On 2011-09-22 7:21, Kay Diederichs wrote:
> Dear all,
>
> we installed google-chrome-stable-14.0.835.186-101821.x86_64 on both the
> NFSv4 clients, and the file server of our SL 6.1 cluster.
>
> On the NFS clients, Chrome cannot display certain webpages (e.g. the
> https://docs.google.com/?pli=1#owned-by-me page, nor the user's Google
> calendar); just the "Aw, snap" page is shown which indicates a problem.
>
> I found that "setenforce 0" on the client gets rid of the problem, but
> disabling SELinux is not an option.
>
> Weirdly enough, there is no proper setroubleshoot message in
> /var/log/messages on the clients when this occurs. But I find in
> /var/log/audit/audit.log the following:
>
> [root@client ~]# grep chrome /var/log/audit/audit.log | tail -1
> type=SYSCALL msg=audit(1316684717.865:39632): arch=c000003e syscall=56
> success=yes exit=0 a0=60000011 a1=0 a2=0 a3=0 items=0 ppid=4628 pid=4629
> auid=1110 uid=1110 gid=20 euid=0 suid=0 fsuid=0 egid=20 sgid=20 fsgid=20
> tty=(none) ses=4 comm="chrome-sandbox"
> exe="/opt/google/chrome/chrome-sandbox"
> subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)
>
> I tried to feed this into audit2allow but get an error message.

audit2allow needs the corresponding AVC denial; the SYSCALL message
doesn't contain enough information. When searching for denials that
happened within the past few minutes I suggest using ``ausearch
--success no --start recent''. Its output is suitable for piping to
audit2why or audit2allow.
--
Garrett Holmstrom
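
Added example (not part of the original thread, and not code from the audit tools): a small Python parser that groups audit.log records by event serial and shows that the SYSCALL record quoted above carries no denial to build a rule from, while an AVC record carries the permissions, source context, target context and class. The second event and its `example_*` names are constructed for illustration.

```python
import re

# Record header: type=NAME msg=audit(EPOCH.MSEC:SERIAL): body
HEADER = re.compile(r"^type=(\S+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$")
DENIED = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE = [
    # The SYSCALL record quoted in the post, rejoined onto one line.
    'type=SYSCALL msg=audit(1316684717.865:39632): arch=c000003e syscall=56 '
    'success=yes exit=0 a0=60000011 a1=0 a2=0 a3=0 items=0 ppid=4628 pid=4629 '
    'auid=1110 uid=1110 gid=20 euid=0 suid=0 fsuid=0 egid=20 sgid=20 fsgid=20 '
    'tty=(none) ses=4 comm="chrome-sandbox" '
    'exe="/opt/google/chrome/chrome-sandbox" '
    'subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)',
    # Constructed event (not from the thread): an AVC denial plus its SYSCALL.
    'type=AVC msg=audit(1316684800.100:39640): avc:  denied  { read } for  '
    'pid=4700 comm="example" name="example.dat" dev=sda1 ino=12345 '
    'scontext=unconfined_u:unconfined_r:example_t:s0 '
    'tcontext=system_u:object_r:example_file_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1316684800.100:39640): arch=c000003e syscall=2 '
    'success=no exit=-13 items=0 pid=4700 comm="example" key=(null)',
]

def group_events(lines):
    """Group records by serial (enough to identify an event in this sample)."""
    events = {}
    for line in lines:
        m = HEADER.match(line.strip())
        if m:
            events.setdefault(m.group(3), []).append((m.group(1), m.group(4)))
    return events

def denials(lines):
    """Return the AVC denials with the fields a policy rule is built from."""
    found = []
    for serial, records in group_events(lines).items():
        for rtype, body in records:
            m = DENIED.search(body)
            if rtype == "AVC" and m:
                f = {k: v.strip('"') for k, v in FIELD.findall(body)}
                found.append({"serial": serial, "perms": m.group(1).split(),
                              "scontext": f.get("scontext"),
                              "tcontext": f.get("tcontext"),
                              "tclass": f.get("tclass")})
    return found

def syscall_only(lines):
    """Serials of events that have SYSCALL records but no AVC record."""
    return [s for s, recs in group_events(lines).items()
            if {t for t, _ in recs} == {"SYSCALL"}]
```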