Bug 1251996 - SELinux is preventing Google Chrome from using the setcap access on a process
Summary: SELinux is preventing Google Chrome from using the setcap access on a process
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.1
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: Lukas Vrabec
QA Contact: Milos Malik
Depends On:
Blocks: 1254565
Reported: 2015-08-10 13:14 UTC by Tomas Popela
Modified: 2015-11-19 10:43 UTC (History)

Fixed In Version: selinux-policy-3.13.1-43.el7
Doc Type: Bug Fix
Doc Text:
Previously, SELinux prevented /opt/google/chrome-beta/chrome, running in the chrome_sandbox_t domain, from using the setcap permission on its own process. As a consequence, the Google Chrome process terminated unexpectedly and the sandbox initialization failed. This update adds an SELinux policy rule that allows chrome_sandbox_t to use setcap on itself, and Google Chrome no longer crashes in the described scenario.
Clone Of:
Last Closed: 2015-11-19 10:43:17 UTC
Target Upstream Version:


Errata: Red Hat Product Errata RHBA-2015:2300 (priority normal, status SHIPPED_LIVE), "selinux-policy bug fix update", last updated 2015-11-19 09:55:26 UTC

Description Tomas Popela 2015-08-10 13:14:23 UTC
Description of problem:

The current beta version of Google Chrome (45.0.2454.x from the official repo) fails to load anything on an up-to-date RHEL 7, as it wants to use setcap inside its SUID sandbox (to drop capabilities on a newly forked process). The change was introduced with [0] as a part of the changes in [1] that will result in deep separation of various browser components. Previously, failure of setcap was not fatal, but with [2] the situation changed, and now the process crashes and the sandbox initialization fails.

[0] - https://codereview.chromium.org/1158793003
[1] - https://code.google.com/p/chromium/issues/detail?id=460972
[2] - https://codereview.chromium.org/download/issue1158793003_60001_70004.diff

SELinux is preventing /opt/google/chrome-beta/chrome from using the setcap access on a process.

*****  Plugin chrome (98.5 confidence) suggests   ****************************

If you want to use the plugin package
Then you must turn off SELinux controls on the Chrome plugins.
# setsebool -P unconfined_chrome_sandbox_transition 0

*****  Plugin catchall (2.46 confidence) suggests   **************************

If you believe that chrome should be allowed setcap access on processes labeled chrome_sandbox_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# grep chrome /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
Target Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c
Target Objects                Unknown [ process ]
Source                        chrome
Source Path                   /opt/google/chrome-beta/chrome
Port                          <Unknown>
Host                          rhel7.0
Source RPM Packages           google-chrome-beta-45.0.2454.26-1.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-23.el7_1.13.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     rhel7.0
Platform                      Linux rhel7.0 3.10.0-229.11.1.el7.x86_64 #1 SMP
                              Wed Jul 22 12:06:11 EDT 2015 x86_64 x86_64
Alert Count                   25
First Seen                    2015-08-10 14:09:02 CEST
Last Seen                     2015-08-10 14:11:24 CEST
Local ID                      ca4a2a28-46c8-4354-aa80-bd7dbe3d4d28

Raw Audit Messages
type=AVC msg=audit(1439208684.64:281): avc:  denied  { setcap } for  pid=17407 comm="chrome" scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tclass=process

type=SYSCALL msg=audit(1439208684.64:281): arch=x86_64 syscall=capset success=no exit=EACCES a0=7ffe979cd938 a1=7ffe979cd920 a2=7ffe979cd920 a3=7f09b0b22270 items=0 ppid=17246 pid=17407 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm=chrome exe=/opt/google/chrome-beta/chrome subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Hash: chrome,chrome_sandbox_t,chrome_sandbox_t,process,setcap
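
As an added illustration (not part of the report, of sealert, or of the selinux-policy package), the script below does by hand what the catchall suggestion above does with audit2allow: it parses AVC denial records and turns them into a minimal local policy module. The sample input is the AVC record from this report plus a second, constructed record ({ getsched }, hypothetical) that only serves to show permissions for the same source, target and class being merged. When the source and target types are equal, as they are here (chrome_sandbox_t on both sides), the rule is written against self, which is the shape of the fix that later shipped ("Allow chrome setcap to itself"). The module name chrome_setcap_local is an arbitrary choice. Of the two sealert suggestions, the boolean one (setsebool unconfined_chrome_sandbox_transition 0) is the coarser: it stops the transition into chrome_sandbox_t altogether, so the sandbox helper runs unconfined instead of being granted one extra permission.

```shell
#!/bin/sh
# Added example (not from the bug report or the selinux-policy package):
# build a minimal local SELinux module from AVC denial records.
set -eu

# Constructed sample input. The first record is the AVC line from this
# report; the second ({ getsched }) is hypothetical and only demonstrates
# how permissions for the same (source, target, class) are merged.
sample_avc() {
    cat <<'EOF'
type=AVC msg=audit(1439208684.64:281): avc:  denied  { setcap } for  pid=17407 comm="chrome" scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1439208684.64:282): avc:  denied  { getsched } for  pid=17407 comm="chrome" scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tclass=process
EOF
}

# avc_to_rules: AVC records on stdin -> one "allow" rule per
# (source type, target type, class) with permissions merged, sorted.
# A denial whose source and target type are equal becomes a "self" rule.
avc_to_rules() {
    awk '
    /avc: *denied/ {
        match($0, /[{][^}]*[}]/)                    # "{ perm perm }"
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perms)
        match($0, /scontext=[^ ]+/)
        split(substr($0, RSTART + 9, RLENGTH - 9), s, ":")   # s[3] = type
        match($0, /tcontext=[^ ]+/)
        split(substr($0, RSTART + 9, RLENGTH - 9), t, ":")
        match($0, /tclass=[^ ]+/)
        cls = substr($0, RSTART + 7, RLENGTH - 7)
        tgt = (s[3] == t[3]) ? "self" : t[3]
        key = s[3] SUBSEP tgt SUBSEP cls
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++)
            if (!((key, p[i]) in seen)) { seen[key, p[i]] = 1; rules[key] = rules[key] " " p[i] }
    }
    END {
        for (k in rules) {
            split(k, f, SUBSEP)
            printf "allow %s %s:%s {%s };\n", f[1], f[2], f[3], rules[k]
        }
    }' | sort
}

# rules_to_te: allow rules on stdin -> module source (.te) including the
# require block checkmodule needs. $1 is the module name.
rules_to_te() {
    awk -v name="$1" '
    {
        split($3, tc, ":")                          # TARGET:CLASS
        types[$2] = 1
        if (tc[1] != "self") types[tc[1]] = 1
        perms = $0
        sub(/^[^{]*[{] */, "", perms)
        sub(/ *[}].*$/, "", perms)
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++)
            if (!((tc[2], p[i]) in seen)) { seen[tc[2], p[i]] = 1; classes[tc[2]] = classes[tc[2]] " " p[i] }
        body = body $0 "\n"
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", name
        for (t in types) printf "\ttype %s;\n", t
        for (c in classes) printf "\tclass %s {%s };\n", c, classes[c]
        printf "}\n\n%s", body
    }'
}

# install_module: compile and package a .te the way "audit2allow -M" does
# (checkmodule, semodule_package); skipped where the tools are absent.
install_module() {
    name=$1; te=$2
    if ! command -v checkmodule >/dev/null 2>&1; then
        echo "checkmodule not installed; skipping build of $name" >&2
        return 0
    fi
    checkmodule -M -m -o "$name.mod" "$te"
    semodule_package -o "$name.pp" -m "$name.mod"
    echo "load with: semodule -i $name.pp"
}

# policy_allows_chrome_setcap: ask the loaded policy (setools sesearch)
# whether chrome_sandbox_t may setcap on itself; yes / no / unknown.
policy_allows_chrome_setcap() {
    if ! command -v sesearch >/dev/null 2>&1; then echo unknown; return 0; fi
    if sesearch -A -s chrome_sandbox_t -t chrome_sandbox_t -c process -p setcap 2>/dev/null | grep -q allow; then
        echo yes
    else
        echo no
    fi
}

workdir=$(mktemp -d)
sample_avc | avc_to_rules
sample_avc | avc_to_rules | rules_to_te chrome_setcap_local > "$workdir/chrome_setcap_local.te"
cat "$workdir/chrome_setcap_local.te"
install_module chrome_setcap_local "$workdir/chrome_setcap_local.te"
echo "running policy allows chrome_sandbox_t setcap on self: $(policy_allows_chrome_setcap)"
```

On a RHEL 7 host the last line answers "no" with the policy in the report (selinux-policy-3.13.1-23.el7_1.13) and "yes" once selinux-policy-3.13.1-43.el7 or the local module is loaded; on a machine without setools it prints "unknown".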

Comment 2 Lukas Vrabec 2015-08-12 11:57:30 UTC
Hi Tomas, 
I suggest moving this to 7.3 in the selinux-policy package, and you could create your own SELinux custom module, where you add all the rules you need for 7.2. How? Here is a nice tutorial for that: http://lvrabec-selinux.rhcloud.com/2015/07/07/how-to-create-selinux-product-policy/

Then we add these rules from your module to our distro policy. 

Feel free to contact me about your own SELinux module. 

Thank you

Comment 3 Lukas Vrabec 2015-08-18 07:59:28 UTC
commit 4865036db550a75083d19d2d60e31f09c3613c89
Author: Lukas Vrabec <lvrabec>
Date:   Tue Aug 18 09:57:50 2015 +0200

    Allow chrome setcap to itself.
    Resolves: #1251996

Comment 7 Deepankar De 2015-10-12 21:44:29 UTC
Here is a fix that worked for me. http://www.revragnarok.com/blog/blog/ChromeC7

Comment 8 I.Cekusins 2015-10-21 12:44:21 UTC
The selinux-policy package fixes this.

Comment 10 errata-xmlrpc 2015-11-19 10:43:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

