It appears that chromium-browser/chrome is running as an unconfined process, with no SELinux?

$ dnf install chromium; type -a chromium-browser; ls -alZ "$(which chromium-browser)" "$(readlink "$(which chromium-browser)")" /etc/chromium/chromium.conf; chromium-browser & sleep 5; ps -aufxwZ | grep chromium-browser | grep unconfined

- https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/contrib/chrome.fc
- https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/contrib/chrome.te
- https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/contrib/chrome.if
- https://www.google.com/search?q=site%3Abugzilla.redhat.com+chromium+selinux-policy
- https://www.mankier.com/8/chrome_sandbox_selinux chrome_sandbox_exec_t (fc18-?)
- https://github.com/SeleniumHQ/docker-selenium/issues/631#issuecomment-351232105
- https://github.com/jessfraz/dotfiles/blob/master/etc/docker/seccomp/chrome.json (docker,) seccomp profile for chrome
- https://github.com/jessfraz/dotfiles/pull/49/files
- https://github.com/SeleniumHQ/docker-selenium/blob/trunk/NodeChrome/wrap_chrome_binary#L25 --no-sandbox
- ( https://github.com/SeleniumHQ/docker-selenium/blob/trunk/docker-compose-v3-basicauth.yml )
- https://bugs.chromium.org/p/chromium/issues/detail?id=477925 --disable-namespace-sandbox
- https://src.chromium.org/viewvc/chrome?revision=26257&view=revision (2009; first SELinux support in chrome fwics)
- https://src.chromium.org/viewvc/chrome?revision=200838&view=revision (2013; removed SELinux support per https://groups.google.com/a/chromium.org/g/chromium-dev/c/YpU7t2XaGRg/m/V9-diQZQQDwJ?pli=1 )
- https://bugs.chromium.org/p/chromium/issues/list?q=selinux%20OS=linux&can=1&sort=-modified
- https://bugs.chromium.org/p/chromium/issues/detail?id=477329#c21 : IIRC, oom_score_adj was relevant to why chrome wouldn't work with SELinux years ago; but IDK if this is still the reason?
- https://bugs.chromium.org/p/chromium/issues/detail?id=312380#c96 :
  > deploy_chrome: drop setuid bit on chrome sandbox (2018)
  >
  > We shouldn't need this anymore with CL:1112815 which disables Chrome's use of the suid sandbox for OOM adjustments.
- https://chromium.googlesource.com/chromium/src/+/main/docs/linux/sandboxing.md#selinux
- chrome://sandbox indicates which sandboxing features are enabled
- https://github.com/SELinuxProject/selinux-notebook/blob/main/src/toc.md
- https://stopdisablingselinux.com/

Am I just not understanding why chromium/chrome doesn't need to run as a labeled confined process because it has a namespace sandbox?

Reproducible: Always

Steps to Reproduce:
1. type -a chromium-browser; ls -alZ "$(which chromium-browser)" "$(readlink "$(which chromium-browser)")" /etc/chromium/chromium.conf; chromium-browser & sleep 5; ps -aufxwZ | grep chromium-browser | grep unconfined
2. System Monitor > Processes > Right Click headings > Select [Security Context]
3. Ctrl-F "chrom"
4. Security Context: Unconfined

Expected Results:
Chrome should run with special namespaces *and* SELinux process context, at least
Do I need to `chcon` after installing?
(I sent a support request to Google over 60 days ago on this)

More complete command to verify that chromium-browser is running as an unconfined process (probably with namespaces):

$ dnf install -y chromium; type -a chromium-browser; ls -alZ "$(which chromium-browser)" "$(readlink "$(which chromium-browser)")" /etc/chromium/chromium.conf; chromium-browser & sleep 5; ps -aufxwZ | grep chromium-browser | grep unconfined

Are these the current chromium docs for SELinux w/ Chromium (on Fedora, RedHat, ChromiumOS (where there's no `ls -alZ`)):
- https://chromium.googlesource.com/chromium/src/+/main/docs/linux/sandboxing.md#selinux
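A scripted form of the check the reporter runs by hand, as an added example (not from the bug report or from the selinux-policy project): it parses `ps -eZ`-style lines and lists the matching processes whose SELinux type is unconfined_t, so a browser that should have transitioned into a confined domain (e.g. the chrome_sandbox_t domain from chrome.te) stands out. The PIDs and label lines in SAMPLE are constructed, not captured from a real host.

```shell
#!/bin/sh
# find_unconfined NAME: read `ps -eZ` output on stdin (LABEL PID TTY TIME CMD)
# and print "PID CMD TYPE" for every command containing NAME whose SELinux
# type (third ':'-separated field of the label) is unconfined_t.
find_unconfined() {
  name="$1"
  awk -v name="$name" '
    NR == 1 { next }                 # skip the ps header line
    index($NF, name) {               # CMD is the last column (no args with -e)
      split($1, f, ":")              # user:role:type:level
      if (f[3] == "unconfined_t") print $2, $NF, f[3]
    }'
}

# Constructed sample of `ps -eZ` output; chrome-sandbox is shown in the
# confined chrome_sandbox_t domain, the browser itself is unconfined.
SAMPLE='LABEL                                            PID TTY      TIME CMD
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1234 ?    00:00:01 chromium-browser
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1240 ?    00:00:00 chrome
system_u:system_r:chrome_sandbox_t:s0                 1250 ?    00:00:00 chrome-sandbox
unconfined_u:unconfined_r:mozilla_t:s0-s0:c0.c1023    1300 ?    00:00:05 firefox'

# count_unconfined NAME: number of unconfined processes matching NAME in SAMPLE.
count_unconfined() {
  printf '%s\n' "$SAMPLE" | find_unconfined "$1" | wc -l | tr -d ' '
}

# On a live SELinux host, run instead:  ps -eZ | find_unconfined chrom
printf '%s\n' "$SAMPLE" | find_unconfined chrom
```

Any process printed here is running with the same domain as the user's shell, so only the browser's own namespace/seccomp sandbox applies to it; an empty result with chromium running means the policy's file context on the binary is in effect.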
Thank you Wes, we will look at it