chrome_sandbox_selinux(8)

1chrome_sandbox_selinux(8)SELinux Policy chrome_sandboxchrome_sandbox_selinux(8)
2
3
4

NAME

6       chrome_sandbox_selinux   -  Security  Enhanced  Linux  Policy  for  the
7       chrome_sandbox processes
8

DESCRIPTION

10       Security-Enhanced Linux secures the chrome_sandbox processes via flexi‐
11       ble mandatory access control.
12
13       The  chrome_sandbox processes execute with the chrome_sandbox_t SELinux
14       type. You can check if you have these processes  running  by  executing
15       the ps command with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep chrome_sandbox_t
20
21
22

ENTRYPOINTS

24       The  chrome_sandbox_t  SELinux type can be entered via the chrome_sand‐
25       box_exec_t file type.
26
27       The default entrypoint paths for the chrome_sandbox_t  domain  are  the
28       following:
29
30       /opt/google/chrome[^/]*/chrome-sandbox,              /usr/lib/chromium-
31       browser/chrome-sandbox
32

PROCESS TYPES

34       SELinux defines process types (domains) for each process running on the
35       system
36
37       You can see the context of a process using the -Z option to ps
38
39       Policy  governs  the  access confined processes have to files.  SELinux
40       chrome_sandbox policy is very flexible allowing users  to  setup  their
41       chrome_sandbox processes in as secure a method as possible.
42
43       The following process types are defined for chrome_sandbox:
44
45       chrome_sandbox_t, chrome_sandbox_nacl_t
46
47       Note:  semanage  permissive -a chrome_sandbox_t can be used to make the
48       process type chrome_sandbox_t permissive. SELinux does not deny  access
49       to permissive process types, but the AVC (SELinux denials) messages are
50       still generated.
51
52

BOOLEANS

54       SELinux  policy  is  customizable  based  on  least  access   required.
55       chrome_sandbox  policy  is  extremely flexible and has several booleans
56       that allow you to manipulate the policy and run chrome_sandbox with the
57       tightest access possible.
58
59
60
61       If you want to allow all domains to execute in fips_mode, you must turn
62       on the fips_mode boolean. Enabled by default.
63
64       setsebool -P fips_mode 1
65
66
67
68       If you want to allow confined applications to use nscd  shared  memory,
69       you must turn on the nscd_use_shm boolean. Disabled by default.
70
71       setsebool -P nscd_use_shm 1
72
73
74
75       If  you  want to allow regular users direct dri device access, you must
76       turn on the selinuxuser_direct_dri_enabled boolean. Enabled by default.
77
78       setsebool -P selinuxuser_direct_dri_enabled 1
79
80
81
82       If you want to allow unconfined users to transition to the chrome sand‐
83       box  domains  when  running chrome-sandbox, you must turn on the uncon‐
84       fined_chrome_sandbox_transition boolean. Enabled by default.
85
86       setsebool -P unconfined_chrome_sandbox_transition 1
87
88
89
90       If you want to support ecryptfs home directories, you must turn on  the
91       use_ecryptfs_home_dirs boolean. Disabled by default.
92
93       setsebool -P use_ecryptfs_home_dirs 1
94
95
96
97       If  you  want  to support fusefs home directories, you must turn on the
98       use_fusefs_home_dirs boolean. Disabled by default.
99
100       setsebool -P use_fusefs_home_dirs 1
101
102
103
104       If you want to support NFS home  directories,  you  must  turn  on  the
105       use_nfs_home_dirs boolean. Disabled by default.
106
107       setsebool -P use_nfs_home_dirs 1
108
109
110
111       If  you  want  to  support SAMBA home directories, you must turn on the
112       use_samba_home_dirs boolean. Disabled by default.
113
114       setsebool -P use_samba_home_dirs 1
115
116
117
118       If you want to allows clients to write to the X  server  shared  memory
119       segments, you must turn on the xserver_clients_write_xshm boolean. Dis‐
120       abled by default.
121
122       setsebool -P xserver_clients_write_xshm 1
123
124
125

