Date: Thu, 22 Sep 2011 09:24:17 -0700
On 2011-09-22 7:21, Kay Diederichs wrote:
> Dear all,
>
> we installed google-chrome-stable-14.0.835.186-101821.x86_64 on both the
> NFSv4 clients, and the file server of our SL 6.1 cluster.
>
> On the NFS clients, Chrome cannot display certain webpages (e.g. the
> https://docs.google.com/?pli=1#owned-by-me page, nor the user's Google
> calendar); just the "Aw, snap" page is shown which indicates a problem.
> I found that "setenforce 0" on the client gets rid of the problem, but
> disabling SELinux is not an option.
>
> Weird enough, there is no proper setroubleshoot message in
> /var/log/messages on the clients when this occurs. But I find in
> /var/log/audit/audit.log the following:
>
> [root@client ~]# grep chrome /var/log/audit/audit.log | tail -1
> type=SYSCALL msg=audit(1316684717.865:39632): arch=c000003e syscall=56
> success=yes exit=0 a0=60000011 a1=0 a2=0 a3=0 items=0 ppid=4628 pid=4629
> auid=1110 uid=1110 gid=20 euid=0 suid=0 fsuid=0 egid=20 sgid=20 fsgid=20
> tty=(none) ses=4 comm="chrome-sandbox"
> exe="/opt/google/chrome/chrome-sandbox"
> subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)
>
> I tried to feed this into audit2allow but get an error message.

audit2allow needs the corresponding AVC denial; the SYSCALL message
doesn't contain enough information. When searching for denials that
happened within the past few minutes I suggest using ``ausearch
--success no --start recent''. Its output is suitable for piping to
audit2why or audit2allow.
--
Garrett Holmstrom
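
The point made in the reply, as an added example that is not part of the original message: audit records that share the same `msg=audit(timestamp:serial)` id belong to one event, and only an event that includes an AVC record carries the permission, source type, target type and class a policy rule is built from. The first sample record is the SYSCALL line quoted in the thread; the AVC record, the second SYSCALL record and the `example_*` names are constructed for illustration, and the parsing is a simplified sketch rather than how audit2allow itself works.

```python
import re
from collections import defaultdict

# Constructed sample log. The first record is the SYSCALL line quoted in the
# thread (rejoined onto one line); the other two are made up for illustration.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1316684717.865:39632): arch=c000003e syscall=56 success=yes exit=0 a0=60000011 a1=0 a2=0 a3=0 items=0 ppid=4628 pid=4629 auid=1110 uid=1110 gid=20 euid=0 suid=0 fsuid=0 egid=20 sgid=20 fsgid=20 tty=(none) ses=4 comm="chrome-sandbox" exe="/opt/google/chrome/chrome-sandbox" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1316684800.100:39700): avc:  denied  { read } for  pid=5000 comm="example" name="data" dev=sda1 ino=1234 scontext=system_u:system_r:example_domain_t:s0 tcontext=system_u:object_r:example_file_t:s0 tclass=file
type=SYSCALL msg=audit(1316684800.100:39700): arch=c000003e syscall=2 success=no exit=-13 a0=0 a1=0 a2=0 a3=0 items=0 ppid=1 pid=5000 comm="example" exe="/usr/bin/example" subj=system_u:system_r:example_domain_t:s0 key=(null)
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
AVC = re.compile(r"avc:\s+denied\s+\{ ([^}]*)\} for .*?"
                 r"scontext=(\S+) tcontext=(\S+) tclass=(\S+)")

def group_events(text):
    """Group audit records by event id (timestamp:serial)."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            rtype, ts, serial, body = m.groups()
            events[(ts, serial)].append((rtype, body))
    return dict(events)

def denials(events):
    """Return what a policy rule needs, for each event that has an AVC record."""
    out = {}
    for key, records in events.items():
        for rtype, body in records:
            m = AVC.search(body) if rtype == "AVC" else None
            if m:
                perms, scon, tcon, tclass = m.groups()
                out[key] = {"perms": perms.split(),
                            "source_type": scon.split(":")[2],
                            "target_type": tcon.split(":")[2],
                            "tclass": tclass}
    return out

def syscall_only(events):
    """Events with no AVC record: nothing here for audit2allow to work from."""
    return sorted(k for k, recs in events.items()
                  if all(rtype != "AVC" for rtype, _ in recs))

if __name__ == "__main__":
    ev = group_events(SAMPLE_LOG)
    print("denials:", denials(ev))
    print("no AVC:", syscall_only(ev))
```

The event from the thread lands in `syscall_only`, which matches the reply: the SYSCALL record names the process and its SELinux context but not what was denied.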