1chrome_sandbox_selinux(8)SELinux Policy chrome_sandboxchrome_sandbox_selinux(8)
2
3
4

NAME

6       chrome_sandbox_selinux   -  Security  Enhanced  Linux  Policy  for  the
7       chrome_sandbox processes
8

DESCRIPTION

10       Security-Enhanced Linux secures the chrome_sandbox processes via flexi‐
11       ble mandatory access control.
12
13       The  chrome_sandbox processes execute with the chrome_sandbox_t SELinux
14       type. You can check if you have these processes  running  by  executing
15       the ps command with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep chrome_sandbox_t
20
21
22

ENTRYPOINTS

24       The  chrome_sandbox_t  SELinux type can be entered via the chrome_sand‐
25       box_exec_t file type.
26
27       The default entrypoint paths for the chrome_sandbox_t  domain  are  the
28       following:
29
30       /opt/google/chrome[^/]*/chrome-sandbox,              /usr/lib/chromium-
31       browser/chrome-sandbox
32

PROCESS TYPES

34       SELinux defines process types (domains) for each process running on the
35       system
36
37       You can see the context of a process using the -Z option to ps
38
39       Policy  governs  the  access confined processes have to files.  SELinux
40       chrome_sandbox policy is very flexible allowing users  to  setup  their
41       chrome_sandbox processes in as secure a method as possible.
42
43       The following process types are defined for chrome_sandbox:
44
45       chrome_sandbox_t, chrome_sandbox_nacl_t
46
47       Note:  semanage  permissive -a chrome_sandbox_t can be used to make the
48       process type chrome_sandbox_t permissive. SELinux does not deny  access
49       to permissive process types, but the AVC (SELinux denials) messages are
50       still generated.
51
52

BOOLEANS

54       SELinux  policy  is  customizable  based  on  least  access   required.
55       chrome_sandbox  policy  is  extremely flexible and has several booleans
56       that allow you to manipulate the policy and run chrome_sandbox with the
57       tightest access possible.
58
59
60
61       If  you  want to allow confined applications to use nscd shared memory,
62       you must turn on the nscd_use_shm boolean. Enabled by default.
63
64       setsebool -P nscd_use_shm 1
65
66
67
68       If you want to allow regular users direct dri device access,  you  must
69       turn on the selinuxuser_direct_dri_enabled boolean. Enabled by default.
70
71       setsebool -P selinuxuser_direct_dri_enabled 1
72
73
74
75       If you want to allow unconfined users to transition to the chrome sand‐
76       box domains when running chrome-sandbox, you must turn  on  the  uncon‐
77       fined_chrome_sandbox_transition boolean. Enabled by default.
78
79       setsebool -P unconfined_chrome_sandbox_transition 1
80
81
82
83       If  you want to support ecryptfs home directories, you must turn on the
84       use_ecryptfs_home_dirs boolean. Disabled by default.
85
86       setsebool -P use_ecryptfs_home_dirs 1
87
88
89
90       If you want to support fusefs home directories, you must  turn  on  the
91       use_fusefs_home_dirs boolean. Disabled by default.
92
93       setsebool -P use_fusefs_home_dirs 1
94
95
96
97       If  you  want  to  support  NFS  home directories, you must turn on the
98       use_nfs_home_dirs boolean. Disabled by default.
99
100       setsebool -P use_nfs_home_dirs 1
101
102
103
104       If you want to support SAMBA home directories, you  must  turn  on  the
105       use_samba_home_dirs boolean. Disabled by default.
106
107       setsebool -P use_samba_home_dirs 1
108
109
110
111       If  you  want  to allows clients to write to the X server shared memory
112       segments, you must turn on the xserver_clients_write_xshm boolean. Dis‐
113       abled by default.
114
115       setsebool -P xserver_clients_write_xshm 1
116
117
118

MANAGED FILES

120       The SELinux process type chrome_sandbox_t can manage files labeled with
121       the following file types.  The paths listed are the default  paths  for
122       these  file  types.  Note the processes UID still need to have DAC per‐
123       missions.
124
125       cgroup_t
126
127            /sys/fs/cgroup
128
129       chrome_sandbox_home_t
130
131            /home/[^/]+/.cache/chromium(/.*)?
132            /home/[^/]+/.config/chromium(/.*)?
133            /home/[^/]+/.cache/google-chrome(/.*)?
134            /home/[^/]+/.cache/google-chrome-unstable(/.*)?
135
136       chrome_sandbox_tmp_t
137
138
139       chrome_sandbox_tmpfs_t
140
141
142       home_cert_t
143
144            /root/.pki(/.*)?
145            /root/.cert(/.*)?
146            /home/[^/]+/.pki(/.*)?
147            /home/[^/]+/.cert(/.*)?
148            /home/[^/]+/.local/share/networkmanagement/certificates(/.*)?
149            /home/[^/]+/.kde/share/apps/networkmanagement/certificates(/.*)?
150
151       mozilla_home_t
152
153            /home/[^/]+/.lyx(/.*)?
154            /home/[^/]+/.java(/.*)?
155            /home/[^/]+/.adobe(/.*)?
156            /home/[^/]+/.gnash(/.*)?
157            /home/[^/]+/.webex(/.*)?
158            /home/[^/]+/.IBMERS(/.*)?
159            /home/[^/]+/.galeon(/.*)?
160            /home/[^/]+/.spicec(/.*)?
161            /home/[^/]+/POkemon.*(/.*)?
162            /home/[^/]+/.icedtea(/.*)?
163            /home/[^/]+/.mozilla(/.*)?
164            /home/[^/]+/.phoenix(/.*)?
165            /home/[^/]+/.netscape(/.*)?
166            /home/[^/]+/.ICAClient(/.*)?
167            /home/[^/]+/.quakelive(/.*)?
168            /home/[^/]+/.macromedia(/.*)?
169            /home/[^/]+/.thunderbird(/.*)?
170            /home/[^/]+/.gcjwebplugin(/.*)?
171            /home/[^/]+/.grl-podcasts(/.*)?
172            /home/[^/]+/.cache/mozilla(/.*)?
173            /home/[^/]+/.icedteaplugin(/.*)?
174            /home/[^/]+/zimbrauserdata(/.*)?
175            /home/[^/]+/.juniper_networks(/.*)?
176            /home/[^/]+/.cache/icedtea-web(/.*)?
177            /home/[^/]+/abc
178            /home/[^/]+/mozilla.pdf
179            /home/[^/]+/.gnashpluginrc
180
181       user_fonts_cache_t
182
183            /root/.fontconfig(/.*)?
184            /root/.fonts/auto(/.*)?
185            /root/.fonts.cache-.*
186            /root/.cache/fontconfig(/.*)?
187            /home/[^/]+/.fontconfig(/.*)?
188            /home/[^/]+/.fonts/auto(/.*)?
189            /home/[^/]+/.fonts.cache-.*
190            /home/[^/]+/.cache/fontconfig(/.*)?
191
192