MANAGED FILES

127       The SELinux process type chrome_sandbox_t can manage files labeled with
128       the  following  file types.  The paths listed are the default paths for
129       these file types.  Note the processes UID still need to have  DAC  per‐
130       missions.
131
132       cgroup_t
133
134            /sys/fs/cgroup
135
136       chrome_sandbox_home_t
137
138            /home/[^/]+/.cache/chromium(/.*)?
139            /home/[^/]+/.config/chromium(/.*)?
140            /home/[^/]+/.cache/google-chrome(/.*)?
141            /home/[^/]+/.cache/google-chrome-unstable(/.*)?
142
143       chrome_sandbox_tmp_t
144
145
146       chrome_sandbox_tmpfs_t
147
148
149       home_cert_t
150
151            /root/.pki(/.*)?
152            /root/.cert(/.*)?
153            /home/[^/]+/.pki(/.*)?
154            /home/[^/]+/.cert(/.*)?
155            /home/[^/]+/.local/share/networkmanagement/certificates(/.*)?
156            /home/[^/]+/.kde/share/apps/networkmanagement/certificates(/.*)?
157
158       mozilla_home_t
159
160            /home/[^/]+/.lyx(/.*)?
161            /home/[^/]+/.java(/.*)?
162            /home/[^/]+/.adobe(/.*)?
163            /home/[^/]+/.gnash(/.*)?
164            /home/[^/]+/.webex(/.*)?
165            /home/[^/]+/.IBMERS(/.*)?
166            /home/[^/]+/.galeon(/.*)?
167            /home/[^/]+/.spicec(/.*)?
168            /home/[^/]+/POkemon.*(/.*)?
169            /home/[^/]+/.icedtea(/.*)?
170            /home/[^/]+/.mozilla(/.*)?
171            /home/[^/]+/.phoenix(/.*)?
172            /home/[^/]+/.netscape(/.*)?
173            /home/[^/]+/.ICAClient(/.*)?
174            /home/[^/]+/.quakelive(/.*)?
175            /home/[^/]+/.macromedia(/.*)?
176            /home/[^/]+/.thunderbird(/.*)?
177            /home/[^/]+/.gcjwebplugin(/.*)?
178            /home/[^/]+/.grl-podcasts(/.*)?
179            /home/[^/]+/.cache/mozilla(/.*)?
180            /home/[^/]+/.icedteaplugin(/.*)?
181            /home/[^/]+/zimbrauserdata(/.*)?
182            /home/[^/]+/.juniper_networks(/.*)?
183            /home/[^/]+/.cache/icedtea-web(/.*)?
184            /home/[^/]+/abc
185            /home/[^/]+/mozilla.pdf
186            /home/[^/]+/.gnashpluginrc
187
188       user_fonts_cache_t
189
190            /root/.fontconfig(/.*)?
191            /root/.fonts/auto(/.*)?
192            /root/.fonts.cache-.*
193            /root/.cache/fontconfig(/.*)?
194            /home/[^/]+/.fontconfig(/.*)?
195            /home/[^/]+/.fonts/auto(/.*)?
196            /home/[^/]+/.fonts.cache-.*
197            /home/[^/]+/.cache/fontconfig(/.*)?
198
199       user_tmp_t
200
201            /dev/shm/mono.*
202            /var/run/user(/.*)?
203            /tmp/.ICE-unix(/.*)?
204            /tmp/.X11-unix(/.*)?
205            /dev/shm/pulse-shm.*
206            /tmp/.X0-lock
207            /tmp/hsperfdata_root
208            /var/tmp/hsperfdata_root
209            /home/[^/]+/tmp
210            /home/[^/]+/.tmp
211            /tmp/gconfd-[^/]+
212
213       xserver_tmpfs_t
214
215
216

FILE CONTEXTS

218       SELinux requires files to have an extended attribute to define the file
219       type.
220
221       You can see the context of a file using the -Z option to ls
222
223       Policy governs the access  confined  processes  have  to  these  files.
224       SELinux  chrome_sandbox policy is very flexible allowing users to setup
225       their chrome_sandbox processes in as secure a method as possible.
226
227       STANDARD FILE CONTEXT
228
229       SELinux defines the file context types for the chrome_sandbox,  if  you
230       wanted  to store files with these types in a diffent paths, you need to
231       execute the semanage command to sepecify alternate  labeling  and  then
232       use restorecon to put the labels on disk.
233
234       semanage  fcontext  -a  -t  chrome_sandbox_home_t  '/srv/mychrome_sand‐
235       box_content(/.*)?'
236       restorecon -R -v /srv/mychrome_sandbox_content
237
238       Note: SELinux often uses regular expressions  to  specify  labels  that
239       match multiple files.
240
241       The following file types are defined for chrome_sandbox:
242
243
244
245       chrome_sandbox_exec_t
246
247       - Set files with the chrome_sandbox_exec_t type, if you want to transi‐
248       tion an executable to the chrome_sandbox_t domain.
249
250
251       Paths:
252            /opt/google/chrome[^/]*/chrome-sandbox,         /usr/lib/chromium-
253            browser/chrome-sandbox
254
255
256       chrome_sandbox_home_t
257
258       -  Set  files with the chrome_sandbox_home_t type, if you want to store
259       chrome sandbox files in the users home directory.
260
261
262       Paths:
263            /home/[^/]+/.cache/chromium(/.*)?,               /home/[^/]+/.con‐
264            fig/chromium(/.*)?,        /home/[^/]+/.cache/google-chrome(/.*)?,
265            /home/[^/]+/.cache/google-chrome-unstable(/.*)?
266
267
268       chrome_sandbox_nacl_exec_t
269
270       - Set files with the chrome_sandbox_nacl_exec_t type, if  you  want  to
271       transition an executable to the chrome_sandbox_nacl_t domain.
272
273
274       Paths:
275            /opt/google/chrome[^/]*/nacl_helper_bootstrap,
276            /opt/google/chrome/nacl_helper_bootstrap,       /usr/lib/chromium-
277            browser/nacl_helper_bootstrap
278
279
280       chrome_sandbox_tmp_t
281
282       -  Set  files  with the chrome_sandbox_tmp_t type, if you want to store
283       chrome sandbox temporary files in the /tmp directories.
284
285
286
287       chrome_sandbox_tmpfs_t
288
289       - Set files with the chrome_sandbox_tmpfs_t type, if you want to  store
290       chrome sandbox files on a tmpfs file system.
291
292
293
294       Note:  File context can be temporarily modified with the chcon command.
295       If you want to permanently change the file context you need to use  the
296       semanage fcontext command.  This will modify the SELinux labeling data‐
297       base.  You will need to use restorecon to apply the labels.
298
299

COMMANDS

301       semanage fcontext can also be used to manipulate default  file  context
302       mappings.
303
304       semanage  permissive  can  also  be used to manipulate whether or not a
305       process type is permissive.
306
307       semanage module can also be used to enable/disable/install/remove  pol‐
308       icy modules.
309
310       semanage boolean can also be used to manipulate the booleans
311
312
313       system-config-selinux is a GUI tool available to customize SELinux pol‐
314       icy settings.
315
316

AUTHOR

318       This manual page was auto-generated using sepolicy manpage .
319
320