1chrome_sandbox_selinux(8)SELinux Policy chrome_sandboxchrome_sandbox_selinux(8)
2
3
4

NAME

6       chrome_sandbox_selinux   -  Security  Enhanced  Linux  Policy  for  the
7       chrome_sandbox processes
8

DESCRIPTION

10       Security-Enhanced Linux secures the chrome_sandbox processes via flexi‐
11       ble mandatory access control.
12
13       The  chrome_sandbox processes execute with the chrome_sandbox_t SELinux
14       type. You can check if you have these processes  running  by  executing
15       the ps command with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep chrome_sandbox_t
20
21
22

ENTRYPOINTS

24       The  chrome_sandbox_t  SELinux type can be entered via the chrome_sand‐
25       box_exec_t file type.
26
27       The default entrypoint paths for the chrome_sandbox_t  domain  are  the
28       following:
29
30       /opt/google/chrome[^/]*/chrome-sandbox,              /usr/lib/chromium-
31       browser/chrome-sandbox
32

PROCESS TYPES

34       SELinux defines process types (domains) for each process running on the
35       system
36
37       You can see the context of a process using the -Z option to ps
38
39       Policy  governs  the  access confined processes have to files.  SELinux
40       chrome_sandbox policy is very flexible allowing users  to  setup  their
41       chrome_sandbox processes in as secure a method as possible.
42
43       The following process types are defined for chrome_sandbox:
44
45       chrome_sandbox_t, chrome_sandbox_nacl_t
46
47       Note:  semanage  permissive -a chrome_sandbox_t can be used to make the
48       process type chrome_sandbox_t permissive. SELinux does not deny  access
49       to permissive process types, but the AVC (SELinux denials) messages are
50       still generated.
51
52

BOOLEANS

54       SELinux  policy  is  customizable  based  on  least  access   required.
55       chrome_sandbox  policy  is  extremely flexible and has several booleans
56       that allow you to manipulate the policy and run chrome_sandbox with the
57       tightest access possible.
58
59
60
61       If you want to allow all domains to execute in fips_mode, you must turn
62       on the fips_mode boolean. Enabled by default.
63
64       setsebool -P fips_mode 1
65
66
67
68       If you want to allow confined applications to use nscd  shared  memory,
69       you must turn on the nscd_use_shm boolean. Disabled by default.
70
71       setsebool -P nscd_use_shm 1
72
73
74
75       If  you  want to allow regular users direct dri device access, you must
76       turn on the selinuxuser_direct_dri_enabled boolean. Enabled by default.
77
78       setsebool -P selinuxuser_direct_dri_enabled 1
79
80
81
82       If you want to allow unconfined users to transition to the chrome sand‐
83       box  domains  when  running chrome-sandbox, you must turn on the uncon‐
84       fined_chrome_sandbox_transition boolean. Enabled by default.
85
86       setsebool -P unconfined_chrome_sandbox_transition 1
87
88
89
90       If you want to support ecryptfs home directories, you must turn on  the
91       use_ecryptfs_home_dirs boolean. Disabled by default.
92
93       setsebool -P use_ecryptfs_home_dirs 1
94
95
96
97       If  you  want  to support fusefs home directories, you must turn on the
98       use_fusefs_home_dirs boolean. Disabled by default.
99
100       setsebool -P use_fusefs_home_dirs 1
101
102
103
104       If you want to support NFS home  directories,  you  must  turn  on  the
105       use_nfs_home_dirs boolean. Disabled by default.
106
107       setsebool -P use_nfs_home_dirs 1
108
109
110
111       If  you  want  to  support SAMBA home directories, you must turn on the
112       use_samba_home_dirs boolean. Disabled by default.
113
114       setsebool -P use_samba_home_dirs 1
115
116
117
118       If you want to allows clients to write to the X  server  shared  memory
119       segments, you must turn on the xserver_clients_write_xshm boolean. Dis‐
120       abled by default.
121
122       setsebool -P xserver_clients_write_xshm 1
123
124
125

