I installed selinux-chromium for testing, and chromium failed to start in SELinux enforcing mode:

$ chromium
[2557:2557:1727940797:ERROR:process_singleton_linux.cc(263)] Failed to create /home/ph/.config/chromium/SingletonLock: Permission denied
[2557:2557:1727941544:ERROR:chrome_browser_main.cc(1552)] Failed to create a ProcessSingleton for your profile directory. This means that running multiple instances would start multiple browser processes rather than opening a new window in the existing process. Aborting now to avoid profile corruption.

audit messages:

# audit2allow -d

#============= chromium_t ==============
allow chromium_t xdg_config_home_t:file create;
allow chromium_t xdg_config_home_t:lnk_file { read create };

[ 107.872466] type=1400 audit(1348505952.982:67): avc: denied { read } for pid=2166 comm="chrome" name="SingletonLock" dev="sda1" ino=522327 scontext=unconfined_u:unconfined_r:chromium_t tcontext=unconfined_u:object_r:xdg_config_home_t tclass=lnk_file
[ 107.873916] type=1400 audit(1348505952.983:68): avc: denied { create } for pid=2178 comm="Chrome_FileThre" name=".org.chromium.Chromium.ZO3dGF" scontext=unconfined_u:unconfined_r:chromium_t tcontext=unconfined_u:object_r:xdg_config_home_t tclass=file

Now the problem is these files should have context chromium_xdg_config_t, but have xdg_config_home_t. Even deleting $HOME/.config/chromium and $HOME/.cache/chromium doesn't help.

$ ls -lZd ~/.config/chromium/
drwx------. 2 ph ph unconfined_u:object_r:xdg_config_home_t 4096 Sep 24 19:22 /home/ph/.config/chromium/

I also tried "restorecon -R -F /home/ph", but that didn't help either.

Here are relevant lines from /etc/selinux/targeted/contexts/files/file_contexts.homedirs:

/home/[^/]*/.cache/chromium(/.*)     unconfined_u:object_r:chromium_xdg_cache_t
/home/[^/]*/.config/chromium(/.*)    unconfined_u:object_r:chromium_xdg_config_t

Just in case, here is the state of my chromium SELinux booleans:

# semanage boolean -l | grep chromium
chromium_manage_user_content (off , off) Allow chromium to write (manage) user content
chromium_read_user_content (on , on) Allow chromium to read user content
chromium_read_system_info (off , off) Allow chromium to read system information
chromium_use_java (off , off) Allow the use of java plugins

Note that the problem also occurs when setting chromium_manage_user_content to on.

What are further steps I should take to debug the issue?