FILE CONTEXTS

194       SELinux requires files to have an extended attribute to define the file
195       type.
196
197       You can see the context of a file using the -Z option to ls
198
199       Policy  governs  the  access  confined  processes  have to these files.
200       SELinux chrome_sandbox policy is very flexible allowing users to  setup
201       their chrome_sandbox processes in as secure a method as possible.
202
203       STANDARD FILE CONTEXT
204
205       SELinux  defines  the file context types for the chrome_sandbox, if you
206       wanted to store files with these types in a different paths,  you  need
207       to  execute the semanage command to specify alternate labeling and then
208       use restorecon to put the labels on disk.
209
210       semanage fcontext -a -t chrome_sandbox_exec_t '/srv/chrome_sandbox/con‐
211       tent(/.*)?'
212       restorecon -R -v /srv/mychrome_sandbox_content
213
214       Note:  SELinux  often  uses  regular expressions to specify labels that
215       match multiple files.
216
217       The following file types are defined for chrome_sandbox:
218
219
220
221       chrome_sandbox_exec_t
222
223       - Set files with the chrome_sandbox_exec_t type, if you want to transi‐
224       tion an executable to the chrome_sandbox_t domain.
225
226
227       Paths:
228            /opt/google/chrome[^/]*/chrome-sandbox,         /usr/lib/chromium-
229            browser/chrome-sandbox
230
231
232       chrome_sandbox_home_t
233
234       - Set files with the chrome_sandbox_home_t type, if you want  to  store
235       chrome sandbox files in the users home directory.
236
237
238       Paths:
239            /home/[^/]+/.cache/chromium(/.*)?,               /home/[^/]+/.con‐
240            fig/chromium(/.*)?,        /home/[^/]+/.cache/google-chrome(/.*)?,
241            /home/[^/]+/.cache/google-chrome-unstable(/.*)?
242
243
244       chrome_sandbox_nacl_exec_t
245
246       -  Set  files  with the chrome_sandbox_nacl_exec_t type, if you want to
247       transition an executable to the chrome_sandbox_nacl_t domain.
248
249
250       Paths:
251            /opt/google/chrome[^/]*/nacl_helper_bootstrap,
252            /opt/google/chrome/nacl_helper_bootstrap,       /usr/lib/chromium-
253            browser/nacl_helper_bootstrap
254
255
256       chrome_sandbox_tmp_t
257
258       - Set files with the chrome_sandbox_tmp_t type, if you  want  to  store
259       chrome sandbox temporary files in the /tmp directories.
260
261
262
263       chrome_sandbox_tmpfs_t
264
265       -  Set files with the chrome_sandbox_tmpfs_t type, if you want to store
266       chrome sandbox files on a tmpfs file system.
267
268
269
270       Note: File context can be temporarily modified with the chcon  command.
271       If  you want to permanently change the file context you need to use the
272       semanage fcontext command.  This will modify the SELinux labeling data‐
273       base.  You will need to use restorecon to apply the labels.
274
275

COMMANDS

277       semanage  fcontext  can also be used to manipulate default file context
278       mappings.
279
280       semanage permissive can also be used to manipulate  whether  or  not  a
281       process type is permissive.
282
283       semanage  module can also be used to enable/disable/install/remove pol‐
284       icy modules.
285
286       semanage boolean can also be used to manipulate the booleans
287
288
289       system-config-selinux is a GUI tool available to customize SELinux pol‐
290       icy settings.
291
292

AUTHOR

294       This manual page was auto-generated using sepolicy manpage .
295
296

SEE ALSO

298       selinux(8),  chrome_sandbox(8),  semanage(8),  restorecon(8), chcon(1),
299       sepolicy(8), setsebool(8), chrome_sandbox_nacl_selinux(8), chrome_sand‐
300       box_nacl_selinux(8)
301
302
303
304chrome_sandbox                     23-10-20          chrome_sandbox_selinux(8)
Impressum