LISTSERV - SCIENTIFIC-LINUX-USERS Archives

SCIENTIFIC-LINUX-USERS Archives

September 2011

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

	LISTSERV Archives
	SCIENTIFIC-LINUX-USERS Home
	SCIENTIFIC-LINUX-USERS September 2011

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	Chrome SELinux problem on SL 6.1 64bit with NFS-mounted home directory
From:	Kay Diederichs <[log in to unmask]>
Reply To:	Kay Diederichs <[log in to unmask]>
Date:	Thu, 22 Sep 2011 16:21:50 +0200
Content-Type:	multipart/signed
Parts/Attachments:	text/plain (2537 bytes) , smime.p7s (5 kB)

Dear all,

we installed google-chrome-stable-14.0.835.186-101821.x86_64 on both the 
NFSv4 clients, and the file server of our SL 6.1 cluster.

On the NFS clients, Chrome cannot display certain webpages (e.g. the 
https://docs.google.com/?pli=1#owned-by-me page, nor the user's Google 
calendar); just the "Aw, snap" page is shown which indicates a problem. 
I found that "setenforce 0" on the client gets rid of the problem, but 
disabling SELinux is not an option.

Weird enough, there is no proper setroubleshoot message in 
/var/log/messages on the clients when this occurs. But I find in 
/var/log/audit/audit.log the following:

[root@client ~]#  grep chrome /var/log/audit/audit.log | tail -1
type=SYSCALL msg=audit(1316684717.865:39632): arch=c000003e syscall=56 
success=yes exit=0 a0=60000011 a1=0 a2=0 a3=0 items=0 ppid=4628 pid=4629 
auid=1110 uid=1110 gid=20 euid=0 suid=0 fsuid=0 egid=20 sgid=20 fsgid=20 
tty=(none) ses=4 comm="chrome-sandbox" 
exe="/opt/google/chrome/chrome-sandbox" 
subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)
I tried to feed this into audit2allow but get an error message.

/var/log/messages has the following:
Sep 22 11:23:40 client gnome-keyring-daemon[2633]: couldn't allocate 
secure memory to keep passwords and or keys from being written to the disk

No such problems exist if I start Chrome on the NFS server (which also 
has SELinux enabled).

Some googling brought up the recommendation of
restorecon -R -v ~/.config
but this didn't help - it didn't change the labels at all.

ls -dZ .config on the server is
drwx------. dikay games unconfined_u:object_r:config_home_t:s0 .config
and on the clients:
drwx------. dikay games system_u:object_r:nfs_t:s0       .config

ls -Zd .config/google-chrome gives
drwxr-xr-x. dikay games unconfined_u:object_r:config_home_t:s0 gnome-session
on the server, and
drwx------. dikay games system_u:object_r:nfs_t:s0       google-chrome/
on the clients.

The clients mount the home directories with a simple
server:/home             /home                   nfs     bg,intr
line in /etc/fstab.

Does anybody have a solution?

thanks,

Kay
-- 
Kay Diederichs                http://strucbio.biologie.uni-konstanz.de
email: [log in to unmask]    Tel +49 7531 88 4049 Fax 3183
Fachbereich Biologie, Universität Konstanz, Box M647, D-78457 Konstanz

This e-mail is digitally signed. If your e-mail client does not have the
necessary capabilities, just ignore the attached signature "smime.p7s".

ATOM RSS1 RSS2

LISTSERV.FNAL.GOV