Description of problem:

The current beta version of Chromium (self build 45.0.2454.x) fails to load anything on up to date RHEL 6 as it wants to use setcap inside its SUID sandbox (to drop capabilities on a newly forked process). The change was introduced with [0] as a part of changes [1] that will result in deep separation of various browser components. Previously failure of setcap was not fatal, but with [2] the situation changed and now the process will crash and the sandbox initialization will fail.

[0] - https://codereview.chromium.org/1158793003
[1] - https://code.google.com/p/chromium/issues/detail?id=460972
[2] - https://codereview.chromium.org/download/issue1158793003_60001_70004.diff


SELinux is preventing /opt/chromium-browser-beta/chromium-browser-beta from using the setcap access on a process.


*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that chromium-browser-beta should be allowed setcap access on processes labeled chrome_sandbox_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep chromium-browse /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
                              0.c1023
Target Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
                              0.c1023
Target Objects                 [ process ]
Source                        chromium-browse
Source Path                   /opt/chromium-browser-beta/chromium-browser-beta
Port                          <Unknown>
Host                          rhel6.4-2
Source RPM Packages           chromium-browser-beta-45.0.2454.26-1.el6.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-279.el6.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     rhel6.4-2
Platform                      Linux rhel6.4-2 2.6.32-573.1.1.el6.x86_64 #1 SMP
                              Tue Jul 14 02:46:51 EDT 2015 x86_64 x86_64
Alert Count                   6
First Seen                    Mon 10 Aug 2015 12:13:02 PM CEST
Last Seen                     Mon 10 Aug 2015 12:29:14 PM CEST
Local ID                      c8fe0c27-7823-4003-8c62-47f6917c9dcf

Raw Audit Messages
type=AVC msg=audit(1439202554.586:15): avc:  denied  { setcap } for  pid=3296 comm="chromium-browse" scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tclass=process


type=SYSCALL msg=audit(1439202554.586:15): arch=x86_64 syscall=capset success=no exit=EACCES a0=7ffeff9b6ca0 a1=7ffeff9b6cb0 a2=7fa262c4a2a0 a3=7fa265ad3960 items=0 ppid=3 pid=3296 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=chromium-browse exe=/opt/chromium-browser-beta/chromium-browser-beta subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Hash: chromium-browse,chrome_sandbox_t,chrome_sandbox_t,process,setcap

audit2allow

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t self:process setcap;

audit2allow -R

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t self:process setcap;