Bug 1251996
Summary: | SELinux is preventing Google Chrome from using the setcap access on a process | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Tomas Popela <tpopela> | |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> | |
Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> | |
Severity: | unspecified | Docs Contact: | ||
Priority: | high | |||
Version: | 7.1 | CC: | bgollahe, clintonminton, imantc, jsvarova, lvrabec, mgrepl, mmalik, mymailbox.de, plautrba, pvrabec, ralston, ssekidde | |
Target Milestone: | rc | Keywords: | ZStream | |
Target Release: | --- | |||
Hardware: | All | |||
OS: | Linux | |||
Whiteboard: | ||||
Fixed In Version: | selinux-policy-3.13.1-43.el7 | Doc Type: | Bug Fix | |
Doc Text: |
Due to SELinux preventing /opt/google/chrome-beta/chrome from using the setcap access on a process, the Google Chrome process previously terminated unexpectedly and the sandbox initialization failed. This update adds the chrome_sandbox_t SELinux policy, and Google Chrome no longer crashes in the described scenario.
|
Story Points: | --- | |
Clone Of: | ||||
: | 1254565 (view as bug list) | Environment: | ||
Last Closed: | 2015-11-19 10:43:17 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 1254565 |
Description
Tomas Popela
2015-08-10 13:14:23 UTC
Hi Tomas, I suggest to move this to 7.3 in selinux-policy package, and you could create own selinux custom module, where you add all rules you needed for 7.2. How? Here is nice tutorial for that: http://lvrabec-selinux.rhcloud.com/2015/07/07/how-to-create-selinux-product-policy/ Then we add these rules from your module to our disto policy. Feel free to contact me about selinux own module. Thank you commit 4865036db550a75083d19d2d60e31f09c3613c89 Author: Lukas Vrabec <lvrabec> Date: Tue Aug 18 09:57:50 2015 +0200 Allow chrome setcap to itself. Resolves: #1251996 Here is a fix that worked for me. http://www.revragnarok.com/blog/blog/ChromeC7 selinux-policy package fixes this Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-2300.html |