1chrome_sandbox_selinux(8)SELinux Policy chrome_sandboxchrome_sandbox_selinux(8)
2
3
4
6 chrome_sandbox_selinux - Security Enhanced Linux Policy for the
7 chrome_sandbox processes
8
10 Security-Enhanced Linux secures the chrome_sandbox processes via flexi‐
11 ble mandatory access control.
12
13 The chrome_sandbox processes execute with the chrome_sandbox_t SELinux
14 type. You can check if you have these processes running by executing
15 the ps command with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep chrome_sandbox_t
20
21
22
24 The chrome_sandbox_t SELinux type can be entered via the chrome_sand‐
25 box_exec_t file type.
26
27 The default entrypoint paths for the chrome_sandbox_t domain are the
28 following:
29
30 /opt/google/chrome[^/]*/chrome-sandbox, /usr/lib/chromium-
31 browser/chrome-sandbox
32
34 SELinux defines process types (domains) for each process running on the
35 system
36
37 You can see the context of a process using the -Z option to ps
38
39 Policy governs the access confined processes have to files. SELinux
40 chrome_sandbox policy is very flexible allowing users to setup their
41 chrome_sandbox processes in as secure a method as possible.
42
43 The following process types are defined for chrome_sandbox:
44
45 chrome_sandbox_t, chrome_sandbox_nacl_t
46
47 Note: semanage permissive -a chrome_sandbox_t can be used to make the
48 process type chrome_sandbox_t permissive. SELinux does not deny access
49 to permissive process types, but the AVC (SELinux denials) messages are
50 still generated.
51
52
54 SELinux policy is customizable based on least access required.
55 chrome_sandbox policy is extremely flexible and has several booleans
56 that allow you to manipulate the policy and run chrome_sandbox with the
57 tightest access possible.
58
59
60
61 If you want to allow all domains to execute in fips_mode, you must turn
62 on the fips_mode boolean. Enabled by default.
63
64 setsebool -P fips_mode 1
65
66
67
68 If you want to allow confined applications to use nscd shared memory,
69 you must turn on the nscd_use_shm boolean. Enabled by default.
70
71 setsebool -P nscd_use_shm 1
72
73
74
75 If you want to allow regular users direct dri device access, you must
76 turn on the selinuxuser_direct_dri_enabled boolean. Enabled by default.
77
78 setsebool -P selinuxuser_direct_dri_enabled 1
79
80
81
82 If you want to allow unconfined users to transition to the chrome sand‐
83 box domains when running chrome-sandbox, you must turn on the uncon‐
84 fined_chrome_sandbox_transition boolean. Enabled by default.
85
86 setsebool -P unconfined_chrome_sandbox_transition 1
87
88
89
90 If you want to support ecryptfs home directories, you must turn on the
91 use_ecryptfs_home_dirs boolean. Disabled by default.
92
93 setsebool -P use_ecryptfs_home_dirs 1
94
95
96
97 If you want to support fusefs home directories, you must turn on the
98 use_fusefs_home_dirs boolean. Disabled by default.
99
100 setsebool -P use_fusefs_home_dirs 1
101
102
103
104 If you want to support NFS home directories, you must turn on the
105 use_nfs_home_dirs boolean. Disabled by default.
106
107 setsebool -P use_nfs_home_dirs 1
108
109
110
111 If you want to support SAMBA home directories, you must turn on the
112 use_samba_home_dirs boolean. Disabled by default.
113
114 setsebool -P use_samba_home_dirs 1
115
116
117
118 If you want to allows clients to write to the X server shared memory
119 segments, you must turn on the xserver_clients_write_xshm boolean. Dis‐
120 abled by default.
121
122 setsebool -P xserver_clients_write_xshm 1
123
124
125
127 The SELinux process type chrome_sandbox_t can manage files labeled with
128 the following file types. The paths listed are the default paths for
129 these file types. Note the processes UID still need to have DAC per‐
130 missions.
131
132 cgroup_t
133
134 /sys/fs/cgroup
135
136 chrome_sandbox_home_t
137
138 /home/[^/]+/.cache/chromium(/.*)?
139 /home/[^/]+/.cache/google-chrome(/.*)?
140 /home/[^/]+/.cache/google-chrome-unstable(/.*)?
141
142 chrome_sandbox_tmp_t
143
144
145 chrome_sandbox_tmpfs_t
146
147
148 home_cert_t
149
150 /root/.pki(/.*)?
151 /root/.cert(/.*)?
152 /home/[^/]+/.pki(/.*)?
153 /home/[^/]+/.cert(/.*)?
154 /home/[^/]+/.local/share/networkmanagement/certificates(/.*)?
155 /home/[^/]+/.kde/share/apps/networkmanagement/certificates(/.*)?
156
157 mozilla_home_t
158
159 /home/[^/]+/.lyx(/.*)?
160 /home/[^/]+/.java(/.*)?
161 /home/[^/]+/.adobe(/.*)?
162 /home/[^/]+/.gnash(/.*)?
163 /home/[^/]+/.webex(/.*)?
164 /home/[^/]+/.IBMERS(/.*)?
165 /home/[^/]+/.galeon(/.*)?
166 /home/[^/]+/.spicec(/.*)?
167 /home/[^/]+/POkemon.*(/.*)?
168 /home/[^/]+/.icedtea(/.*)?
169 /home/[^/]+/.mozilla(/.*)?
170 /home/[^/]+/.phoenix(/.*)?