MANAGED FILES

127       The SELinux process type chrome_sandbox_t can manage files labeled with
128       the  following  file types.  The paths listed are the default paths for
129       these file types.  Note the processes UID still need to have  DAC  per‐
130       missions.
131
132       cgroup_t
133
134            /sys/fs/cgroup
135
136       chrome_sandbox_home_t
137
138            /home/[^/]+/.cache/chromium(/.*)?
139            /home/[^/]+/.config/chromium(/.*)?
140            /home/[^/]+/.cache/google-chrome(/.*)?
141            /home/[^/]+/.cache/google-chrome-unstable(/.*)?
142
143       chrome_sandbox_tmp_t
144
145
146       chrome_sandbox_tmpfs_t
147
148
149       home_cert_t
150
151            /root/.pki(/.*)?
152            /root/.cert(/.*)?
153            /home/[^/]+/.pki(/.*)?
154            /home/[^/]+/.cert(/.*)?
155            /home/[^/]+/.local/share/networkmanagement/certificates(/.*)?
156            /home/[^/]+/.kde/share/apps/networkmanagement/certificates(/.*)?
157
158       mozilla_home_t
159
160            /home/[^/]+/.lyx(/.*)?
161            /home/[^/]+/.java(/.*)?
162            /home/[^/]+/.adobe(/.*)?
163            /home/[^/]+/.gnash(/.*)?
164            /home/[^/]+/.webex(/.*)?
165            /home/[^/]+/.IBMERS(/.*)?
166            /home/[^/]+/.galeon(/.*)?
167            /home/[^/]+/.spicec(/.*)?
168            /home/[^/]+/POkemon.*(/.*)?
169            /home/[^/]+/.icedtea(/.*)?
170            /home/[^/]+/.mozilla(/.*)?
171            /home/[^/]+/.phoenix(/.*)?
172            /home/[^/]+/.netscape(/.*)?
173            /home/[^/]+/.ICAClient(/.*)?
174            /home/[^/]+/.quakelive(/.*)?
175            /home/[^/]+/.macromedia(/.*)?
176            /home/[^/]+/.thunderbird(/.*)?
177            /home/[^/]+/.gcjwebplugin(/.*)?
178            /home/[^/]+/.grl-podcasts(/.*)?
179            /home/[^/]+/.cache/mozilla(/.*)?
180            /home/[^/]+/.icedteaplugin(/.*)?
181            /home/[^/]+/zimbrauserdata(/.*)?
182            /home/[^/]+/.juniper_networks(/.*)?
183            /home/[^/]+/.cache/icedtea-web(/.*)?
184            /home/[^/]+/abc
185            /home/[^/]+/mozilla.pdf
186            /home/[^/]+/.gnashpluginrc
187
188       user_fonts_cache_t
189
190            /root/.fontconfig(/.*)?
191            /root/.fonts/auto(/.*)?
192            /root/.fonts.cache-.*
193            /home/[^/]+/.fontconfig(/.*)?
194            /home/[^/]+/.fonts/auto(/.*)?
195            /home/[^/]+/.fonts.cache-.*
196
197       user_tmp_t
198
199            /dev/shm/mono.*
200            /var/run/user(/.*)?
201            /tmp/.ICE-unix(/.*)?
202            /tmp/.X11-unix(/.*)?
203            /dev/shm/pulse-shm.*
204            /tmp/.X0-lock
205            /tmp/hsperfdata_root
206            /var/tmp/hsperfdata_root
207            /home/[^/]+/tmp
208            /home/[^/]+/.tmp
209            /tmp/gconfd-[^/]+
210
211       xserver_tmpfs_t
212
213
214

FILE CONTEXTS

216       SELinux requires files to have an extended attribute to define the file
217       type.
218
219       You can see the context of a file using the -Z option to ls
220
221       Policy governs the access  confined  processes  have  to  these  files.
222       SELinux  chrome_sandbox policy is very flexible allowing users to setup
223       their chrome_sandbox processes in as secure a method as possible.
224
225       STANDARD FILE CONTEXT
226
227       SELinux defines the file context types for the chrome_sandbox,  if  you
228       wanted  to store files with these types in a diffent paths, you need to
229       execute the semanage command to sepecify alternate  labeling  and  then
230       use restorecon to put the labels on disk.
231
232       semanage  fcontext  -a  -t  chrome_sandbox_home_t  '/srv/mychrome_sand‐
233       box_content(/.*)?'
234       restorecon -R -v /srv/mychrome_sandbox_content
235
236       Note: SELinux often uses regular expressions  to  specify  labels  that
237       match multiple files.
238
239       The following file types are defined for chrome_sandbox:
240
241
242
243       chrome_sandbox_exec_t
244
245       - Set files with the chrome_sandbox_exec_t type, if you want to transi‐
246       tion an executable to the chrome_sandbox_t domain.
247
248
249       Paths:
250            /opt/google/chrome[^/]*/chrome-sandbox,         /usr/lib/chromium-
251            browser/chrome-sandbox
252
253
254       chrome_sandbox_home_t
255
256       -  Set  files with the chrome_sandbox_home_t type, if you want to store
257       chrome sandbox files in the users home directory.
258
259
260       Paths:
261            /home/[^/]+/.cache/chromium(/.*)?,               /home/[^/]+/.con‐
262            fig/chromium(/.*)?,        /home/[^/]+/.cache/google-chrome(/.*)?,
263            /home/[^/]+/.cache/google-chrome-unstable(/.*)?
264
265
266       chrome_sandbox_nacl_exec_t
267
268       - Set files with the chrome_sandbox_nacl_exec_t type, if  you  want  to
269       transition an executable to the chrome_sandbox_nacl_t domain.
270
271
272       Paths:
273            /opt/google/chrome[^/]*/nacl_helper_bootstrap,
274            /opt/google/chrome/nacl_helper_bootstrap,       /usr/lib/chromium-
275            browser/nacl_helper_bootstrap
276
277
278       chrome_sandbox_tmp_t
279
280       -  Set  files  with the chrome_sandbox_tmp_t type, if you want to store
281       chrome sandbox temporary files in the /tmp directories.
282
283
284
285       chrome_sandbox_tmpfs_t
286
287       - Set files with the chrome_sandbox_tmpfs_t type, if you want to  store
288       chrome sandbox files on a tmpfs file system.
289
290
291
292       Note:  File context can be temporarily modified with the chcon command.
293       If you want to permanently change the file context you need to use  the
294       semanage fcontext command.  This will modify the SELinux labeling data‐
295       base.  You will need to use restorecon to apply the labels.
296
297

COMMANDS

299       semanage fcontext can also be used to manipulate default  file  context
300       mappings.
301
302       semanage  permissive  can  also  be used to manipulate whether or not a
303       process type is permissive.
304
305       semanage module can also be used to enable/disable/install/remove  pol‐
306       icy modules.
307
308       semanage boolean can also be used to manipulate the booleans
309
310
311       system-config-selinux is a GUI tool available to customize SELinux pol‐
312       icy settings.
313
314

AUTHOR

316       This manual page was auto-generated using sepolicy manpage .
317
318

SEE ALSO

320       selinux(8), chrome_sandbox(8),  semanage(8),  restorecon(8),  chcon(1),
321       sepolicy(8), setsebool(8), chrome_sandbox_nacl_selinux(8), chrome_sand‐
322       box_nacl_selinux(8)
323
324
325
326chrome_sandbox                     19-05-30          chrome_sandbox_selinux(8)
Impressum