Bug 1251996

Summary: SELinux is preventing Google Chrome from using the setcap access on a process
Product: Red Hat Enterprise Linux 7
Reporter: Tomas Popela <tpopela>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: unspecified
Docs Contact:
Priority: high
Version: 7.1
CC: bgollahe, clintonminton, imantc, jsvarova, lvrabec, mgrepl, mmalik, mymailbox.de, plautrba, pvrabec, ralston, ssekidde
Target Milestone: rc
Keywords: ZStream
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-43.el7
Doc Type: Bug Fix
Doc Text:
Due to SELinux preventing /opt/google/chrome-beta/chrome from using the setcap access on a process, the Google Chrome process previously terminated unexpectedly and the sandbox initialization failed. This update adds the chrome_sandbox_t SELinux policy, and Google Chrome no longer crashes in the described scenario.
Story Points: ---
Clone Of:
: 1254565
Environment:
Last Closed: 2015-11-19 10:43:17 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1254565

Description Tomas Popela 2015-08-10 13:14:23 UTC
Description of problem:

The current beta version of Google Chrome (45.0.2454.x from the official repo) fails to load anything on an up-to-date RHEL 7, as it wants to use setcap inside its SUID sandbox (to drop capabilities on a newly forked process). The change was introduced with [0] as a part of the changes in [1] that will result in deep separation of various browser components. Previously, failure of setcap was not fatal, but with [2] the situation changed and now the process will crash and the sandbox initialization will fail.

[0] - https://codereview.chromium.org/1158793003
[1] - https://code.google.com/p/chromium/issues/detail?id=460972
[2] - https://codereview.chromium.org/download/issue1158793003_60001_70004.diff

SELinux is preventing /opt/google/chrome-beta/chrome from using the setcap access on a process.

*****  Plugin chrome (98.5 confidence) suggests   ****************************

If you want to use the plugin package
Then you must turn off SELinux controls on the Chrome plugins.
Do
# setsebool -P unconfined_chrome_sandbox_transition 0

*****  Plugin catchall (2.46 confidence) suggests   **************************

If you believe that chrome should be allowed setcap access on processes labeled chrome_sandbox_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep chrome /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
Target Objects                Unknown [ process ]
Source                        chrome
Source Path                   /opt/google/chrome-beta/chrome
Port                          <Unknown>
Host                          rhel7.0
Source RPM Packages           google-chrome-beta-45.0.2454.26-1.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-23.el7_1.13.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     rhel7.0
Platform                      Linux rhel7.0 3.10.0-229.11.1.el7.x86_64 #1 SMP Wed Jul 22 12:06:11 EDT 2015 x86_64 x86_64
Alert Count                   25
First Seen                    2015-08-10 14:09:02 CEST
Last Seen                     2015-08-10 14:11:24 CEST
Local ID                      ca4a2a28-46c8-4354-aa80-bd7dbe3d4d28

Raw Audit Messages
type=AVC msg=audit(1439208684.64:281): avc:  denied  { setcap } for  pid=17407 comm="chrome" scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tclass=process


type=SYSCALL msg=audit(1439208684.64:281): arch=x86_64 syscall=capset success=no exit=EACCES a0=7ffe979cd938 a1=7ffe979cd920 a2=7ffe979cd920 a3=7f09b0b22270 items=0 ppid=17246 pid=17407 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm=chrome exe=/opt/google/chrome-beta/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Hash: chrome,chrome_sandbox_t,chrome_sandbox_t,process,setcap

Comment 2 Lukas Vrabec 2015-08-12 11:57:30 UTC
Hi Tomas,
I suggest moving this to 7.3 in the selinux-policy package, and you could create your own SELinux custom module, where you add all the rules you need for 7.2. How? Here is a nice tutorial for that: http://lvrabec-selinux.rhcloud.com/2015/07/07/how-to-create-selinux-product-policy/

Then we add these rules from your module to our distro policy.

Feel free to contact me about your own SELinux module.

Thank you

Comment 3 Lukas Vrabec 2015-08-18 07:59:28 UTC
commit 4865036db550a75083d19d2d60e31f09c3613c89
Author: Lukas Vrabec <lvrabec>
Date:   Tue Aug 18 09:57:50 2015 +0200

    Allow chrome setcap to itself.
    Resolves: #1251996
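
As an added illustration (not code from the bug report or from the selinux-policy project): a small Python script that parses the raw AVC record quoted in the description and derives the local policy module that Comment 2 suggests building for 7.2, which comes out to the same self-rule the commit above describes. The module name chrome_sandbox_setcap and the output layout are assumptions; the script only approximates what audit2allow -M would emit.

```python
import re

# The raw AVC record quoted verbatim from the bug description above.
AVC_LINE = (
    'type=AVC msg=audit(1439208684.64:281): avc:  denied  { setcap } for  '
    'pid=17407 comm="chrome" '
    'scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 '
    'tclass=process'
)

AVC_RE = re.compile(r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split one AVC record into verdict, permission list and its key=value fields."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError('not an AVC record')
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['verdict'] = m.group('verdict')
    fields['perms'] = sorted(m.group('perms').split())
    return fields


def type_of(context):
    """Return the type field of a user:role:type:range security context."""
    return context.split(':')[2]


def allow_rule(avc):
    """Derive the TE allow rule the denial maps to; 'self' when source and target types match."""
    src, tgt = type_of(avc['scontext']), type_of(avc['tcontext'])
    target = 'self' if src == tgt else tgt
    return f"allow {src} {target}:{avc['tclass']} {{ {' '.join(avc['perms'])} }};"


def module_source(avc, name='chrome_sandbox_setcap'):
    """Render a local policy module in the shape audit2allow -M produces (module name assumed)."""
    if avc['verdict'] != 'denied':
        raise ValueError('only denials need an allow rule')
    types = sorted({type_of(avc['scontext']), type_of(avc['tcontext'])})
    body = [f'module {name} 1.0;', '', 'require {']
    body += [f'\ttype {t};' for t in types]
    body += [f"\tclass {avc['tclass']} {{ {' '.join(avc['perms'])} }};", '}', '', allow_rule(avc)]
    return '\n'.join(body) + '\n'


if __name__ == '__main__':
    print(module_source(parse_avc(AVC_LINE)))
```

The printed module can be compiled and loaded with checkmodule -M -m, semodule_package and semodule -i, the same chain audit2allow -M runs for you.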

Comment 7 Deepankar De 2015-10-12 21:44:29 UTC
Here is a fix that worked for me. http://www.revragnarok.com/blog/blog/ChromeC7

Comment 8 I.Cekusins 2015-10-21 12:44:21 UTC
selinux-policy package fixes this

Comment 10 errata-xmlrpc 2015-11-19 10:43:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html