171 /home/[^/]+/.netscape(/.*)?
172 /home/[^/]+/.ICAClient(/.*)?
173 /home/[^/]+/.quakelive(/.*)?
174 /home/[^/]+/.macromedia(/.*)?
175 /home/[^/]+/.thunderbird(/.*)?
176 /home/[^/]+/.gcjwebplugin(/.*)?
177 /home/[^/]+/.grl-podcasts(/.*)?
178 /home/[^/]+/.cache/mozilla(/.*)?
179 /home/[^/]+/.icedteaplugin(/.*)?
180 /home/[^/]+/zimbrauserdata(/.*)?
181 /home/[^/]+/.config/chromium(/.*)?
182 /home/[^/]+/.juniper_networks(/.*)?
183 /home/[^/]+/.cache/icedtea-web(/.*)?
184 /home/[^/]+/abc
185 /home/[^/]+/mozilla.pdf
186 /home/[^/]+/.gnashpluginrc
187
188 user_fonts_cache_t
189
190 /root/.fontconfig(/.*)?
191 /root/.fonts/auto(/.*)?
192 /root/.fonts.cache-.*
193 /home/[^/]+/.fontconfig(/.*)?
194 /home/[^/]+/.fonts/auto(/.*)?
195 /home/[^/]+/.fonts.cache-.*
196
197 user_tmp_t
198
199 /dev/shm/mono.*
200 /var/run/user(/.*)?
201 /tmp/.ICE-unix(/.*)?
202 /tmp/.X11-unix(/.*)?
203 /dev/shm/pulse-shm.*
204 /tmp/.X0-lock
205 /tmp/hsperfdata_root
206 /var/tmp/hsperfdata_root
207 /home/[^/]+/tmp
208 /home/[^/]+/.tmp
209 /tmp/gconfd-[^/]+
210
211 xserver_tmpfs_t
212
213
214
216 SELinux requires files to have an extended attribute to define the file
217 type.
218
219 You can see the context of a file using the -Z option to ls
220
221 Policy governs the access confined processes have to these files.
222 SELinux chrome_sandbox policy is very flexible allowing users to setup
223 their chrome_sandbox processes in as secure a method as possible.
224
225 STANDARD FILE CONTEXT
226
227 SELinux defines the file context types for the chrome_sandbox, if you
228 wanted to store files with these types in a diffent paths, you need to
229 execute the semanage command to sepecify alternate labeling and then
230 use restorecon to put the labels on disk.
231
232 semanage fcontext -a -t chrome_sandbox_home_t '/srv/mychrome_sand‐
233 box_content(/.*)?'
234 restorecon -R -v /srv/mychrome_sandbox_content
235
236 Note: SELinux often uses regular expressions to specify labels that
237 match multiple files.
238
239 The following file types are defined for chrome_sandbox:
240
241
242
243 chrome_sandbox_exec_t
244
245 - Set files with the chrome_sandbox_exec_t type, if you want to transi‐
246 tion an executable to the chrome_sandbox_t domain.
247
248
249 Paths:
250 /opt/google/chrome[^/]*/chrome-sandbox, /usr/lib/chromium-
251 browser/chrome-sandbox
252
253
254 chrome_sandbox_home_t
255
256 - Set files with the chrome_sandbox_home_t type, if you want to store
257 chrome sandbox files in the users home directory.
258
259
260 Paths:
261 /home/[^/]+/.cache/chromium(/.*)?, /home/[^/]+/.cache/google-
262 chrome(/.*)?, /home/[^/]+/.cache/google-chrome-unstable(/.*)?
263
264
265 chrome_sandbox_nacl_exec_t
266
267 - Set files with the chrome_sandbox_nacl_exec_t type, if you want to
268 transition an executable to the chrome_sandbox_nacl_t domain.
269
270
271 Paths:
272 /opt/google/chrome[^/]*/nacl_helper_bootstrap,
273 /opt/google/chrome/nacl_helper_bootstrap, /usr/lib/chromium-
274 browser/nacl_helper_bootstrap
275
276
277 chrome_sandbox_tmp_t
278
279 - Set files with the chrome_sandbox_tmp_t type, if you want to store
280 chrome sandbox temporary files in the /tmp directories.
281
282
283
284 chrome_sandbox_tmpfs_t
285
286 - Set files with the chrome_sandbox_tmpfs_t type, if you want to store
287 chrome sandbox files on a tmpfs file system.
288
289
290
291 Note: File context can be temporarily modified with the chcon command.
292 If you want to permanently change the file context you need to use the
293 semanage fcontext command. This will modify the SELinux labeling data‐
294 base. You will need to use restorecon to apply the labels.
295
296
298 semanage fcontext can also be used to manipulate default file context
299 mappings.
300
301 semanage permissive can also be used to manipulate whether or not a
302 process type is permissive.
303
304 semanage module can also be used to enable/disable/install/remove pol‐
305 icy modules.
306
307 semanage boolean can also be used to manipulate the booleans
308
309
310 system-config-selinux is a GUI tool available to customize SELinux pol‐
311 icy settings.
312
313
315 This manual page was auto-generated using sepolicy manpage .
316
317
319 selinux(8), chrome_sandbox(8), semanage(8), restorecon(8), chcon(1),
320 sepolicy(8), setsebool(8), chrome_sandbox_nacl_selinux(8), chrome_sand‐
321 box_nacl_selinux(8)
322
323
324
325chrome_sandbox 19-10-08 chrome_sandbox_selinux(8)