Posts for the month of September 2015

Chrome on CentOS 7

So my Google Chrome on my CentOS 7 box updated, and SELinux doesn't like it.

There's an official bug for it - https://bugzilla.redhat.com/show_bug.cgi?id=1251996 - but I don't know when that will propagate down.

Until then, here's what I did, with some plaintext showing what was happening:

$ sudo grep chrome /var/log/audit/audit.log | grep setcap | audit2allow
#============= chrome_sandbox_t ==============

#!!!! This avc is allowed in the current policy
allow chrome_sandbox_t self:process setcap;

$ sudo grep chrome /var/log/audit/audit.log | grep setcap | audit2allow -M chrome.pol
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i chrome.pol.pp

$ cat chrome.pol.te

module chrome.pol 1.0;

require {
        type chrome_sandbox_t;
        class process setcap;
}

#============= chrome_sandbox_t ==============

#!!!! This avc is allowed in the current policy
allow chrome_sandbox_t self:process setcap;

$ sudo semodule -i chrome.pol.pp
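
How an AVC denial record maps to the allow rule shown above, and a check that the filtered log yields only that rule before a module is built from it. This is an added example, not part of the original post or of audit2allow itself. The audit records, the type example_file_t and the function names are constructed for illustration, and the derivation is simplified (no policy lookup, no permission sorting).

```shell
#!/bin/sh
# Constructed sample records; they are not taken from the post's audit.log.
SAMPLE_AUDIT='type=AVC msg=audit(1442000000.101:501): avc:  denied  { setcap } for  pid=4242 comm="chrome-sandbox" scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1442000005.102:502): avc:  denied  { setcap } for  pid=4250 comm="chrome-sandbox" scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1442000009.103:503): avc:  denied  { read open } for  pid=4300 comm="chrome" name="example" scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0 tcontext=system_u:object_r:example_file_t:s0 tclass=file
type=SYSCALL msg=audit(1442000000.101:501): arch=c000003e syscall=126 success=no comm="chrome-sandbox"'

# Read audit records on stdin, print one de-duplicated allow rule per denial.
avc_to_allow() {
    awk '
    $1 == "type=AVC" && / denied / {
        src = tgt = cls = perms = ""; n = 0; inperm = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm) { perms = (n ? perms " " : "") $i; n++; continue }
            # A context is user:role:type:level; the rule uses only the type.
            if ($i ~ /^scontext=/) { split($i, c, ":"); src = c[3] }
            if ($i ~ /^tcontext=/) { split($i, c, ":"); tgt = c[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "" || n == 0) next
        if (tgt == src) tgt = "self"      # same source and target type
        if (n > 1) perms = "{ " perms " }"
        rule = "allow " src " " tgt ":" cls " " perms ";"
        if (!(rule in seen)) { seen[rule] = 1; print rule }
    }'
}

# The one rule the post intends to allow.
EXPECTED='allow chrome_sandbox_t self:process setcap;'

# Print any derived rule other than EXPECTED; exit status 0 means extras exist.
unexpected_rules() {
    avc_to_allow | grep -Fvx "$EXPECTED"
}

# Same filtering as the post: only chrome records that mention setcap.
printf '%s\n' "$SAMPLE_AUDIT" | grep chrome | grep setcap | avc_to_allow
```

Without the `grep setcap` stage, the constructed log would also produce a file read rule, which is why the generated chrome.pol.te is worth reading before `semodule -i`.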