Description of problem:

The current beta version of Chromium (self build 45.0.2454.x) fails to load anything on up to date RHEL 6 as it wants to use setcap inside its SUID sandbox (to drop capabilities on a newly forked process). The change was introduced with [0] as a part of changes [1] that will result in deep separation of various browser components. Previously failure of setcap was not fatal, but with [2] the situation changed and now the process will crash and the sandbox initialization will fail.

[0] - https://codereview.chromium.org/1158793003
[1] - https://code.google.com/p/chromium/issues/detail?id=460972
[2] - https://codereview.chromium.org/download/issue1158793003_60001_70004.diff

SELinux is preventing /opt/chromium-browser-beta/chromium-browser-beta from using the setcap access on a process.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that chromium-browser-beta should be allowed setcap access on processes labeled chrome_sandbox_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep chromium-browse /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
Target Objects                 [ process ]
Source                        chromium-browse
Source Path                   /opt/chromium-browser-beta/chromium-browser-beta
Port                          <Unknown>
Host                          rhel6.4-2
Source RPM Packages           chromium-browser-beta-45.0.2454.26-1.el6.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-279.el6.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     rhel6.4-2
Platform                      Linux rhel6.4-2 2.6.32-573.1.1.el6.x86_64 #1 SMP Tue Jul 14 02:46:51 EDT 2015 x86_64 x86_64
Alert Count                   6
First Seen                    Mon 10 Aug 2015 12:13:02 PM CEST
Last Seen                     Mon 10 Aug 2015 12:29:14 PM CEST
Local ID                      c8fe0c27-7823-4003-8c62-47f6917c9dcf

Raw Audit Messages
type=AVC msg=audit(1439202554.586:15): avc: denied { setcap } for pid=3296 comm="chromium-browse" scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tclass=process

type=SYSCALL msg=audit(1439202554.586:15): arch=x86_64 syscall=capset success=no exit=EACCES a0=7ffeff9b6ca0 a1=7ffeff9b6cb0 a2=7fa262c4a2a0 a3=7fa265ad3960 items=0 ppid=3 pid=3296 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=chromium-browse exe=/opt/chromium-browser-beta/chromium-browser-beta subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Hash: chromium-browse,chrome_sandbox_t,chrome_sandbox_t,process,setcap

audit2allow

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t self:process setcap;

audit2allow -R

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t self:process setcap;
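
The following Python example is added here for illustration and is not part of the original report or of the audit2allow tool. It pairs the AVC and SYSCALL records above by their shared audit event serial and derives the type-enforcement rule that the denial implies. The sample input is constructed from the report's two audit records (SYSCALL record shortened), and the names `triage` and `se_type` are this example's own.

```python
import re

# Constructed sample: the report's two audit records (SYSCALL record shortened).
SAMPLE = """\
type=AVC msg=audit(1439202554.586:15): avc: denied { setcap } for pid=3296 comm="chromium-browse" scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1439202554.586:15): arch=x86_64 syscall=capset success=no exit=EACCES ppid=3 pid=3296 comm=chromium-browse exe=/opt/chromium-browser-beta/chromium-browser-beta
"""

HEADER = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):")
AVC = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")

def se_type(context):
    # SELinux context is user:role:type:level, so the type is the third field.
    return context.split(":")[2]

def triage(log_text):
    """Group audit records by event serial and return one finding per AVC denial."""
    events = {}
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            events.setdefault(m.group(3), {})[m.group(1)] = line
    findings = []
    for serial, records in events.items():
        avc = AVC.search(records.get("AVC", ""))
        if not avc:
            continue
        perms, scon, tcon, tclass = avc.groups()
        source, target = se_type(scon), se_type(tcon)
        # A domain acting on its own process is written "self" in policy.
        target = "self" if source == target else target
        plist = perms.split()
        perm_str = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        sc = dict(re.findall(r"\b(syscall|exit)=(\S+)", records.get("SYSCALL", "")))
        findings.append({
            "serial": serial,
            "syscall": sc.get("syscall"),   # the call that triggered the denial
            "exit": sc.get("exit"),         # what the process saw as the result
            "rule": f"allow {source} {target}:{tclass} {perm_str};",
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```
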
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-0763.html