Bug 1251991

Summary: SELinux is preventing Chromium from using the setcap access on a process
Product: Red Hat Enterprise Linux 6 Reporter: Tomas Popela <tpopela>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: high Docs Contact:
Priority: high    
Version: 6.8CC: bgollahe, dwalsh, jkurik, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde, tlavigne
Target Milestone: rcKeywords: ZStream
Target Release: 6.8   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1258392 (view as bug list) Environment:
Last Closed: 2016-05-10 20:00:54 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1258392    

Description Tomas Popela 2015-08-10 13:11:18 UTC 
Description of problem:

The current beta version of Chromium (self build 45.0.2454.x) fails to load anything on up to date RHEL 6 as it wants to use setcap inside its SUID sandbox (to drop capabilities on a newly forked process). The change was introduced with [0] as a part of changes [1] that will result in deep separation of various browser components. Previously failure of setcap was not fatal, but with [2] the situation changed and now the process will crash and the sandbox initialization will fail.

[0] - https://codereview.chromium.org/1158793003
[1] - https://code.google.com/p/chromium/issues/detail?id=460972
[2] - https://codereview.chromium.org/download/issue1158793003_60001_70004.diff


SELinux is preventing /opt/chromium-browser-beta/chromium-browser-beta from using the setcap access on a process.


*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that chromium-browser-beta should be allowed setcap access on processes labeled chrome_sandbox_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep chromium-browse /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
                              0.c1023
Target Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
                              0.c1023
Target Objects                 [ process ]
Source                        chromium-browse
Source Path                   /opt/chromium-browser-beta/chromium-browser-beta
Port                          <Unknown>
Host                          rhel6.4-2
Source RPM Packages           chromium-browser-beta-45.0.2454.26-1.el6.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-279.el6.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     rhel6.4-2
Platform                      Linux rhel6.4-2 2.6.32-573.1.1.el6.x86_64 #1 SMP
                              Tue Jul 14 02:46:51 EDT 2015 x86_64 x86_64
Alert Count                   6
First Seen                    Mon 10 Aug 2015 12:13:02 PM CEST
Last Seen                     Mon 10 Aug 2015 12:29:14 PM CEST
Local ID                      c8fe0c27-7823-4003-8c62-47f6917c9dcf

Raw Audit Messages
type=AVC msg=audit(1439202554.586:15): avc:  denied  { setcap } for  pid=3296 comm="chromium-browse" scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tclass=process


type=SYSCALL msg=audit(1439202554.586:15): arch=x86_64 syscall=capset success=no exit=EACCES a0=7ffeff9b6ca0 a1=7ffeff9b6cb0 a2=7fa262c4a2a0 a3=7fa265ad3960 items=0 ppid=3 pid=3296 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=chromium-browse exe=/opt/chromium-browser-beta/chromium-browser-beta subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Hash: chromium-browse,chrome_sandbox_t,chrome_sandbox_t,process,setcap

audit2allow

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t self:process setcap;

audit2allow -R

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t self:process setcap;
Comment 8 errata-xmlrpc 2016-05-10 20:00:54 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0763.html