SELinux/chromium

From Gentoo Wiki
Jump to: navigation, search

Structure

Domains

The chromium_t domain is used for the chromium web browser and is usable by regular users or operators.

Next to the main domain, you'll also find chromium_renderer_t. This is for the individual renderer processes within Chromium. The renderer process domain is transitioned to dynamically (chromium is SELinux-aware on this and defines the transitions itself).

File types/labels

The following table lists the file type/labels defined in the chromium module.

Type Function Description
chromium_exec_t Entrypoint Entrypoint domain for the chromium_t dmoain
chromium_tmp_t Label for temporary files, links and named pipes
chromium_tmpfs_t Label for the tmpfs-files, needed for interaction with Xorg
chromium_xdg_config_t Label for the chromium configuration (~/.config/chromium)
chromium_xdg_cache_t Label for the chromium cache (~/.cache/chromium)

Using the chromium SELinux module

By default, the chromium domain will be somewhat restricted. Few functions that you might want to enable are controlled by booleans.

SELinux boolean: chromium_read_user_content

When enabled, the chromium browser is allowed to read user content (the user home files).

The default is yes, to allow users to use chromium to browse local files.

SELinux boolean: chromium_manage_user_content

When enabled, the chromium browser is allowed to manage (modify) user content. This is also needed if the user wants to download files into a local directory.

If you want to download files but don't want to give the chromium browser these rights, use a dedicated directory and label it chromium_xdg_cache_t. From a policy development point of view, we are going to look into supporting the other XDG types for this (Download, Desktop, Documents, Music, Pictures, Videos).

The default is no.

SELinux boolean: chromium_use_java

When enabled, the chromium browser is allowed to invoke java for its java plugin support.

Due to the way java plugins are handled (and depending on the plugin used), this will result in browsers having access to their temporary directories (but only directories) as the same directory is used for the control sockets or pipes.

The default is no.

SELinux boolean: chromium_read_system_info

When enabled, the chromium browser is allowed to access various system information resources (/sys/kernel/debug, /sys/bus, /sys/devices, /proc, etc. The browser uses this to optimize its own resources (like memory management) and support for specific devices (like handling web cams, etc.)

The default is no.