Bug 2218087

Summary: chromium/chrome runs as unconfined, not as chrome_sandbox_t
Product: Fedora
Reporter: Wes Turner <wes.turner>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: NEW
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 38
CC: dwalsh, lvrabec, mmalik, nknazeko, omosnacek, pkoncity, vmojzis, zpytela
Keywords: ManyUsersImpacted, Question, Security, SELinux
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Linux
Doc Type: If docs needed, set a value
Type: ---

Description Wes Turner 2023-06-28 06:31:04 UTC
It appears that chromium-browser/chrome is running as an unconfined process; with no SELinux?

$ dnf install chromium; type -a chromium-browser; ls -alZ "$(which chromium-browser)" "$(readlink "$(which chromium-browser)")" /etc/chromium/chromium.conf; chromium-browser & sleep 5; ps -aufxwZ | grep chromium-browser | grep unconfined

- https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/contrib/chrome.fc
- https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/contrib/chrome.te
- https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/contrib/chrome.if
- https://www.google.com/search?q=site%3Abugzilla.redhat.com+chromium+selinux-policy
- https://www.mankier.com/8/chrome_sandbox_selinux chrome_sandbox_exec_t (fc18-?)
- https://github.com/SeleniumHQ/docker-selenium/issues/631#issuecomment-351232105
- https://github.com/jessfraz/dotfiles/blob/master/etc/docker/seccomp/chrome.json (docker,) seccomp profile for chrome
  - https://github.com/jessfraz/dotfiles/pull/49/files
- https://github.com/SeleniumHQ/docker-selenium/blob/trunk/NodeChrome/wrap_chrome_binary#L25 --no-sandbox
  - ( https://github.com/SeleniumHQ/docker-selenium/blob/trunk/docker-compose-v3-basicauth.yml )
- https://bugs.chromium.org/p/chromium/issues/detail?id=477925 --disable-namespace-sandbox
- https://src.chromium.org/viewvc/chrome?revision=26257&view=revision (2009; first SELinux support in chrome fwics)
- https://src.chromium.org/viewvc/chrome?revision=200838&view=revision (2013; removed SELinux support per https://groups.google.com/a/chromium.org/g/chromium-dev/c/YpU7t2XaGRg/m/V9-diQZQQDwJ?pli=1 )
- https://bugs.chromium.org/p/chromium/issues/list?q=selinux%20OS=linux&can=1&sort=-modified
- https://bugs.chromium.org/p/chromium/issues/detail?id=477329#c21 :
  IIRC, oom_score_adj was relevant to why chrome wouldn't work with selinux years ago; but IDK if this is still the reason?
  
- https://bugs.chromium.org/p/chromium/issues/detail?id=312380#c96 :
  > deploy_chrome: drop setuid bit on chrome sandbox (2018)
  >
  > We shouldn't need this anymore with CL:1112815 which disables Chrome's
  > use of the suid sandbox for OOM adjustments.

- https://chromium.googlesource.com/chromium/src/+/main/docs/linux/sandboxing.md#selinux
- chrome://sandbox indicates which sandboxing features are enabled

- https://github.com/SELinuxProject/selinux-notebook/blob/main/src/toc.md
- https://stopdisablingselinux.com/

Am I just not understanding why chromium/chrome doesn't need to run as a labeled confined process because it has a namespace sandbox?

Reproducible: Always

Steps to Reproduce:
1. type -a chromium-browser; ls -alZ "$(which chromium-browser)" "$(readlink "$(which chromium-browser)")" /etc/chromium/chromium.conf; chromium-browser & sleep 5; ps -aufxwZ | grep chromium-browser | grep unconfined
2. System Monitor > Processes > Right Click headings > Select [Security Context]
3. Ctrl-F "chrom" 
4. Security Context: Unconfined


Expected Results:  
Chrome should run with special namespaces *and* SELinux process context, at least

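As an added example (not part of the bug report or of selinux-policy), the check behind the "grep unconfined" one-liner above, written as a reusable POSIX shell function: it reads `ps -eo label,pid,comm` style output and prints every process matching a command pattern whose SELinux type is not chrome_sandbox_t, so the report shows the actual type (unconfined_t, or "(unlabeled)" when ps prints "-" because SELinux is off or unsupported) instead of relying on a substring match. The sample process list is constructed for the example, not captured from a real system; the 15-character comm truncation ("chromium-browse") mirrors what ps prints.

```shell
#!/bin/sh
# Added example: classify process SELinux contexts from `ps -eo label,pid,comm` output.
# Each input line is "<context> <pid> <comm>"; the header line is skipped.

# Constructed sample output (not from a real machine).  The "-" label on the
# last line is what ps prints when no SELinux label is available.
SAMPLE='LABEL                                                  PID COMMAND
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023     4242 chromium-browse
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023     4250 chrome
unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 4251 chrome-sandbox
system_u:system_r:sshd_t:s0-s0:c0.c1023                    800 sshd
-                                                         4260 chrome'

# report_unlabeled PATTERN
# Reads ps output on stdin; prints "<pid> <comm> <type>" for each process whose
# command matches PATTERN and whose type (third colon-separated field of the
# context) is anything other than chrome_sandbox_t.  A missing type, i.e. a
# "-" label, is reported as "(unlabeled)".
report_unlabeled() {
    awk -v pat="$1" '
        NR > 1 && $NF ~ pat {
            split($1, ctx, ":")
            t = (ctx[3] == "") ? "(unlabeled)" : ctx[3]
            if (t != "chrome_sandbox_t") print $2, $NF, t
        }'
}

# check_sample PATTERN: run the report over the constructed sample.
check_sample() {
    printf '%s\n' "$SAMPLE" | report_unlabeled "$1"
}

# On a real system: ps -eo label,pid,comm | report_unlabeled chrom
check_sample chrom
```

An empty result for a pattern means every matching process already carries the chrome_sandbox_t type; any printed line is a process running in some other domain, which is the condition this bug describes.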
Comment 1 Wes Turner 2023-06-28 06:31:58 UTC
Do I need to `chcon` after installing?

Comment 2 Wes Turner 2023-06-28 06:34:57 UTC
(I sent a support request to Google over 60 days ago on this)

More complete command to verify that chromium-browser is running as an unconfined process (probably with namespaces):

$ dnf install -y chromium; type -a chromium-browser; ls -alZ "$(which chromium-browser)" "$(readlink "$(which chromium-browser)")" /etc/chromium/chromium.conf; chromium-browser & sleep 5; ps -aufxwZ | grep chromium-browser | grep unconfined

Are these the current chromium docs for SELinux w/ Chromium (on Fedora, RedHat, ChromiumOS (where there's no `ls -alZ`))?
- https://chromium.googlesource.com/chromium/src/+/main/docs/linux/sandboxing.md#selinux

Comment 3 Nikola Knazekova 2023-06-30 11:09:12 UTC
Thank you Wes, we will look at it