Daniel J Walsh replied
My goal is not to get into the blame game, but google-chrome requires
some strange access that I have never seen an app need before.
Basically an application chrome-sandbox needing to load the
executable (not shared library) chrome which was not compiled with
PIC. The latest chrome browser from beta release requires mmap_zero,
which is a very dangerous access that we will not give.
If you do not want SELinux controlling chrome-sandbox you can turn off
the boolean unconfined_chrome_sandbox_transition
setsebool -P unconfined_chrome_sandbox_transition 0
-
[root@f14 ~]# setsebool -P unconfined_chrome_sandbox_transition 0
libsemanage.dbase_llist_set: record not found in the database (No such
file or directory).
libsemanage.dbase_llist_set: could not set record value (No such file
or directory).
Could not change boolean unconfined_chrome_sandbox_transition
Could not change policy booleans
so that failed; all greek to me.
>
http://fedoraproject.org/wiki/Chromium
The link above has a version of chrome, specially built for Fedora
which should work fine with SELinux.
Daniel, I will keep this as a fallback solution
-------
Lancebaynes87 replied
give this out with root:
semanage fcontext -a -s system_u -t usr_t /opt/google/chrome/chrome-sandbox
restorecon -v /opt/google/chrome/chrome-sandbox
[root@f14 ~]# restorecon -v /opt/google/chrome/chrome-sandbox
restorecon reset /opt/google/chrome/chrome-sandbox context
system_u:object_r:chrome_sandbox_exec_t:s0->system_u:object_r:usr_t:s0
Now, chrome comes up!
Thanks to Daniel for the explanation, even though my understanding is weak-to-nil.
Thanks to Lance for the fix!
Jack