1chrome_sandbox_selinux(8)SELinux Policy chrome_sandboxchrome_sandbox_selinux(8)
2
3
4
6 chrome_sandbox_selinux - Security Enhanced Linux Policy for the
7 chrome_sandbox processes
8
10 Security-Enhanced Linux secures the chrome_sandbox processes via flexi‐
11 ble mandatory access control.
12
13 The chrome_sandbox processes execute with the chrome_sandbox_t SELinux
14 type. You can check if you have these processes running by executing
15 the ps command with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep chrome_sandbox_t
20
21
22
24 The chrome_sandbox_t SELinux type can be entered via the chrome_sand‐
25 box_exec_t file type.
26
27 The default entrypoint paths for the chrome_sandbox_t domain are the
28 following:
29
30 /usr/lib(64)?/chromium-browser/chrome-sandbox,
31 /opt/google/chrome/chrome-sandbox
32
34 SELinux defines process types (domains) for each process running on the
35 system
36
37 You can see the context of a process using the -Z option to ps
38
39 Policy governs the access confined processes have to files. SELinux
40 chrome_sandbox policy is very flexible allowing users to setup their
41 chrome_sandbox processes in as secure a method as possible.
42
43 The following process types are defined for chrome_sandbox:
44
45 chrome_sandbox_t, chrome_sandbox_nacl_t
46
47 Note: semanage permissive -a chrome_sandbox_t can be used to make the
48 process type chrome_sandbox_t permissive. SELinux does not deny access
49 to permissive process types, but the AVC (SELinux denials) messages are
50 still generated.
51
52
54 SELinux policy is customizable based on least access required.
55 chrome_sandbox policy is extremely flexible and has several booleans
56 that allow you to manipulate the policy and run chrome_sandbox with the
57 tightest access possible.
58
59
60
61 If you want to allow all domains to use other domains file descriptors,
62 you must turn on the allow_domain_fd_use boolean. Enabled by default.
63
64 setsebool -P allow_domain_fd_use 1
65
66
67
68 If you want to allow sysadm to debug or ptrace all processes, you must
69 turn on the allow_ptrace boolean. Disabled by default.
70
71 setsebool -P allow_ptrace 1
72
73
74
75 If you want to allows clients to write to the X server shared memory
76 segments, you must turn on the allow_write_xshm boolean. Disabled by
77 default.
78
79 setsebool -P allow_write_xshm 1
80
81
82
83 If you want to allow all domains to have the kernel load modules, you
84 must turn on the domain_kernel_load_modules boolean. Disabled by
85 default.
86
87 setsebool -P domain_kernel_load_modules 1
88
89
90
91 If you want to allow all domains to execute in fips_mode, you must turn
92 on the fips_mode boolean. Enabled by default.
93
94 setsebool -P fips_mode 1
95
96
97
98 If you want to enable reading of urandom for all domains, you must turn
99 on the global_ssp boolean. Disabled by default.
100
101 setsebool -P global_ssp 1
102
103
104
105 If you want to support fusefs home directories, you must turn on the
106 use_fusefs_home_dirs boolean. Disabled by default.
107
108 setsebool -P use_fusefs_home_dirs 1
109
110
111
112 If you want to support NFS home directories, you must turn on the
113 use_nfs_home_dirs boolean. Disabled by default.
114
115 setsebool -P use_nfs_home_dirs 1
116
117
118
119 If you want to support SAMBA home directories, you must turn on the
120 use_samba_home_dirs boolean. Disabled by default.
121
122 setsebool -P use_samba_home_dirs 1
123
124
125
126 If you want to support X userspace object manager, you must turn on the
127 xserver_object_manager boolean. Disabled by default.
128
129 setsebool -P xserver_object_manager 1
130
131
132
134 The SELinux process type chrome_sandbox_t can manage files labeled with
135 the following file types. The paths listed are the default paths for
136 these file types. Note the processes UID still need to have DAC per‐
137 missions.
138
139 cgroup_t
140
141 /cgroup(/.*)?
142
143 chrome_sandbox_tmp_t
144
145
146 chrome_sandbox_tmpfs_t
147
148
149 cifs_t
150
151
152 initrc_tmp_t
153
154
155 mnt_t
156
157 /mnt(/[^/]*)
158 /mnt(/[^/]*)?
