SELinux/chromium
Structure
Domains
The chromium_t domain is used for the chromium web browser and is usable by regular users or operators.
Next to the main domain, you'll also find chromium_renderer_t. This is for the individual renderer processes within Chromium. The renderer process domain is transitioned to dynamically (chromium is SELinux-aware on this and defines the transitions itself).
File types/labels
The following table lists the file type/labels defined in the chromium module.
Type | Function | Description |
---|---|---|
chromium_exec_t | Entrypoint | Entrypoint domain for the chromium_t dmoain |
chromium_tmp_t | Label for temporary files, links and named pipes | |
chromium_tmpfs_t | Label for the tmpfs-files, needed for interaction with Xorg | |
chromium_xdg_config_t | Label for the chromium configuration (~/.config/chromium) | |
chromium_xdg_cache_t | Label for the chromium cache (~/.cache/chromium) |
Using the chromium SELinux module
By default, the chromium domain will be somewhat restricted. Few functions that you might want to enable are controlled by booleans.
SELinux boolean: chromium_read_user_content
When enabled, the chromium browser is allowed to read user content (the user home files).
The default is yes, to allow users to use chromium to browse local files.
SELinux boolean: chromium_manage_user_content
When enabled, the chromium browser is allowed to manage (modify) user content. This is also needed if the user wants to download files into a local directory.
If you want to download files but don't want to give the chromium browser these rights, use a dedicated directory and label it chromium_xdg_cache_t. From a policy development point of view, we are going to look into supporting the other XDG types for this (Download, Desktop, Documents, Music, Pictures, Videos).
The default is no.
SELinux boolean: chromium_use_java
When enabled, the chromium browser is allowed to invoke java for its java plugin support.
Due to the way java plugins are handled (and depending on the plugin used), this will result in browsers having access to their temporary directories (but only directories) as the same directory is used for the control sockets or pipes.
The default is no.
SELinux boolean: chromium_read_system_info
When enabled, the chromium browser is allowed to access various system information resources (/sys/kernel/debug, /sys/bus, /sys/devices, /proc, etc. The browser uses this to optimize its own resources (like memory management) and support for specific devices (like handling web cams, etc.)
The default is no.