| 1 |
On 4/12/12 7:09 AM, "Paweł Hajdan, Jr." wrote: |
| 2 |
> On 4/10/12 10:10 PM, "Paweł Hajdan, Jr." wrote: |
| 3 |
>> Chromium can be compiled to be SELinux-aware, and it forks itself (and |
| 4 |
>> doesn't call exec - so that the underlying files can be updated in-place |
| 5 |
>> without disrupting running browsers; this is because Chromium has |
| 6 |
>> multi-process architecture and browser<->renderer IPC protocol changes |
| 7 |
>> between versions). |
| 8 |
> |
| 9 |
> chromium-20.x (now in the cvs tree, hard masked) has selinux USE flag. |
| 10 |
> You can compile it yourself with USE=selinux and experiment with it, if |
| 11 |
> you want. |
| 12 |
|
| 13 |
What are next steps here? Previous e-mails in this thread contain |
| 14 |
suggested policy, and now chromium version with selinux support is in |
| 15 |
tree (hard masked). |
| 16 |
|
| 17 |
On #gentoo-hardened I received comments about unconfined_t usage in the |
| 18 |
policy, but I'd really like to keep the main browser process unconfined |
| 19 |
(see also <http://danwalsh.livejournal.com/15700.html>, and I don't want |
| 20 |
to create as complicated policy for chromium like the reference mozilla |
| 21 |
policy). |
| 22 |
|
| 23 |
Should I file a bug and attach the policy there? |
Archives