|Summary:||Contribute SELinux policy files for Google Chrome / Chromium upstream|
|Product:||[Fedora] Fedora||Reporter:||Evan Martin (Chromium) <evan>|
|Component:||selinux-policy||Assignee:||Miroslav Grepl <mgrepl>|
|Status:||CLOSED EOL||QA Contact:||Fedora Extras Quality Assurance <extras-qa>|
|Version:||19||CC:||adam, dominick.grift, dwalsh, mgrepl, Per.t.Sjoholm, rgs|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2015-02-18 13:34:20 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Cloudforms Team:||---||Target Upstream Version:|
Description Evan Martin (Chromium) 2011-06-02 21:21:06 UTC
In selinux-policy-*.rpm I see that the SELinux policy files have special rules for /opt/google/chrome. This means when Google releases new versions of Chrome, the policy files may be out of sync with Chromium's behavior. It would be better if the policy files were kept upstream so that they could be released in parallel with Chrome releases. These policy files could also be maintained for Chromium at the same time. Upstream is receptive to patches and would be happy to either just rubber-stamp all changes you'd like to make to policy files or collaborate with you on making sure they are correct.
Comment 1 Daniel Walsh 2011-06-06 17:56:54 UTC
We are trying to control what the chrome-sandbox is allowed to do, since it is setuid. The bug that you are seeing is caused by a file/directory being created in the homedir with the wrong label on it. In F15 we did not have policycoreutils-restorecond installed by default, which would have fixed the mislabeled directory. We can add this to a comps file to make sure it gets installed in the future. In F16 we have the ability to label these files/directories correctly on creation. I have also disabled the transition from unconfined_t to chrome_sandbox_t by default. So chrome_sandbox will continue to run as unconfined_t to block this. Confined user will still have this problem, but the fixes in F16 should mitigate it. One thing I would like to see fixed in chrome-sandbox would be to break the executable in two. One exec to setup the sandbox environment that would require all of the capabilities, and then a second exe that would actually process the content. Then we could really lock down the chrome-sandbox process.
Comment 2 Adam Goode 2011-06-07 12:24:23 UTC
Where are you upstreaming the patches currently in http://git.fedorahosted.org/git/?p=selinux-policy.git ? Does it go to the reference policy or individual upstreams? Chromium definitely wants to host this policy. We shouldn't have such large changes without upstream motion.
Comment 3 Adam Goode 2011-06-14 12:43:00 UTC
Comment 4 Daniel Walsh 2011-06-14 15:30:04 UTC
chrome policy is stored in reference policy upstream. If you want to modify it, I would suggest you send patches there.
Comment 5 Daniel Walsh 2011-06-14 15:31:11 UTC
http://oss.tresys.com/git/refpolicy.git The problems we have seen with the chrome_sandbox policy have been related to labeling not so much the actual rules.
Comment 6 Adam Goode 2011-06-15 02:12:14 UTC
Do you want me to start extracting the Chrome-specific policy from http://git.fedorahosted.org/git/?p=selinux-policy.git and send patches to refpolicy?
Comment 7 Daniel Walsh 2011-06-15 12:24:42 UTC
No sorry, I thought the policy had been upstreamed. I guess you should report any problems with chrome policy to us. Miroslav can you work to get chrome policy upstreamed.
Comment 8 Miroslav Grepl 2011-06-15 12:47:06 UTC
Ok, I will send a patch to upstream. Adam, I will add you to CC.
Comment 9 Daniel Walsh 2011-11-21 17:05:14 UTC
Comment 10 Evan Martin (Chromium) 2012-01-03 19:50:25 UTC
Since everyone else is doing it, I'll ping too. Happy new year! :)
Comment 11 Daniel Walsh 2012-01-11 22:01:49 UTC
I submitted the current Fedora policy for upstream acceptance.
Comment 12 Fedora End Of Life 2013-04-03 19:33:12 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle. Changing version to '19'. (As we did not run this process for some time, it could affect also pre-Fedora 19 development cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.) More information and reason for this action is here: https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19
Comment 13 Fedora End Of Life 2015-01-09 21:49:48 UTC
This message is a notice that Fedora 19 is now at end of life. Fedora has stopped maintaining and issuing updates for Fedora 19. It is Fedora's policy to close all bug reports from releases that are no longer maintained. Approximately 4 (four) weeks from now this bug will be closed as EOL if it remains open with a Fedora 'version' of '19'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 19 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Comment 14 Fedora End Of Life 2015-02-18 13:34:20 UTC
Fedora 19 changed to end-of-life (EOL) status on 2015-01-06. Fedora 19 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.