
Bug 412637

Summary: SELinux policy for www-client/chromium
Product: Gentoo Linux
Reporter: Paweł Hajdan, Jr. (RETIRED) <phajdan.jr>
Component: Hardened
Assignee: Sven Vermeulen (RETIRED) <swift>
Status: VERIFIED FIXED
Severity: enhancement
CC: chromium, h.v.bruinehsen, selinux
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: sec-policy r1
Package list:
Runtime testing required: ---
Attachments: chromium_browser.te
chromium_browser.fc
chromium_browser.te
chromium_browser.te
chromium-browser.te
chromium-browser.fc

Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-04-19 13:38:15 UTC
Created attachment 309509 [details]
chromium_browser.te

I'm submitting my draft of SELinux policy for www-client/chromium (.te and .fc files).
Comment 1 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-04-19 13:38:34 UTC
Created attachment 309511 [details]
chromium_browser.fc
Comment 2 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-05-08 10:10:03 UTC
Created attachment 311157 [details]
chromium_browser.te

Updated chromium-browser.te, now uses more interfaces. Requires >=selinux-base-policy-2.20120215-r7
Comment 3 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-05-08 12:47:54 UTC
Created attachment 311175 [details]
chromium_browser.te

Updated chromium-browser.te to tighten the tmp files policy.
Comment 4 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-05-14 14:52:30 UTC
Created attachment 311757 [details]
chromium-browser.te

Now confines chromium_t.
Comment 5 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-05-14 14:52:53 UTC
Created attachment 311759 [details]
chromium-browser.fc
Comment 6 Paul de Vrieze (RETIRED) gentoo-dev 2012-07-03 09:20:22 UTC
Can this bug either be fixed, or chromium modified? Otherwise it is impossible to use chromium in conjunction with SELinux.
Comment 7 Sven Vermeulen (RETIRED) gentoo-dev 2012-07-03 18:25:56 UTC
Well, the domain_dyntrans_type is still a thorn in the eye and there is a domain_auto_trans that shouldn't be there (if you want unconfined to call chromium_exec_t, there should be a chromium_run() interface for unconfined roles).

It might be good to push the policies to the refpolicy mailing list as well for a good review. We're trying to stick close to it (and also backport the changes made there) and since this one contains quite a few "weird" things I'm not certain it is fine to just load it in.
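Added illustration, not part of the bug thread or of the attached chromium-browser.te: a refpolicy-style chromium_domtrans()/chromium_run() interface pair of the kind comment 7 asks for, set against the two constructs it objects to. The type names chromium_t and chromium_exec_t are taken from the thread; the file names, the interface bodies, the staff_t/staff_r caller and the commented-out "wrong" lines are assumptions written for this example.

```sepolicy
# Added example (not the attached policy): let the *caller's* module request
# the transition into chromium_t through an interface, instead of the
# chromium module hard-wiring a transition for unconfined_t.

########################################
# chromium.if (assumed file name): interfaces offered to other modules

## <summary>
##	Execute chromium in the chromium domain.
## </summary>
interface(`chromium_domtrans',`
	gen_require(`
		type chromium_t, chromium_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, chromium_exec_t, chromium_t)
')

## <summary>
##	Execute chromium in the chromium domain and allow the
##	specified role the chromium domain.
## </summary>
interface(`chromium_run',`
	gen_require(`
		type chromium_t;
	')

	chromium_domtrans($1)
	role $2 types chromium_t;
')

########################################
# chromium.te (assumed): the module's own declarations

policy_module(chromium, 1.0.0)

type chromium_t;
type chromium_exec_t;
application_domain(chromium_t, chromium_exec_t)

# Not wanted here: the chromium module decides on behalf of another domain
# that it transitions into chromium_t, and no role is ever granted chromium_t.
# domain_auto_trans(unconfined_t, chromium_exec_t, chromium_t)

# Questioned in comment 7: this attribute lets chromium_t change its own
# security context at run time (process setcurrent / dyntransition).
# domain_dyntrans_type(chromium_t)

########################################
# The transition belongs in the caller's module (here an assumed staff
# user domain), wrapped so it is skipped when chromium is not installed:
#
#   optional_policy(`
#       chromium_run(staff_t, staff_r)
#   ')
```

After the module is loaded, `sesearch -T -s staff_t -t chromium_exec_t` (setools) should list the type_transition to chromium_t, and `seinfo -r staff_r -x` should show chromium_t among the role's types; with the domain_auto_trans form only the first of those holds, and a role that was never given chromium_t cannot complete the transition.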
Comment 8 Sven Vermeulen (RETIRED) gentoo-dev 2012-07-22 08:59:02 UTC
Will be part of rev 16
Comment 9 Sven Vermeulen (RETIRED) gentoo-dev 2012-07-28 09:27:02 UTC
Is in the 2.20120725-r1, now in hardened-dev overlay
Comment 10 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-07-31 11:56:20 UTC
(In reply to comment #7)
> It might be good to push the policies to refpolicy mailinglist as well for a
> good review. We're trying to stick close to it (and also backport the
> changes made there) and since this one contains quite a few "weird" things
> I'm not certain it is fine to just load it in.

Agreed, it's a good idea. If you want me to do that, please let me know.

By the way, I noticed some people are using SELinux+chromium here (e.g. pauldv). Please also send feedback to me, even if it's just "just works" or "broken" (more details are welcome, but sometimes people are short on time).

Thanks Sven for your work on this bug!
Comment 11 Sven Vermeulen (RETIRED) gentoo-dev 2012-09-22 11:33:41 UTC
In main tree, ~arch'ed (rev 5)
Comment 12 Sven Vermeulen (RETIRED) gentoo-dev 2012-10-04 18:37:19 UTC
stabilized