chrome_sandbox_selinux(8)

1chrome_sandbox_selinux(8)SELinux Policy chrome_sandboxchrome_sandbox_selinux(8)
2
3
4

NAME

6       chrome_sandbox_selinux   -  Security  Enhanced  Linux  Policy  for  the
7       chrome_sandbox processes
8

DESCRIPTION

10       Security-Enhanced Linux secures the chrome_sandbox processes via flexi‐
11       ble mandatory access control.
12
13       The  chrome_sandbox processes execute with the chrome_sandbox_t SELinux
14       type. You can check if you have these processes  running  by  executing
15       the ps command with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep chrome_sandbox_t
20
21
22

ENTRYPOINTS

24       The  chrome_sandbox_t  SELinux type can be entered via the chrome_sand‐
25       box_exec_t file type.
26
27       The default entrypoint paths for the chrome_sandbox_t  domain  are  the
28       following:
29
30       /opt/google/chrome[^/]*/chrome-sandbox,              /usr/lib/chromium-
31       browser/chrome-sandbox
32

PROCESS TYPES

34       SELinux defines process types (domains) for each process running on the
35       system
36
37       You can see the context of a process using the -Z option to ps
38
39       Policy  governs  the  access confined processes have to files.  SELinux
40       chrome_sandbox policy is very flexible allowing users  to  setup  their
41       chrome_sandbox processes in as secure a method as possible.
42
43       The following process types are defined for chrome_sandbox:
44
45       chrome_sandbox_t, chrome_sandbox_nacl_t
46
47       Note:  semanage  permissive -a chrome_sandbox_t can be used to make the
48       process type chrome_sandbox_t permissive. SELinux does not deny  access
49       to permissive process types, but the AVC (SELinux denials) messages are
50       still generated.
51
52

BOOLEANS

54       SELinux  policy  is  customizable  based  on  least  access   required.
55       chrome_sandbox  policy  is  extremely flexible and has several booleans
56       that allow you to manipulate the policy and run chrome_sandbox with the
57       tightest access possible.
58
59
60
61       If  you  want  to deny any process from ptracing or debugging any other
62       processes, you  must  turn  on  the  deny_ptrace  boolean.  Enabled  by
63       default.
64
65       setsebool -P deny_ptrace 1
66
67
68
69       If  you  want  to  allow  any  process  to mmap any file on system with
70       attribute file_type, you must turn on the  domain_can_mmap_files  bool‐
71       ean. Enabled by default.
72
73       setsebool -P domain_can_mmap_files 1
74
75
76
77       If  you want to allow all domains write to kmsg_device, while kernel is
78       executed with systemd.log_target=kmsg parameter, you must turn  on  the
79       domain_can_write_kmsg boolean. Disabled by default.
80
81       setsebool -P domain_can_write_kmsg 1
82
83
84
85       If you want to allow all domains to use other domains file descriptors,
86       you must turn on the domain_fd_use boolean. Enabled by default.
87
88       setsebool -P domain_fd_use 1
89
90
91
92       If you want to allow all domains to have the kernel load  modules,  you
93       must  turn  on  the  domain_kernel_load_modules  boolean.  Disabled  by
94       default.
95
96       setsebool -P domain_kernel_load_modules 1
97
98
99
100       If you want to allow all domains to execute in fips_mode, you must turn
101       on the fips_mode boolean. Enabled by default.
102
103       setsebool -P fips_mode 1
104
105
106
107       If you want to enable reading of urandom for all domains, you must turn
108       on the global_ssp boolean. Disabled by default.
109
110       setsebool -P global_ssp 1
111
112
113
114       If you want to allow confined applications to use nscd  shared  memory,
115       you must turn on the nscd_use_shm boolean. Disabled by default.
116
117       setsebool -P nscd_use_shm 1
118
119
120
121       If  you  want to allow regular users direct dri device access, you must
122       turn on the selinuxuser_direct_dri_enabled boolean. Enabled by default.
123
124       setsebool -P selinuxuser_direct_dri_enabled 1
125
126
127
128       If you want to allow unconfined users to transition to the chrome sand‐
129       box  domains  when  running chrome-sandbox, you must turn on the uncon‐
130       fined_chrome_sandbox_transition boolean. Enabled by default.
131
132       setsebool -P unconfined_chrome_sandbox_transition 1
133
134
135
136       If you want to support ecryptfs home directories, you must turn on  the
137       use_ecryptfs_home_dirs boolean. Disabled by default.
138
139       setsebool -P use_ecryptfs_home_dirs 1
140
141
142
143       If  you  want  to support fusefs home directories, you must turn on the
144       use_fusefs_home_dirs boolean. Disabled by default.
145
146       setsebool -P use_fusefs_home_dirs 1
147
148
149
150       If you want to support NFS home  directories,  you  must  turn  on  the
151       use_nfs_home_dirs boolean. Disabled by default.
152
153       setsebool -P use_nfs_home_dirs 1
154
155
156
157       If  you  want  to  support SAMBA home directories, you must turn on the
158       use_samba_home_dirs boolean. Disabled by default.
159
160       setsebool -P use_samba_home_dirs 1
161
162
163
164       If you want to allows clients to write to the X  server  shared  memory
165       segments, you must turn on the xserver_clients_write_xshm boolean. Dis‐
166       abled by default.
167
168       setsebool -P xserver_clients_write_xshm 1
169
170
171
172       If you want to support X userspace object manager, you must turn on the
173       xserver_object_manager boolean. Enabled by default.
174
175       setsebool -P xserver_object_manager 1
176
177
178

