Bug 710273

Summary: Contribute SELinux policy files for Google Chrome / Chromium upstream
Product: [Fedora] Fedora Reporter: Evan Martin (Chromium) <evan>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED EOL QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 19CC: adam, dominick.grift, dwalsh, mgrepl, Per.t.Sjoholm, rgs
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-02-18 13:34:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Evan Martin (Chromium) 2011-06-02 21:21:06 UTC
In selinux-policy-*.rpm I see that the SELinux policy files have special rules for /opt/google/chrome.

This means when Google releases new versions of Chrome, the policy files may be out of sync with Chromium's behavior.

It would be better if the policy files were kept upstream so that they could be released in parallel with Chrome releases.

These policy files could also be maintained for Chromium at the same time.

Upstream is receptive to patches and would be happy to either just rubber-stamp all changes you'd like to make to policy files or collaborate with you on making sure they are correct.

Comment 1 Daniel Walsh 2011-06-06 17:56:54 UTC
We are trying to control what the chrome-sandbox is allowed to do, since it is setuid.  The bug that you are seeing is caused by a file/directory being created in the homedir with the wrong label on it.  In F15 we did not have policycoreutils-restorecond installed by default, which would have fixed the mislabeled directory.  We can add this to a comps file to make sure it gets installed in the future.  In F16 we have the ability to label these files/directories correctly on creation.   I have also disabled the transition from unconfined_t to chrome_sandbox_t by default.  So chrome_sandbox will continue to run as unconfined_t to block this.

Confined user will still have this problem, but the fixes in F16 should mitigate it.

One thing I would like to see fixed in chrome-sandbox would be to break the executable in two.  One exec to setup the sandbox environment that would require all of the capabilities, and then a second exe that would actually process the content.  Then we could really lock down the chrome-sandbox process.

Comment 2 Adam Goode 2011-06-07 12:24:23 UTC
Where are you upstreaming the patches currently in http://git.fedorahosted.org/git/?p=selinux-policy.git ?

Does it go to the reference policy or individual upstreams?

Chromium definitely wants to host this policy.

We shouldn't have such large changes without upstream motion.

Comment 3 Adam Goode 2011-06-14 12:43:00 UTC

Comment 4 Daniel Walsh 2011-06-14 15:30:04 UTC
chrome policy is stored in reference policy upstream.

If you want to modify it, I would suggest you send patches there.

Comment 5 Daniel Walsh 2011-06-14 15:31:11 UTC

The problems we have seen with the chrome_sandbox policy have been related to labeling not so much the actual rules.

Comment 6 Adam Goode 2011-06-15 02:12:14 UTC
Do you want me to start extracting the Chrome-specific policy from http://git.fedorahosted.org/git/?p=selinux-policy.git and send patches to refpolicy?

Comment 7 Daniel Walsh 2011-06-15 12:24:42 UTC
No sorry, I thought the policy had been upstreamed.  I guess you should report any problems with chrome policy to us.

Miroslav can you work to get chrome policy upstreamed.

Comment 8 Miroslav Grepl 2011-06-15 12:47:06 UTC
Ok, I will send a patch to upstream. 

Adam, I will add you to CC.

Comment 9 Daniel Walsh 2011-11-21 17:05:14 UTC

Comment 10 Evan Martin (Chromium) 2012-01-03 19:50:25 UTC
Since everyone else is doing it, I'll ping too.  Happy new year!  :)

Comment 11 Daniel Walsh 2012-01-11 22:01:49 UTC
I submitted the current Fedora policy for upstream acceptance.

Comment 12 Fedora End Of Life 2013-04-03 19:33:12 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.

(As we did not run this process for some time, it could affect also pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)

More information and reason for this action is here:

Comment 13 Fedora End Of Life 2015-01-09 21:49:48 UTC
This message is a notice that Fedora 19 is now at end of life. Fedora 
has stopped maintaining and issuing updates for Fedora 19. It is 
Fedora's policy to close all bug reports from releases that are no 
longer maintained. Approximately 4 (four) weeks from now this bug will
be closed as EOL if it remains open with a Fedora 'version' of '19'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 19 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 14 Fedora End Of Life 2015-02-18 13:34:20 UTC
Fedora 19 changed to end-of-life (EOL) status on 2015-01-06. Fedora 19 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this

Thank you for reporting this bug and we are sorry it could not be fixed.