Bug 1251991 - SELinux is preventing Chromium from using the setcap access on a process
Summary: SELinux is preventing Chromium from using the setcap access on a process
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.8
Hardware: All
OS: Linux
high
high
Target Milestone: rc
: 6.8
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 1258392
TreeView+ depends on / blocked
 
Reported: 2015-08-10 13:11 UTC by Tomas Popela
Modified: 2016-05-10 20:00 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1258392 (view as bug list)
Environment:
Last Closed: 2016-05-10 20:00:54 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:0763 0 normal SHIPPED_LIVE selinux-policy bug fix update 2016-05-10 22:33:46 UTC

Description Tomas Popela 2015-08-10 13:11:18 UTC
Description of problem:

The current beta version of Chromium (self build 45.0.2454.x) fails to load anything on up to date RHEL 6 as it wants to use setcap inside its SUID sandbox (to drop capabilities on a newly forked process). The change was introduced with [0] as a part of changes [1] that will result in deep separation of various browser components. Previously failure of setcap was not fatal, but with [2] the situation changed and now the process will crash and the sandbox initialization will fail.

[0] - https://codereview.chromium.org/1158793003
[1] - https://code.google.com/p/chromium/issues/detail?id=460972
[2] - https://codereview.chromium.org/download/issue1158793003_60001_70004.diff


SELinux is preventing /opt/chromium-browser-beta/chromium-browser-beta from using the setcap access on a process.


*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that chromium-browser-beta should be allowed setcap access on processes labeled chrome_sandbox_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep chromium-browse /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
                              0.c1023
Target Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
                              0.c1023
Target Objects                 [ process ]
Source                        chromium-browse
Source Path                   /opt/chromium-browser-beta/chromium-browser-beta
Port                          <Unknown>
Host                          rhel6.4-2
Source RPM Packages           chromium-browser-beta-45.0.2454.26-1.el6.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-279.el6.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     rhel6.4-2
Platform                      Linux rhel6.4-2 2.6.32-573.1.1.el6.x86_64 #1 SMP
                              Tue Jul 14 02:46:51 EDT 2015 x86_64 x86_64
Alert Count                   6
First Seen                    Mon 10 Aug 2015 12:13:02 PM CEST
Last Seen                     Mon 10 Aug 2015 12:29:14 PM CEST
Local ID                      c8fe0c27-7823-4003-8c62-47f6917c9dcf

Raw Audit Messages
type=AVC msg=audit(1439202554.586:15): avc:  denied  { setcap } for  pid=3296 comm="chromium-browse" scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tclass=process


type=SYSCALL msg=audit(1439202554.586:15): arch=x86_64 syscall=capset success=no exit=EACCES a0=7ffeff9b6ca0 a1=7ffeff9b6cb0 a2=7fa262c4a2a0 a3=7fa265ad3960 items=0 ppid=3 pid=3296 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=chromium-browse exe=/opt/chromium-browser-beta/chromium-browser-beta subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Hash: chromium-browse,chrome_sandbox_t,chrome_sandbox_t,process,setcap

audit2allow

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t self:process setcap;

audit2allow -R

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t self:process setcap;

Comment 8 errata-xmlrpc 2016-05-10 20:00:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0763.html


Note You need to log in before you can comment on or make changes to this bug.