MANAGED FILES

180       The SELinux process type chrome_sandbox_t can manage files labeled with
181       the following file types.  The paths listed are the default  paths  for
182       these  file  types.  Note the processes UID still need to have DAC per‐
183       missions.
184
185       cgroup_t
186
187            /sys/fs/cgroup
188
189       chrome_sandbox_home_t
190
191            /home/[^/]+/.cache/chromium(/.*)?
192            /home/[^/]+/.cache/google-chrome(/.*)?
193            /home/[^/]+/.cache/google-chrome-unstable(/.*)?
194
195       chrome_sandbox_tmp_t
196
197
198       chrome_sandbox_tmpfs_t
199
200
201       home_cert_t
202
203            /root/.pki(/.*)?
204            /root/.cert(/.*)?
205            /home/[^/]+/.pki(/.*)?
206            /home/[^/]+/.cert(/.*)?
207            /home/[^/]+/.local/share/networkmanagement/certificates(/.*)?
208            /home/[^/]+/.kde/share/apps/networkmanagement/certificates(/.*)?
209
210       mozilla_home_t
211
212            /home/[^/]+/.lyx(/.*)?
213            /home/[^/]+/.java(/.*)?
214            /home/[^/]+/.adobe(/.*)?
215            /home/[^/]+/.gnash(/.*)?
216            /home/[^/]+/.webex(/.*)?
217            /home/[^/]+/.galeon(/.*)?
218            /home/[^/]+/.spicec(/.*)?
219            /home/[^/]+/.IBMERS(/.*)?
220            /home/[^/]+/POkemon.*(/.*)?
221            /home/[^/]+/.mozilla(/.*)?
222            /home/[^/]+/.phoenix(/.*)?
223            /home/[^/]+/.icedtea(/.*)?
224            /home/[^/]+/.netscape(/.*)?
225            /home/[^/]+/.quakelive(/.*)?
226            /home/[^/]+/.ICAClient(/.*)?
227            /home/[^/]+/.macromedia(/.*)?
228            /home/[^/]+/.thunderbird(/.*)?
229            /home/[^/]+/.gcjwebplugin(/.*)?
230            /home/[^/]+/.grl-podcasts(/.*)?
231            /home/[^/]+/.cache/mozilla(/.*)?
232            /home/[^/]+/.icedteaplugin(/.*)?
233            /home/[^/]+/zimbrauserdata(/.*)?
234            /home/[^/]+/.config/chromium(/.*)?
235            /home/[^/]+/.juniper_networks(/.*)?
236            /home/[^/]+/.cache/icedtea-web(/.*)?
237            /home/[^/]+/abc
238            /home/[^/]+/mozilla.pdf
239            /home/[^/]+/.gnashpluginrc
240
241       user_fonts_cache_t
242
243            /root/.fontconfig(/.*)?
244            /root/.fonts/auto(/.*)?
245            /root/.fonts.cache-.*
246            /home/[^/]+/.fontconfig(/.*)?
247            /home/[^/]+/.fonts/auto(/.*)?
248            /home/[^/]+/.fonts.cache-.*
249
250       user_tmp_t
251
252            /dev/shm/mono.*
253            /var/run/user(/.*)?
254            /tmp/.X11-unix(/.*)?
255            /tmp/.ICE-unix(/.*)?
256            /dev/shm/pulse-shm.*
257            /tmp/.X0-lock
258            /tmp/hsperfdata_root
259            /var/tmp/hsperfdata_root
260            /home/[^/]+/tmp
261            /home/[^/]+/.tmp
262            /tmp/gconfd-[^/]+
263
264       xserver_tmpfs_t
265
266
267

