Archives
Archives
| From: | "Paweł Hajdan |
|---|---|
| To: | gentoo-hardened@l.g.o |
| Subject: | [gentoo-hardened] www-client/chromium SELinux sandbox |
| Date: | Tue, 10 Apr 2012 12:02:29 |
| Message-Id: | 4F841568.5000307@gentoo.org |
| 1 | I'm experimenting with Chromium SELinux sandbox |
| 2 | (<http://code.google.com/p/chromium/wiki/LinuxSandboxing>) and came up |
| 3 | with a working policy module (attached). |
| 4 | |
| 5 | Note that for that to be effective one has to compile chromium with |
| 6 | -Dselinux=1 gyp flag, and I've not yet committed such change to CVS |
| 7 | (waiting for 20.x dev channel release, so that it has a lot of testing |
| 8 | before unmasking). |
| 9 | |
| 10 | How does the attached policy look to you? (I'm SELinux newbie, although |
| 11 | I probably know Chromium pretty well as its developer and packager) |
| 12 | |
| 13 | You can also compare that with policy module written for Chromium by |
| 14 | another Chromium developer in 2010: |
| 15 | <http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/linux/selinux/chromium-browser.te?view=markup> |
| 16 | |
| 17 | What are the next steps to add this policy to Gentoo? |
| File name | MIME type |
|---|---|
| chromium-browser.te | text/plain |
| signature.asc | application/pgp-signature |
| Subject | Author |
|---|---|
| Re: [gentoo-hardened] www-client/chromium SELinux sandbox | Sven Vermeulen <swift@g.o> |