It appears that chromium-browser/chrome is running as an unconfined process, with no SELinux?

$ dnf install chromium; type -a chromium-browser; ls -alZ "$(which chromium-browser)" "$(readlink "$(which chromium-browser)")" /etc/chromium/chromium.conf; chromium-browser & sleep 5; ps -aufxwZ | grep chromium-browser | grep unconfined

- https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/contrib/chrome.fc
- https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/contrib/chrome.te
- https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/contrib/chrome.if
- https://www.google.com/search?q=site%3Abugzilla.redhat.com+chromium+selinux-policy
- https://www.mankier.com/8/chrome_sandbox_selinux chrome_sandbox_exec_t (fc18-?)
- https://github.com/SeleniumHQ/docker-selenium/issues/631#issuecomment-351232105
- https://github.com/jessfraz/dotfiles/blob/master/etc/docker/seccomp/chrome.json (docker) seccomp profile for chrome
- https://github.com/jessfraz/dotfiles/pull/49/files
- https://github.com/SeleniumHQ/docker-selenium/blob/trunk/NodeChrome/wrap_chrome_binary#L25 --no-sandbox
- ( https://github.com/SeleniumHQ/docker-selenium/blob/trunk/docker-compose-v3-basicauth.yml )
- https://bugs.chromium.org/p/chromium/issues/detail?id=477925 --disable-namespace-sandbox
- https://src.chromium.org/viewvc/chrome?revision=26257&view=revision (2009; first SELinux support in chrome fwics)
- https://src.chromium.org/viewvc/chrome?revision=200838&view=revision (2013; removed SELinux support per https://groups.google.com/a/chromium.org/g/chromium-dev/c/YpU7t2XaGRg/m/V9-diQZQQDwJ?pli=1 )
- https://bugs.chromium.org/p/chromium/issues/list?q=selinux%20OS=linux&can=1&sort=-modified
- https://bugs.chromium.org/p/chromium/issues/detail?id=477329#c21 : IIRC, oom_score_adj was relevant to why chrome wouldn't work with selinux years ago; but IDK if this is still the reason?
- https://bugs.chromium.org/p/chromium/issues/detail?id=312380#c96 :
  > deploy_chrome: drop setuid bit on chrome sandbox (2018)
  >
  > We shouldn't need this anymore with CL:1112815 which disables Chrome's use of the suid sandbox for OOM adjustments.
- https://chromium.googlesource.com/chromium/src/+/main/docs/linux/sandboxing.md#selinux
- chrome://sandbox indicates which sandboxing features are enabled
- https://github.com/SELinuxProject/selinux-notebook/blob/main/src/toc.md
- https://stopdisablingselinux.com/

Am I just not understanding why chromium/chrome doesn't need to run as a labeled confined process because it has a namespace sandbox?

Reproducible: Always

Steps to Reproduce:
1. type -a chromium-browser; ls -alZ "$(which chromium-browser)" "$(readlink "$(which chromium-browser)")" /etc/chromium/chromium.conf; chromium-browser & sleep 5; ps -aufxwZ | grep chromium-browser | grep unconfined
2. System Monitor > Processes > Right Click headings > Select [Security Context]
3. Ctrl-F "chrom"
4. Security Context: Unconfined

Expected Results:
Chrome should run with special namespaces *and* SELinux process context, at least
Do I need to `chcon` after installing?
(I sent a support request to Google over 60 days ago on this)

More complete command to verify that chromium-browser is running as an unconfined process (probably with namespaces):

$ dnf install -y chromium; type -a chromium-browser; ls -alZ "$(which chromium-browser)" "$(readlink "$(which chromium-browser)")" /etc/chromium/chromium.conf; chromium-browser & sleep 5; ps -aufxwZ | grep chromium-browser | grep unconfined

Are these the current chromium docs for SELinux w/ Chromium (on Fedora, RedHat, ChromiumOS (where there's no `ls -alZ`))?
- https://chromium.googlesource.com/chromium/src/+/main/docs/linux/sandboxing.md#selinux
Thank you Wes, we will look at it
Wes, I am sorry it took some time, but there is some progress now.

What's the value of:

semanage boolean -l | grep unconfined_chrome_sandbox_transition

What happens if you change the type:

chcon -t chrome_sandbox_exec_t /usr/lib64/chromium-browser/chromium-browser

Notes to myself

The wrapper script ends up executing:

exec -a /usr/bin/chromium-browser /usr/lib64/chromium-browser/chromium-browser --enable-features=VaapiVideoEncoder,VaapiVideoDecodeLinuxGL --enable-plugins --enable-extensions --enable-user-scripts --enable-printing --enable-gpu-rasterization --enable-sync --auto-ssl-client-auth

# ls -dlZ "$(which chromium-browser)" "$(readlink "$(which chromium-browser)")" /usr/lib64/chromium-browser/chromium-browser
lrwxrwxrwx. 1 root root system_u:object_r:bin_t:s0 52 Oct 25 02:00 /usr/bin/chromium-browser -> ../../usr/lib64/chromium-browser/chromium-browser.sh
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 212500792 Oct 25 02:00 /usr/lib64/chromium-browser/chromium-browser
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 2521 Oct 25 02:00 ../../usr/lib64/chromium-browser/chromium-browser.sh

# ls -lZ /usr/lib64/chromium-browser
total 239720
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 1136072 Oct 25 02:00 chrome_crashpad_handler
-rwsr-xr-x. 1 root root system_u:object_r:chrome_sandbox_exec_t:s0 14992 Oct 25 02:00 chrome-sandbox
-rw-r--r--. 1 root root system_u:object_r:bin_t:s0 651485 Oct 25 02:00 chrome_100_percent.pak
-rw-r--r--. 1 root root system_u:object_r:bin_t:s0 1011330 Oct 25 02:00 chrome_200_percent.pak
-rwxr-xr-x. 1 root root system_u:object_r:chrome_sandbox_exec_t:s0 212500792 Oct 25 02:00 chromium-browser
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 2521 Oct 25 02:00 chromium-browser.sh
^^ note the difference
-rw-r--r--. 1 root root system_u:object_r:bin_t:s0 10717392 Oct 25 01:58 icudtl.dat
-rwxr-xr-x. 1 root root system_u:object_r:textrel_shlib_t:s0 59880 Oct 25 02:00 libEGL.so
-rwxr-xr-x. 1 root root system_u:object_r:textrel_shlib_t:s0 6263776 Oct 25 02:00 libGLESv2.so
-rwxr-xr-x. 1 root root system_u:object_r:textrel_shlib_t:s0 25744 Oct 25 02:00 libqt5_shim.so
-rwxr-xr-x. 1 root root system_u:object_r:textrel_shlib_t:s0 3907232 Oct 25 02:00 libvk_swiftshader.so
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 430040 Oct 25 02:00 libvulkan.so.1
drwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 706 Nov 9 10:58 locales
-rw-r--r--. 1 root root system_u:object_r:bin_t:s0 8093748 Oct 25 02:00 resources.pak
-rw-r--r--. 1 root root system_u:object_r:bin_t:s0 107 Oct 25 02:00 vk_swiftshader_icd.json
-rw-r--r--. 1 root root system_u:object_r:bin_t:s0 626313 Oct 25 02:00 v8_context_snapshot.bin
The chcon command makes the browser run in chrome_sandbox_t, but the domain requires more permissions so it does not feel like the proper usage. Checking further.
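A reusable version of the check discussed in the report above and in the maintainer's listing, added here as an example and not taken from the bug thread, the Fedora selinux-policy project or Chromium. The reporter's `ps -aufxwZ | grep chromium-browser | grep unconfined` also matches the grep process itself and any command line that merely contains those words; this script parses the structured output of `ps -eo label,pid,comm` instead and reports each Chromium-related process whose SELinux domain is an unconfined domain, and it extracts file types from `ls -Z` lines the same way. Function names are hypothetical, and the sample ps output embedded below is constructed for illustration, not captured from a real host.

```shell
#!/bin/sh
# Added example (not the thread's or any project's own code). Parses
# `ps -eo label,pid,comm` and `ls -Z` output to report SELinux labels of
# Chromium processes and files. Function names are hypothetical.

# Return the SELinux type (third field) of a context such as
# unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 -> unconfined_t
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read "label pid comm" lines on stdin (the layout of `ps -eo label,pid,comm`;
# comm is truncated by ps to 15 characters) and print "pid comm type" for
# every Chromium-related process whose type is an unconfined domain.
unconfined_chromium() {
    while read -r label pid comm; do
        case "$comm" in
            chrom*|chrome*) ;;   # chromium-browse, chrome-sandbox, chrome_crashpad
            *) continue ;;
        esac
        t=$(selinux_type "$label")
        case "$t" in
            unconfined_t|unconfined_service_t)
                printf '%s %s %s\n' "$pid" "$comm" "$t" ;;
        esac
    done
}

# Print the number of unconfined Chromium processes found in the stdin listing.
count_unconfined_chromium() {
    unconfined_chromium | awk 'END { print NR }'
}

# Read "label path" lines on stdin (the layout of `ls -dZ path...`) and print
# "type path", so the exec type of the browser binary and the setuid
# chrome-sandbox helper can be compared at a glance.
report_file_types() {
    while read -r label path; do
        printf '%s %s\n' "$(selinux_type "$label")" "$path"
    done
}

# Constructed sample in `ps -eo label,pid,comm` layout (not real output):
# the browser and the crashpad handler run in unconfined_t, the sandbox
# helper has transitioned to chrome_sandbox_t, and two unrelated processes
# are present to show they are ignored.
SAMPLE_PS='unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4321 chromium-browse
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4330 chrome_crashpad
unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 4335 chrome-sandbox
system_u:system_r:kernel_t:s0 2 kthreadd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 900 bash'

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_PS" | unconfined_chromium

# With --live on a Fedora host with SELinux enabled, run the real checks:
# process domains, the file types the maintainer compared above, and the
# boolean the maintainer asked about. Paths are those from the thread.
if [ "${1:-}" = "--live" ]; then
    ps -eo label,pid,comm | unconfined_chromium
    ls -dZ /usr/lib64/chromium-browser/chromium-browser \
           /usr/lib64/chromium-browser/chrome-sandbox | report_file_types
    getsebool unconfined_chrome_sandbox_transition
fi
```

Run it with no arguments to see the classification of the constructed sample, or with `--live` on the affected host; a browser process listed with type unconfined_t is exactly the symptom the report describes, while the helper's chrome_sandbox_exec_t file type and the boolean's value are the two inputs the maintainer asked for.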
Fedora Linux 38 entered end-of-life (EOL) status on 2024-05-21. Fedora Linux 38 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora Linux please feel free to reopen this bug against that version. Note that the version field may be hidden. Click the "Show advanced fields" button if you do not see the version field. If you are unable to reopen this bug, please file a new report against an active release. Thank you for reporting this bug and we are sorry it could not be fixed.
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days