FILE CONTEXTS

269       SELinux requires files to have an extended attribute to define the file
270       type.
271
272       You can see the context of a file using the -Z option to ls
273
274       Policy  governs  the  access  confined  processes  have to these files.
275       SELinux chrome_sandbox policy is very flexible allowing users to  setup
276       their chrome_sandbox processes in as secure a method as possible.
277
278       STANDARD FILE CONTEXT
279
280       SELinux  defines  the file context types for the chrome_sandbox, if you
281       wanted to store files with these types in a diffent paths, you need  to
282       execute  the  semanage  command to sepecify alternate labeling and then
283       use restorecon to put the labels on disk.
284
285       semanage fcontext  -a  -t  chrome_sandbox_tmpfs_t  '/srv/mychrome_sand‐
286       box_content(/.*)?'
287       restorecon -R -v /srv/mychrome_sandbox_content
288
289       Note:  SELinux  often  uses  regular expressions to specify labels that
290       match multiple files.
291
292       The following file types are defined for chrome_sandbox:
293
294
295
296       chrome_sandbox_exec_t
297
298       - Set files with the chrome_sandbox_exec_t type, if you want to transi‐
299       tion an executable to the chrome_sandbox_t domain.
300
301
302       Paths:
303            /opt/google/chrome[^/]*/chrome-sandbox,         /usr/lib/chromium-
304            browser/chrome-sandbox
305
306
307       chrome_sandbox_home_t
308
309       - Set files with the chrome_sandbox_home_t type, if you want  to  store
310       chrome sandbox files in the users home directory.
311
312
313       Paths:
314            /home/[^/]+/.cache/chromium(/.*)?,      /home/[^/]+/.cache/google-
315            chrome(/.*)?, /home/[^/]+/.cache/google-chrome-unstable(/.*)?
316
317
318       chrome_sandbox_nacl_exec_t
319
320       - Set files with the chrome_sandbox_nacl_exec_t type, if  you  want  to
321       transition an executable to the chrome_sandbox_nacl_t domain.
322
323
324       Paths:
325            /opt/google/chrome[^/]*/nacl_helper_bootstrap,
326            /opt/google/chrome/nacl_helper_bootstrap,       /usr/lib/chromium-
327            browser/nacl_helper_bootstrap
328
329
330       chrome_sandbox_tmp_t
331
332       -  Set  files  with the chrome_sandbox_tmp_t type, if you want to store
333       chrome sandbox temporary files in the /tmp directories.
334
335
336
337       chrome_sandbox_tmpfs_t
338
339       - Set files with the chrome_sandbox_tmpfs_t type, if you want to  store
340       chrome sandbox files on a tmpfs file system.
341
342
343
344       Note:  File context can be temporarily modified with the chcon command.
345       If you want to permanently change the file context you need to use  the
346       semanage fcontext command.  This will modify the SELinux labeling data‐
347       base.  You will need to use restorecon to apply the labels.
348
349

COMMANDS

351       semanage fcontext can also be used to manipulate default  file  context
352       mappings.
353
354       semanage  permissive  can  also  be used to manipulate whether or not a
355       process type is permissive.
356
357       semanage module can also be used to enable/disable/install/remove  pol‐
358       icy modules.
359
360       semanage boolean can also be used to manipulate the booleans
361
362
363       system-config-selinux is a GUI tool available to customize SELinux pol‐
364       icy settings.
365
366

AUTHOR

368       This manual page was auto-generated using sepolicy manpage .
369
370