by andrewflnr 2541 days ago
FWIW, SELinux is probably more widespread than you think. Fedora desktop is pretty popular, and has shipped with SELinux enabled by default for a while now. Now whether it has a usefully locked-down ruleset for the scenario at hand, I couldn't say.
1 comments

I'm just going from my personal experience here, but I think on platforms with SELinux enabled (mostly just RHEL derivatives) most people are using unconfined web browsers. SELinux is tricky because you can enable it and still have it do very little or even nothing, and this tends to be the case on desktop distributions. If you install Firefox manually to get a recent version or install Chrome at all, then you most likely don't have policy for them and they're running unconfined, and so are their files (besides the policy that all other applications are likely to share).

This wouldn't be so much of a concern if they offloaded encrypting the cookies to some kind of security service that would be sensitive and so almost certainly have strict SELinux policy around it, but at least Chrome on Linux implements the encryption itself using a flimsy hardcoded key. It's hard to blame them, because there isn't really an option to offload secret-keeping in Linux that is uniformly available and usable.
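
A way to check the situation the reply above describes, added here as an example and not written by either commenter: the script reads `ps -eZ` output and reports the SELinux type each browser process runs under, flagging `unconfined_t`. The browser name list, the sample process table and the `example_browser_t` type are constructed assumptions.

```shell
#!/bin/sh
# Report the SELinux domain of running browser processes.
# Input format is that of `ps -eZ`: LABEL PID TTY TIME CMD.

# Browser command names to match (assumption: adjust for your system; helper
# processes with other names, e.g. content processes, are not matched).
BROWSER_RE='^(firefox|firefox-bin|chrome|chromium|chromium-browser)$'

# Read `ps -eZ` lines on stdin; print "PID CMD TYPE STATUS" per browser process.
browser_domains() {
    awk -v re="$BROWSER_RE" '
        NR == 1 && $1 == "LABEL" { next }        # skip the header row
        $NF ~ re {
            # A context is user:role:type[:level]. The level can contain
            # colons itself (s0-s0:c0.c1023), so take field 3, not the last.
            n = split($1, ctx, ":")
            if (n < 3)                        { type = "-"; status = "NO_CONTEXT" }
            else if (ctx[3] == "unconfined_t") { type = ctx[3]; status = "UNCONFINED" }
            else                               { type = ctx[3]; status = "confined" }
            print $2, $NF, type, status
        }'
}

# Constructed sample of `ps -eZ` output (not captured from a real host).
sample_ps() {
cat <<'EOF'
LABEL                                                   PID TTY          TIME CMD
system_u:system_r:sshd_t:s0-s0:c0.c1023                1023 ?        00:00:00 sshd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023  2314 ?        00:01:12 firefox
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023  2790 ?        00:03:40 chrome
unconfined_u:unconfined_r:example_browser_t:s0         3051 ?        00:00:09 chromium
EOF
}

# On a live SELinux host: ps -eZ | browser_domains
sample_ps | browser_domains
```

A `NO_CONTEXT` result means `ps` printed no label for the process, which is what a host without SELinux enabled shows.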