1chrome_sandbox_selinux(8)SELinux Policy chrome_sandboxchrome_sandbox_selinux(8)
2
3
4

NAME

6       chrome_sandbox_selinux   -  Security  Enhanced  Linux  Policy  for  the
7       chrome_sandbox processes
8

DESCRIPTION

10       Security-Enhanced Linux secures the chrome_sandbox processes via flexi‐
11       ble mandatory access control.
12
13       The  chrome_sandbox processes execute with the chrome_sandbox_t SELinux
14       type. You can check if you have these processes  running  by  executing
15       the ps command with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep chrome_sandbox_t
20
21
22

ENTRYPOINTS

24       The  chrome_sandbox_t  SELinux type can be entered via the chrome_sand‐
25       box_exec_t file type.
26
27       The default entrypoint paths for the chrome_sandbox_t  domain  are  the
28       following:
29
30       /opt/google/chrome[^/]*/chrome-sandbox,              /usr/lib/chromium-
31       browser/chrome-sandbox
32

PROCESS TYPES

34       SELinux defines process types (domains) for each process running on the
35       system
36
37       You can see the context of a process using the -Z option to ps
38
39       Policy  governs  the  access confined processes have to files.  SELinux
40       chrome_sandbox policy is very flexible allowing users  to  setup  their
41       chrome_sandbox processes in as secure a method as possible.
42
43       The following process types are defined for chrome_sandbox:
44
45       chrome_sandbox_t, chrome_sandbox_nacl_t
46
47       Note:  semanage  permissive -a chrome_sandbox_t can be used to make the
48       process type chrome_sandbox_t permissive. SELinux does not deny  access
49       to permissive process types, but the AVC (SELinux denials) messages are
50       still generated.
51
52

BOOLEANS

54       SELinux  policy  is  customizable  based  on  least  access   required.
55       chrome_sandbox  policy  is  extremely flexible and has several booleans
56       that allow you to manipulate the policy and run chrome_sandbox with the
57       tightest access possible.
58
59
60
61       If you want to allow all domains to execute in fips_mode, you must turn
62       on the fips_mode boolean. Enabled by default.
63
64       setsebool -P fips_mode 1
65
66
67
68       If you want to allow confined applications to use nscd  shared  memory,
69       you must turn on the nscd_use_shm boolean. Enabled by default.
70
71       setsebool -P nscd_use_shm 1
72
73
74
75       If  you  want to allow regular users direct dri device access, you must
76       turn on the selinuxuser_direct_dri_enabled boolean. Enabled by default.
77
78       setsebool -P selinuxuser_direct_dri_enabled 1
79
80
81
82       If you want to allow unconfined users to transition to the chrome sand‐
83       box  domains  when  running chrome-sandbox, you must turn on the uncon‐
84       fined_chrome_sandbox_transition boolean. Enabled by default.
85
86       setsebool -P unconfined_chrome_sandbox_transition 1
87
88
89
90       If you want to support ecryptfs home directories, you must turn on  the
91       use_ecryptfs_home_dirs boolean. Disabled by default.
92
93       setsebool -P use_ecryptfs_home_dirs 1
94
95
96
97       If  you  want  to support fusefs home directories, you must turn on the
98       use_fusefs_home_dirs boolean. Disabled by default.
99
100       setsebool -P use_fusefs_home_dirs 1
101
102
103
104       If you want to support NFS home  directories,  you  must  turn  on  the
105       use_nfs_home_dirs boolean. Disabled by default.
106
107       setsebool -P use_nfs_home_dirs 1
108
109
110
111       If  you  want  to  support SAMBA home directories, you must turn on the
112       use_samba_home_dirs boolean. Disabled by default.
113
114       setsebool -P use_samba_home_dirs 1
115
116
117
118       If you want to allows clients to write to the X  server  shared  memory
119       segments, you must turn on the xserver_clients_write_xshm boolean. Dis‐
120       abled by default.
121
122       setsebool -P xserver_clients_write_xshm 1
123
124
125

