chrome_sandbox_selinux(8)    SELinux Policy chrome_sandbox    chrome_sandbox_selinux(8)

NAME

       chrome_sandbox_selinux - Security Enhanced Linux Policy for the
       chrome_sandbox processes

DESCRIPTION

       Security-Enhanced Linux secures the chrome_sandbox processes via
       flexible mandatory access control.

       The chrome_sandbox processes execute with the chrome_sandbox_t SELinux
       type. You can check if you have these processes running by executing
       the ps command with the -Z qualifier.

       For example:

       ps -eZ | grep chrome_sandbox_t

ENTRYPOINTS

       The chrome_sandbox_t SELinux type can be entered via the
       chrome_sandbox_exec_t file type.

       The default entrypoint paths for the chrome_sandbox_t domain are the
       following:

       /opt/google/chrome[^/]*/chrome-sandbox,
       /usr/lib/chromium-browser/chrome-sandbox

PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       chrome_sandbox policy is very flexible, allowing users to set up their
       chrome_sandbox processes in as secure a method as possible.

       The following process types are defined for chrome_sandbox:

       chrome_sandbox_t, chrome_sandbox_nacl_t

       Note: semanage permissive -a chrome_sandbox_t can be used to make the
       process type chrome_sandbox_t permissive. SELinux does not deny access
       to permissive process types, but the AVC (SELinux denials) messages are
       still generated.

BOOLEANS

       SELinux policy is customizable based on least access required.
       chrome_sandbox policy is extremely flexible and has several booleans
       that allow you to manipulate the policy and run chrome_sandbox with the
       tightest access possible.

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Disabled by default.

       setsebool -P nscd_use_shm 1

       If you want to allow regular users direct dri device access, you must
       turn on the selinuxuser_direct_dri_enabled boolean. Disabled by
       default.

       setsebool -P selinuxuser_direct_dri_enabled 1

       If you want to allow unconfined users to transition to the chrome
       sandbox domains when running chrome-sandbox, you must turn on the
       unconfined_chrome_sandbox_transition boolean. Disabled by default.

       setsebool -P unconfined_chrome_sandbox_transition 1

       If you want to support ecryptfs home directories, you must turn on the
       use_ecryptfs_home_dirs boolean. Disabled by default.

       setsebool -P use_ecryptfs_home_dirs 1

       If you want to support fusefs home directories, you must turn on the
       use_fusefs_home_dirs boolean. Disabled by default.

       setsebool -P use_fusefs_home_dirs 1

       If you want to support NFS home directories, you must turn on the
       use_nfs_home_dirs boolean. Enabled by default.

       setsebool -P use_nfs_home_dirs 1

       If you want to support SAMBA home directories, you must turn on the
       use_samba_home_dirs boolean. Disabled by default.

       setsebool -P use_samba_home_dirs 1

       If you want to allow clients to write to the X server shared memory
       segments, you must turn on the xserver_clients_write_xshm boolean.
       Disabled by default.

       setsebool -P xserver_clients_write_xshm 1
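
       An added example, not part of the generated man page: a POSIX shell
       function that compares getsebool -a output with the defaults stated in
       this section and reports every boolean that differs. The names
       boolean_drift, PAGE_DEFAULTS and SAMPLE_GETSEBOOL are introduced here,
       and the sample output is constructed.

```shell
#!/bin/sh
# Added example (not from the man page): report booleans whose current
# state differs from the default stated in the BOOLEANS section.

# name:default pairs, copied from this page.
PAGE_DEFAULTS='fips_mode:on
nscd_use_shm:off
selinuxuser_direct_dri_enabled:off
unconfined_chrome_sandbox_transition:off
use_ecryptfs_home_dirs:off
use_fusefs_home_dirs:off
use_nfs_home_dirs:on
use_samba_home_dirs:off
xserver_clients_write_xshm:off'

# Constructed sample in the "name --> state" format printed by getsebool -a.
SAMPLE_GETSEBOOL='fips_mode --> on
httpd_can_network_connect --> off
nscd_use_shm --> on
selinuxuser_direct_dri_enabled --> off
unconfined_chrome_sandbox_transition --> off
use_ecryptfs_home_dirs --> off
use_fusefs_home_dirs --> off
use_nfs_home_dirs --> off
use_samba_home_dirs --> off
xserver_clients_write_xshm --> on'

# boolean_drift: reads getsebool -a output on stdin and prints one line per
# listed boolean that is absent from the input or differs from its default.
boolean_drift() {
    input=$(cat)
    printf '%s\n' "$PAGE_DEFAULTS" | while IFS=: read -r name default; do
        state=$(printf '%s\n' "$input" |
            awk -v n="$name" '$1 == n && $2 == "-->" { print $3; exit }')
        if [ -z "$state" ]; then
            echo "$name missing default=$default"
        elif [ "$state" != "$default" ]; then
            echo "$name drift current=$state default=$default"
        fi
    done
}

# On a live host: getsebool -a | boolean_drift
printf '%s\n' "$SAMPLE_GETSEBOOL" | boolean_drift
```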

MANAGED FILES

       The SELinux process type chrome_sandbox_t can manage files labeled with
       the following file types. The paths listed are the default paths for
       these file types. Note that the process's UID still needs to have DAC
       permissions.

       cgroup_t

            /sys/fs/cgroup

       chrome_sandbox_home_t

            /home/[^/]+/.cache/chromium(/.*)?
            /home/[^/]+/.config/chromium(/.*)?
            /home/[^/]+/.cache/google-chrome(/.*)?
            /home/[^/]+/.cache/google-chrome-unstable(/.*)?

       chrome_sandbox_tmp_t

       chrome_sandbox_tmpfs_t

       home_cert_t

            /root/.pki(/.*)?
            /root/.cert(/.*)?
            /home/[^/]+/.pki(/.*)?
            /home/[^/]+/.cert(/.*)?
            /home/[^/]+/.local/share/networkmanagement/certificates(/.*)?
            /home/[^/]+/.kde/share/apps/networkmanagement/certificates(/.*)?

       mozilla_home_t

            /home/[^/]+/.lyx(/.*)?
            /home/[^/]+/.java(/.*)?
            /home/[^/]+/.adobe(/.*)?
            /home/[^/]+/.gnash(/.*)?
            /home/[^/]+/.webex(/.*)?
            /home/[^/]+/.IBMERS(/.*)?
            /home/[^/]+/.galeon(/.*)?
            /home/[^/]+/.spicec(/.*)?
            /home/[^/]+/POkemon.*(/.*)?
            /home/[^/]+/.icedtea(/.*)?
            /home/[^/]+/.mozilla(/.*)?
            /home/[^/]+/.phoenix(/.*)?
            /home/[^/]+/.netscape(/.*)?
            /home/[^/]+/.ICAClient(/.*)?
            /home/[^/]+/.quakelive(/.*)?
            /home/[^/]+/.macromedia(/.*)?
            /home/[^/]+/.thunderbird(/.*)?
            /home/[^/]+/.gcjwebplugin(/.*)?
            /home/[^/]+/.grl-podcasts(/.*)?
            /home/[^/]+/.cache/mozilla(/.*)?
            /home/[^/]+/.icedteaplugin(/.*)?
            /home/[^/]+/zimbrauserdata(/.*)?
            /home/[^/]+/.juniper_networks(/.*)?
            /home/[^/]+/.cache/icedtea-web(/.*)?
            /home/[^/]+/abc
            /home/[^/]+/mozilla.pdf
            /home/[^/]+/.gnashpluginrc

       user_fonts_cache_t

            /root/.fontconfig(/.*)?
            /root/.fonts/auto(/.*)?
            /root/.fonts.cache-.*
            /root/.cache/fontconfig(/.*)?
            /home/[^/]+/.fontconfig(/.*)?
            /home/[^/]+/.fonts/auto(/.*)?
            /home/[^/]+/.fonts.cache-.*
            /home/[^/]+/.cache/fontconfig(/.*)?

       user_tmp_t

            /dev/shm/mono.*
            /var/run/user(/.*)?
            /tmp/.ICE-unix(/.*)?
            /tmp/.X11-unix(/.*)?
            /dev/shm/pulse-shm.*
            /tmp/.X0-lock
            /tmp/hsperfdata_root
            /var/tmp/hsperfdata_root
            /home/[^/]+/tmp
            /home/[^/]+/.tmp
            /tmp/gconfd-[^/]+

       xserver_tmpfs_t

FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux chrome_sandbox policy is very flexible, allowing users to set up
       their chrome_sandbox processes in as secure a method as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for chrome_sandbox. If you want
       to store files with these types in different paths, you need to execute
       the semanage command to specify alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t chrome_sandbox_home_t '/srv/mychrome_sandbox_content(/.*)?'
       restorecon -R -v /srv/mychrome_sandbox_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

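       An added example, not part of the generated man page: a POSIX shell
       check of which paths the chrome_sandbox_home_t patterns on this page
       cover, including the custom /srv pattern from the semanage command
       above. The function names and the sample paths (user "alice") are
       constructed here; patterns are copied as printed on this page.

```shell
#!/bin/sh
# Added example (not from the man page): test which paths the
# chrome_sandbox_home_t patterns listed on this page would cover.

# Default patterns as printed on this page, plus the custom /srv
# pattern from the semanage fcontext example.
HOME_T_PATTERNS='/home/[^/]+/.cache/chromium(/.*)?
/home/[^/]+/.config/chromium(/.*)?
/home/[^/]+/.cache/google-chrome(/.*)?
/home/[^/]+/.cache/google-chrome-unstable(/.*)?
/srv/mychrome_sandbox_content(/.*)?'

# Constructed sample paths (user "alice" is hypothetical).
SAMPLE_PATHS='/home/alice/.cache/chromium
/home/alice/.cache/chromium/Default/Cache/index
/home/alice/.config/google-chrome/Default
/home/alice/shared/.cache/chromium
/srv/mychrome_sandbox_content/profile
/srv/mychrome_sandbox_content_old/profile'

# covered_by_home_t PATH: exit 0 if PATH matches one of the patterns.
# A file-context regex must match the whole path; grep -x enforces that.
covered_by_home_t() {
    printf '%s\n' "$1" | grep -Eqx -e "$HOME_T_PATTERNS"
}

# classify_paths: read paths on stdin, print "<verdict> <path>" per line.
classify_paths() {
    while IFS= read -r p; do
        if covered_by_home_t "$p"; then
            echo "match    $p"
        else
            echo "no-match $p"
        fi
    done
}

printf '%s\n' "$SAMPLE_PATHS" | classify_paths
```

       The three non-matching samples show that [^/]+ spans exactly one path
       component, that (/.*)? does not extend to sibling directories sharing
       a prefix, and that .config/google-chrome is not among the listed
       default paths.
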
       The following file types are defined for chrome_sandbox:

       chrome_sandbox_exec_t

       - Set files with the chrome_sandbox_exec_t type, if you want to
       transition an executable to the chrome_sandbox_t domain.

       Paths:
            /opt/google/chrome[^/]*/chrome-sandbox,
            /usr/lib/chromium-browser/chrome-sandbox

       chrome_sandbox_home_t

       - Set files with the chrome_sandbox_home_t type, if you want to store
       chrome sandbox files in the user's home directory.

       Paths:
            /home/[^/]+/.cache/chromium(/.*)?,
            /home/[^/]+/.config/chromium(/.*)?,
            /home/[^/]+/.cache/google-chrome(/.*)?,
            /home/[^/]+/.cache/google-chrome-unstable(/.*)?

       chrome_sandbox_nacl_exec_t

       - Set files with the chrome_sandbox_nacl_exec_t type, if you want to
       transition an executable to the chrome_sandbox_nacl_t domain.

       Paths:
            /opt/google/chrome[^/]*/nacl_helper_bootstrap,
            /opt/google/chrome/nacl_helper_bootstrap,
            /usr/lib/chromium-browser/nacl_helper_bootstrap

       chrome_sandbox_tmp_t

       - Set files with the chrome_sandbox_tmp_t type, if you want to store
       chrome sandbox temporary files in the /tmp directories.

       chrome_sandbox_tmpfs_t

       - Set files with the chrome_sandbox_tmpfs_t type, if you want to store
       chrome sandbox files on a tmpfs file system.

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR

       This manual page was auto-generated using sepolicy manpage.

SEE ALSO

       selinux(8), chrome_sandbox(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), chrome_sandbox_nacl_selinux(8)

chrome_sandbox                     19-12-02          chrome_sandbox_selinux(8)