>
>
> Good that firefox works, but chrome is growing really fast ... be
> good to find a way to make this fly ...
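
A way to check the namespace question raised in the message above without involving Chromium or SELinux policy, as an added example that is not from the thread, from Chromium or from policycoreutils: the C probe below tries to create a new PID namespace from the current context and reports whether CAP_SYS_ADMIN, which the kernel requires for CLONE_NEWPID outside a user namespace, is in the effective and bounding sets. The function names are illustrative, and it assumes Linux with /proc mounted.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/sched.h>   /* CLONE_NEWPID */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#define CAP_SYS_ADMIN_BIT 21   /* CAP_SYS_ADMIN in linux/capability.h */

/* Find a field ("CapEff:" or "CapBnd:") in /proc/<pid>/status text.
 * Returns 1 if CAP_SYS_ADMIN is set, 0 if clear, -1 if field missing. */
int cap_sys_admin_in(const char *status_text, const char *field)
{
    const char *p = strstr(status_text, field);
    if (!p) return -1;
    unsigned long long caps = strtoull(p + strlen(field), NULL, 16);
    return (int)((caps >> CAP_SYS_ADMIN_BIT) & 1ULL);
}

/* Try unshare(CLONE_NEWPID) in a forked child so the caller is untouched.
 * Returns 0 on success, the child's errno on failure, -1 if it could not run. */
int probe_new_pid_namespace(void)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0)
        _exit(syscall(SYS_unshare, CLONE_NEWPID) == 0 ? 0 : errno);
    int st;
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st)) return -1;
    return WEXITSTATUS(st);
}

int main(void)
{
    char buf[4096] = "";
    FILE *f = fopen("/proc/self/status", "r");
    if (f) {
        buf[fread(buf, 1, sizeof buf - 1, f)] = '\0';
        fclose(f);
    }
    int rc = probe_new_pid_namespace();
    printf("CAP_SYS_ADMIN effective: %d\n", cap_sys_admin_in(buf, "CapEff:"));
    printf("CAP_SYS_ADMIN in bounding set: %d\n", cap_sys_admin_in(buf, "CapBnd:"));
    printf("unshare(CLONE_NEWPID): %s\n",
           rc == 0 ? "ok" : rc > 0 ? strerror(rc) : "probe failed");
    return rc != 0;
}
```

Run as an unprivileged user, the unshare call returns EPERM in any context, so the informative comparison is the bounding-set line inside and outside the xterm started by `sandbox -X`: a setuid helper cannot acquire a capability that is missing from the bounding set.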