MANAGED FILES

127       The SELinux process type chrome_sandbox_t can manage files labeled with
128       the  following  file types.  The paths listed are the default paths for
129       these file types.  Note the processes UID still need to have  DAC  per‐
130       missions.
131
132       cgroup_t
133
134            /sys/fs/cgroup
135
136       chrome_sandbox_home_t
137
138            /home/[^/]+/.cache/chromium(/.*)?
139            /home/[^/]+/.cache/google-chrome(/.*)?
140            /home/[^/]+/.cache/google-chrome-unstable(/.*)?
141
142       chrome_sandbox_tmp_t
143
144
145       chrome_sandbox_tmpfs_t
146
147
148       home_cert_t
149
150            /root/.pki(/.*)?
151            /root/.cert(/.*)?
152            /home/[^/]+/.pki(/.*)?
153            /home/[^/]+/.cert(/.*)?
154            /home/[^/]+/.local/share/networkmanagement/certificates(/.*)?
155            /home/[^/]+/.kde/share/apps/networkmanagement/certificates(/.*)?
156
157       mozilla_home_t
158
159            /home/[^/]+/.lyx(/.*)?
160            /home/[^/]+/.java(/.*)?
161            /home/[^/]+/.adobe(/.*)?
162            /home/[^/]+/.gnash(/.*)?
163            /home/[^/]+/.webex(/.*)?
164            /home/[^/]+/.IBMERS(/.*)?
165            /home/[^/]+/.galeon(/.*)?
166            /home/[^/]+/.spicec(/.*)?
167            /home/[^/]+/POkemon.*(/.*)?
168            /home/[^/]+/.icedtea(/.*)?
169            /home/[^/]+/.mozilla(/.*)?
170            /home/[^/]+/.phoenix(/.*)?
171            /home/[^/]+/.netscape(/.*)?
172            /home/[^/]+/.ICAClient(/.*)?
173            /home/[^/]+/.quakelive(/.*)?
174            /home/[^/]+/.macromedia(/.*)?
175            /home/[^/]+/.thunderbird(/.*)?
176            /home/[^/]+/.gcjwebplugin(/.*)?
177            /home/[^/]+/.grl-podcasts(/.*)?
178            /home/[^/]+/.cache/mozilla(/.*)?
179            /home/[^/]+/.icedteaplugin(/.*)?
180            /home/[^/]+/zimbrauserdata(/.*)?
181            /home/[^/]+/.config/chromium(/.*)?
182            /home/[^/]+/.juniper_networks(/.*)?
183            /home/[^/]+/.cache/icedtea-web(/.*)?
184            /home/[^/]+/abc
185            /home/[^/]+/mozilla.pdf
186            /home/[^/]+/.gnashpluginrc
187
188       user_fonts_cache_t
189
190            /root/.fontconfig(/.*)?
191            /root/.fonts/auto(/.*)?
192            /root/.fonts.cache-.*
193            /home/[^/]+/.fontconfig(/.*)?
194            /home/[^/]+/.fonts/auto(/.*)?
195            /home/[^/]+/.fonts.cache-.*
196
197       user_tmp_t
198
199            /dev/shm/mono.*
200            /var/run/user(/.*)?
201            /tmp/.ICE-unix(/.*)?
202            /tmp/.X11-unix(/.*)?
203            /dev/shm/pulse-shm.*
204            /tmp/.X0-lock
205            /tmp/hsperfdata_root
206            /var/tmp/hsperfdata_root
207            /home/[^/]+/tmp
208            /home/[^/]+/.tmp
209            /tmp/gconfd-[^/]+
210
211       xserver_tmpfs_t
212
213
214

FILE CONTEXTS

216       SELinux requires files to have an extended attribute to define the file
217       type.
218
219       You can see the context of a file using the -Z option to ls
220
221       Policy governs the access  confined  processes  have  to  these  files.
222       SELinux  chrome_sandbox policy is very flexible allowing users to setup
223       their chrome_sandbox processes in as secure a method as possible.
224
225       STANDARD FILE CONTEXT
226
227       SELinux defines the file context types for the chrome_sandbox,  if  you
228       wanted  to store files with these types in a diffent paths, you need to
229       execute the semanage command to sepecify alternate  labeling  and  then
230       use restorecon to put the labels on disk.
231
232       semanage  fcontext  -a  -t  chrome_sandbox_home_t  '/srv/mychrome_sand‐
233       box_content(/.*)?'
234       restorecon -R -v /srv/mychrome_sandbox_content
235
236       Note: SELinux often uses regular expressions  to  specify  labels  that
237       match multiple files.
238
239       The following file types are defined for chrome_sandbox:
240
241
242
243       chrome_sandbox_exec_t
244
245       - Set files with the chrome_sandbox_exec_t type, if you want to transi‐
246       tion an executable to the chrome_sandbox_t domain.
247
248
249       Paths:
250            /opt/google/chrome[^/]*/chrome-sandbox,         /usr/lib/chromium-
251            browser/chrome-sandbox
252
253
254       chrome_sandbox_home_t
255
256       -  Set  files with the chrome_sandbox_home_t type, if you want to store
257       chrome sandbox files in the users home directory.
258
259
260       Paths:
261            /home/[^/]+/.cache/chromium(/.*)?,      /home/[^/]+/.cache/google-
262            chrome(/.*)?, /home/[^/]+/.cache/google-chrome-unstable(/.*)?
263
264
265       chrome_sandbox_nacl_exec_t
266
267       -  Set  files  with the chrome_sandbox_nacl_exec_t type, if you want to
268       transition an executable to the chrome_sandbox_nacl_t domain.
269
270
271       Paths:
272            /opt/google/chrome[^/]*/nacl_helper_bootstrap,
273            /opt/google/chrome/nacl_helper_bootstrap,       /usr/lib/chromium-
274            browser/nacl_helper_bootstrap
275
276
277       chrome_sandbox_tmp_t
278
279       - Set files with the chrome_sandbox_tmp_t type, if you  want  to  store
280       chrome sandbox temporary files in the /tmp directories.
281
282
283
284       chrome_sandbox_tmpfs_t
285
286       -  Set files with the chrome_sandbox_tmpfs_t type, if you want to store
287       chrome sandbox files on a tmpfs file system.
288
289
290
291       Note: File context can be temporarily modified with the chcon  command.
292       If  you want to permanently change the file context you need to use the
293       semanage fcontext command.  This will modify the SELinux labeling data‐
294       base.  You will need to use restorecon to apply the labels.
295
296

COMMANDS

298       semanage  fcontext  can also be used to manipulate default file context
299       mappings.
300
301       semanage permissive can also be used to manipulate  whether  or  not  a
302       process type is permissive.
303
304       semanage  module can also be used to enable/disable/install/remove pol‐
305       icy modules.
306
307       semanage boolean can also be used to manipulate the booleans
308
309
310       system-config-selinux is a GUI tool available to customize SELinux pol‐
311       icy settings.
312
313

AUTHOR

315       This manual page was auto-generated using sepolicy manpage .
316
317

SEE ALSO

319       selinux(8),  chrome_sandbox(8),  semanage(8),  restorecon(8), chcon(1),
320       sepolicy(8), setsebool(8), chrome_sandbox_nacl_selinux(8), chrome_sand‐
321       box_nacl_selinux(8)
322
323
324
325chrome_sandbox                     19-10-08          chrome_sandbox_selinux(8)