In selinux-policy-*.rpm I see that the SELinux policy files have special rules for /opt/google/chrome.
This means when Google releases new versions of Chrome, the policy files may be out of sync with Chromium's behavior.
It would be better if the policy files were kept upstream so that they could be released in parallel with Chrome releases.
These policy files could also be maintained for Chromium at the same time.
Upstream is receptive to patches and would be happy to either just rubber-stamp all changes you'd like to make to policy files or collaborate with you on making sure they are correct.
We are trying to control what the chrome-sandbox is allowed to do, since it is setuid. The bug that you are seeing is caused by a file/directory being created in the homedir with the wrong label on it. In F15 we did not have policycoreutils-restorecond installed by default, which would have fixed the mislabeled directory. We can add this to a comps file to make sure it gets installed in the future. In F16 we have the ability to label these files/directories correctly on creation. I have also disabled the transition from unconfined_t to chrome_sandbox_t by default. So chrome_sandbox will continue to run as unconfined_t to block this.
Confined user will still have this problem, but the fixes in F16 should mitigate it.
One thing I would like to see fixed in chrome-sandbox would be to break the executable in two. One exec to setup the sandbox environment that would require all of the capabilities, and then a second exe that would actually process the content. Then we could really lock down the chrome-sandbox process.
Where are you upstreaming the patches currently in http://git.fedorahosted.org/git/?p=selinux-policy.git ?
Does it go to the reference policy or individual upstreams?
Chromium definitely wants to host this policy.
We shouldn't have such large changes without upstream motion.
chrome policy is stored in reference policy upstream.
If you want to modify it, I would suggest you send patches there.
The problems we have seen with the chrome_sandbox policy have been related to labeling not so much the actual rules.
Do you want me to start extracting the Chrome-specific policy from http://git.fedorahosted.org/git/?p=selinux-policy.git and send patches to refpolicy?
No sorry, I thought the policy had been upstreamed. I guess you should report any problems with chrome policy to us.
Miroslav can you work to get chrome policy upstreamed.
Ok, I will send a patch to upstream.
Adam, I will add you to CC.
Since everyone else is doing it, I'll ping too. Happy new year! :)
I submitted the current Fedora policy for upstream acceptance.
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.
(As we did not run this process for some time, it could affect also pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)
More information and reason for this action is here:
This message is a notice that Fedora 19 is now at end of life. Fedora
has stopped maintaining and issuing updates for Fedora 19. It is
Fedora's policy to close all bug reports from releases that are no
longer maintained. Approximately 4 (four) weeks from now this bug will
be closed as EOL if it remains open with a Fedora 'version' of '19'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.
Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 19 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged change the 'version' to a later Fedora
version prior this bug is closed as described in the policy above.
Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.
Fedora 19 changed to end-of-life (EOL) status on 2015-01-06. Fedora 19 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.
If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
Thank you for reporting this bug and we are sorry it could not be fixed.