Brave sandbox in Secureblue

I use Secureblue and have 1 hour per day, free. I searched for information about SELinux with the goal of confining the Brave browser to keep user namespaces for users without privileges and gave up after several days of the difficulty of learning while maintaining the routine of my adult life.

I know the problems the browser faced in its history, including the CEO, VPN on Windows, affiliate identifier (…). The CEO of Brave created JavaScript - and we all use it.

Why use the Brave browser, if there is the Trivalent?
My case:
Brave has E2E synchronization of favorites, CNAME uncloaking, Unlinkable Bouncing, Forgetful Browsing and Request Off the Record (OTR) (Request “Off the Record” | Brave), and the permission system.

It contains a built-in Tor network, which is useful for sensitive searches: migration, etc. As with Tor Browser, it is free, accessible to anyone, easy to use, and does not contain Gecko security issues, as well as having the ad blocker built in.

It provides a balance between the anonymity provided by Tor Browser and the security offered by Chromium-based browsers, creating a middle ground that is: privacy (not anonymity) combined with security.

The mentioned features, especially OTR, in addition to others, go beyond making browsing private or secure; they create awareness about cyber threats: a) adblock, ads, b) OTR, offline security, c) time-limited permissions, which limit the danger of ads and websites with malicious behavior, etc.

Especially about b), I deal with real victims, including transsexual people and others, who were saved by this functionality, and c) avoided social engineering escalated over time.

OTR helped me in my daily life to get in touch with and/or help victims, in addition to it having been easy to convince abusers to allow the installation of Brave, and the time-limited permission system proved useful in avoiding leaving traces of contact that remain through carelessness caused by psychological pressure.

The benefits of these features outweigh, in my life, bugs that occurred in the browser’s history (any software is prone to bugs) or the CEO’s personal beliefs.

For these reasons Brave is indispensable for my model of threats and people I read, until another browser with similar features emerges.

In short: awareness is also security; privacy is also offline and cyber security.

“Oh, you’re a Brave fan!” - I love simple solutions with real impact.

I am a fan of what my 80-year-old mother and any user with minimal technical skill is able to use and that brings the greatest benefits to her.

In addition, the company understands that maintaining safe development takes money, and I recognize that the way it seeks this is the most appropriate within the context in which we live.

I’m saying all this to avoid the topic deviating into recommendations to use Firefox, which happens all too often, sorry.

So my question is:

Has anyone here created a SELinux policy and would like to share? Whether using Secureblue or another project/distribution that uses SELinux.
“Go learn, it’s better for you!” - I’ve tried and have come to the conclusion that it’s easier to learn by analyzing and comparing with existing material than by trying to go straight to the source, with the free time I have.

I also use Bubblejail and this is my current configuration; I accept opinions on best practices/configurations:

[common]
# Command line to run inside the sandbox: the binary followed by its arguments
executable_name = [
"/usr/bin/brave-browser-stable",
"--disable-webgl",
]

[wayland]

[network]

[home_share]
# Only this directory of the home is made visible to the browser
home_paths = [
"Downloads",
]

[direct_rendering]

[pipewire]

[mpris]
player_name = "org.mpris.MediaPlayer2.brave.*"

[xdg_desktop_portal]
open_uri = false
trash = false

Looking at the Brave Flatpak, it seems it needs some file contained in /etc/brave/policies, but I am not confident about granting this permission because I don’t know how to add restricted root paths using Bubblejail. Does anyone have any idea what to do?

I accept advice involving:

  • How to properly confine Brave using SELinux.
  • SELinux free access teaching materials for non-technical users.
  • Discussions about the use of Bubblejail in any language - its README is incomplete and I found discussions on Reddit where the author has no interest in, for example, showing where the settings are located, and the GUI is still incomplete. I managed to find the location of the settings, but my knowledge about the program is small.
    (I’ve used Arch’s website and more)

While I prefer SELinux, I will ultimately use Bubblejail, and in a more extreme case, the Flatpak Brave for known sites and Trivalent for unknown ones.

I followed all the discussions on the forum on Chromium/Brave/browsers and Flatpaks, as well as discussions on Reddit and the recommendations of the Brave website itself.

I love Firefox, but it doesn’t serve me and doesn’t fit my family, in its current state, to more securely browse random sites.

I appreciate your help.

While this is my way, I will seek recommendations for others.
I pray that the Chromium derivative sandbox problem in Flatpak will be solved sometime.

Question: Why not ask this in some security forum or in Secureblue discussions?
Answer: Discord is not opening in Secureblue with VPN, and Brave offers more privacy than security, which is the focus of Trivalent, and this forum is more accessible to me. Also, I think there’s a better chance that someone here has done something about using Brave on Secureblue.

A note on attack surface:

The absence of resources can lead to the addition of more programs or habits, which ultimately leads to increased attack surface and the danger of negligence.

We are human and getting confused through lack of attention is common. Remember that even DuckDuckGo has already shown a fake Proton ad/site and Google showed a fake Bitwarden ad. Although the aggressive shields in Brave and the complete mode of uBlock Origin can increase the attack surface, they also prevent ordinary people from facing this type of problem, since they trust these companies to provide information about real websites.

Outside the topic, to discuss in other topics:
It can be valuable for the community to investigate the impacts of privacy tools and resources on the lives of vulnerable people, families and communities, in extreme poverty, domestic violence, gender violence, etc. Interesting situations and stories may arise.

Text translated by machine.
Interpret it with the best intention and let me know if something becomes obscure or seems offensive.

2 Likes

I could be very off here, but since you are on a Fedora distro variant, when you install Brave SELinux is already in enforcing mode and it gives you full SELinux enforcement out of the box. No extra steps are needed for basic security.

To check the status, run:

sestatus

You’ll see:

SELinux status: enabled
Current mode: enforcing

Brave runs with full SELinux mandatory access control from the moment you install it. Brave runs in unconfined_t with full SELinux MAC; user namespaces are allowed for unprivileged users.

About Bubblejail I can’t help much, personally I’ve decided to use Firejail instead because it already has several profiles created and for my case it has good integration with Apparmor.

There is some more info in a community wiki post here

Thank you for your answer Cyber-Typhoon!

It is enabled!

I ask if there is a way to enable user namespaces for unprivileged users only for Brave, Trivalent and Flatpak in Secureblue while disabling them globally, and to apply a SELinux policy more suited to the browsing context, because it seems that SELinux’s basic security is insufficient for standard protection on the Linux desktop?

It is a solution for those who understand the subject and create custom policies for their applications, or something designed for servers and enthusiasts.

The feeling I have, after reading about the basic security of SELinux in Fedora, as well as the Linux kernel in general, is that basic security is too imperfect to protect the system/user, and that for this reason tools such as AppArmor, Firejail, SELinux, Flatpaks and the like are so important in the different distributions/companies that provide Linux-based operating systems.

I may be wrong, so I am sorry for any mistake.

It was this thought that motivated me to seek advice, the web browser being so critical, while Flatpak is not a safe option for Chromium-based browsers and allowing namespaces for unprivileged users is a huge (perhaps the largest?) attack vector.

For now I remain on Secureblue, but your information about the existence of ready-made Firejail profiles, well integrated with AppArmor, was very useful, thank you!


Thank you for your answer any1!

I am still in the process of understanding the guide.

Tiredness has blinded me completely! I will seek to understand the question of limiting the namespaces; perhaps it can interfere with the native sandbox? I don’t know, it’s an assumption, based on what he says.

Thank you for sending the guide!

unconfined services executed by unconfined Linux users end up running in the unconfined_t domain. For unconfined processes, SELinux policy rules are applied, but policy rules exist that allow processes running in unconfined domains almost all access. Processes running in unconfined domains fall back to using DAC rules exclusively. If an unconfined process is compromised, SELinux does not prevent an attacker from gaining access to system resources and data, but of course, DAC rules are still used.

So, not even “basic” MAC security is being applied to Brave since it is unconfined. Just having SELinux in enforcing mode means nothing for processes and users who run under a default unconfined type (most user space apps currently).

1 Like
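The distinction drawn in the answer above (enforcing mode alone says nothing about a process that runs in an unconfined domain) can be checked per process rather than per system. The script below is an added example, not code from the thread or from Secureblue: it reads lines in the shape produced by `ps -eo label,pid,comm`, extracts the SELinux type from each context and flags the domains that Fedora's policy treats as unconfined. The sample lines are constructed for offline use, and the domain name `flatpakfull_t` is an assumption derived from the name of the Secureblue policy directory mentioned later in the thread, not a type verified against that policy.

```sh
#!/bin/sh
# Added example: classify running processes by SELinux domain, so that
# "SELinux status: enabled / Current mode: enforcing" is not mistaken for
# confinement of a particular program such as the browser.
#
# On a live system, feed it the real process table instead of the sample:
#   report_process_domains "$(ps -eo label,pid,comm --no-headers)"
#
# Constructed sample in the same column order (label pid comm).
# flatpakfull_t is an assumed type name, not taken from a real policy.
SAMPLE_PS_OUTPUT='unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4242 brave
system_u:system_r:flatpakfull_t:s0 4300 brave
system_u:system_r:sshd_t:s0-s0:c0.c1023 812 sshd
system_u:system_r:unconfined_service_t:s0 900 some-service'

# The type (domain) is the third colon-separated field of a context:
# user:role:type:range
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Domains whose policy rules grant almost everything, leaving only DAC in
# effect. Matching on the type name is a heuristic; the authoritative answer
# comes from querying the loaded policy (for example with setools' sesearch).
is_unconfined_type() {
    case "$1" in
        unconfined_t|unconfined_service_t) return 0 ;;
        *) return 1 ;;
    esac
}

# Count processes in the input that run in an unconfined domain.
# The here-document keeps the loop in the current shell, so the counter
# survives (a pipe into "while read" would run it in a subshell).
count_unconfined() {
    n=0
    while read -r label pid comm; do
        [ -n "$label" ] || continue
        if is_unconfined_type "$(context_type "$label")"; then
            n=$((n + 1))
        fi
    done <<EOF
$1
EOF
    echo "$n"
}

# Print one line per process: pid, command, and whether MAC applies to it.
report_process_domains() {
    while read -r label pid comm; do
        [ -n "$label" ] || continue
        type=$(context_type "$label")
        if is_unconfined_type "$type"; then
            status="UNCONFINED (DAC rules only)"
        else
            status="confined by $type"
        fi
        printf '%-6s %-12s %s\n' "$pid" "$comm" "$status"
    done <<EOF
$1
EOF
}

report_process_domains "$SAMPLE_PS_OUTPUT"
```

For the sample above, the first `brave` line is reported as unconfined and the second as confined by `flatpakfull_t`; only the second kind of result means a type enforcement rule set is actually standing between the browser and the rest of the system.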

Don’t waste your time on writing good SELinux modules if you only have one hour per day left. SELinux is difficult to learn, with a lot of abstractions, and Fedora’s policy is not well suited for confining desktop applications.

You can take a look at Secureblue’s Flatpak policy secureblue/files/scripts/selinux/flatpakfull at live · secureblue/secureblue · GitHub as an example of how to make a program run quasi-unconfined and without Secureblue’s user namespace restrictions. The important part is secureblue/files/scripts/selinux/flatpakfull/flatpakfull.te at d69724fe37673925fe09f944fd2a5d75bf83156a · secureblue/secureblue · GitHub . It is the easiest way to let a program use user namespaces without disabling the namespace restrictions globally.

If you nevertheless want a more tailored policy, take a look at secureblue/files/scripts/selinux/trivalent at live · secureblue/secureblue · GitHub as a starting point and adapt it to Brave.

2 Likes