159 /rhev(/[^/]*)?
160 /media(/[^/]*)
161 /media(/[^/]*)?
162 /etc/rhgb(/.*)?
163 /media/.hal-.*
164 /net
165 /afs
166 /rhev
167 /misc
168
169 nfs_t
170
171
172 tmp_t
173
174 /tmp
175 /usr/tmp
176 /var/tmp
177 /tmp-inst
178 /var/tmp-inst
179 /var/tmp/vi.recover
180
181 user_fonts_cache_t
182
183 /home/[^/]*/.fonts/auto(/.*)?
184 /home/[^/]*/.fontconfig(/.*)?
185 /home/[^/]*/.fonts.cache-.*
186 /home/staff/.fonts/auto(/.*)?
187 /home/staff/.fontconfig(/.*)?
188 /home/staff/.fonts.cache-.*
189
190 user_tmpfs_t
191
192 /dev/shm/mono.*
193 /dev/shm/pulse-shm.*
194
195 xserver_tmpfs_t
196
197
198
200 SELinux requires files to have an extended attribute to define the file
201 type.
202
203 You can see the context of a file using the -Z option to ls
204
205 Policy governs the access confined processes have to these files.
206 SELinux chrome_sandbox policy is very flexible allowing users to setup
207 their chrome_sandbox processes in as secure a method as possible.
208
209 STANDARD FILE CONTEXT
210
211 SELinux defines the file context types for the chrome_sandbox, if you
212 wanted to store files with these types in a diffent paths, you need to
213 execute the semanage command to sepecify alternate labeling and then
214 use restorecon to put the labels on disk.
215
216 semanage fcontext -a -t chrome_sandbox_tmpfs_t '/srv/mychrome_sand‐
217 box_content(/.*)?'
218 restorecon -R -v /srv/mychrome_sandbox_content
219
220 Note: SELinux often uses regular expressions to specify labels that
221 match multiple files.
222
223 The following file types are defined for chrome_sandbox:
224
225
226
227 chrome_sandbox_exec_t
228
229 - Set files with the chrome_sandbox_exec_t type, if you want to transi‐
230 tion an executable to the chrome_sandbox_t domain.
231
232
233 Paths:
234 /usr/lib(64)?/chromium-browser/chrome-sandbox,
235 /opt/google/chrome/chrome-sandbox
236
237
238 chrome_sandbox_nacl_exec_t
239
240 - Set files with the chrome_sandbox_nacl_exec_t type, if you want to
241 transition an executable to the chrome_sandbox_nacl_t domain.
242
243
244 Paths:
245 /opt/google/chrome/nacl_helper_bootstrap, /usr/lib/chromium-
246 browser/nacl_helper_bootstrap
247
248
249 chrome_sandbox_tmp_t
250
251 - Set files with the chrome_sandbox_tmp_t type, if you want to store
252 chrome sandbox temporary files in the /tmp directories.
253
254
255
256 chrome_sandbox_tmpfs_t
257
258 - Set files with the chrome_sandbox_tmpfs_t type, if you want to store
259 chrome sandbox files on a tmpfs file system.
260
261
262
263 Note: File context can be temporarily modified with the chcon command.
264 If you want to permanently change the file context you need to use the
265 semanage fcontext command. This will modify the SELinux labeling data‐
266 base. You will need to use restorecon to apply the labels.
267
268
270 semanage fcontext can also be used to manipulate default file context
271 mappings.
272
273 semanage permissive can also be used to manipulate whether or not a
274 process type is permissive.
275
276 semanage module can also be used to enable/disable/install/remove pol‐
277 icy modules.
278
279 semanage boolean can also be used to manipulate the booleans
280
281
282 system-config-selinux is a GUI tool available to customize SELinux pol‐
283 icy settings.
284
285
287 This manual page was auto-generated using sepolicy manpage .
288
289
291 selinux(8), chrome_sandbox(8), semanage(8), restorecon(8), chcon(1) ,
292 setsebool(8), chrome_sandbox_nacl_selinux(8), chrome_sand‐
293 box_nacl_selinux(8)
294
295
296
297chrome_sandbox 15-06-03 chrome_sandbox_selinux(8)