On 4/12/12 7:09 AM, "Paweł Hajdan, Jr." wrote:
> On 4/10/12 10:10 PM, "Paweł Hajdan, Jr." wrote:
>> Chromium can be compiled to be SELinux-aware, and it forks itself (and
>> doesn't call exec - so that the underlying files can be updated in-place
>> without disrupting running browsers; this is because Chromium has a
>> multi-process architecture and the browser<->renderer IPC protocol changes
>> between versions).
>
> chromium-20.x (now in the cvs tree, hard masked) has a selinux USE flag.
> You can compile it yourself with USE=selinux and experiment with it, if
> you want.

What are the next steps here? Previous e-mails in this thread contain a
suggested policy, and now a chromium version with selinux support is in
the tree (hard masked).

On #gentoo-hardened I received comments about unconfined_t usage in the
policy, but I'd really like to keep the main browser process unconfined
(see also <http://danwalsh.livejournal.com/15700.html>, and I don't want
to create as complicated a policy for chromium as the reference mozilla
policy).

Should I file a bug and attach the policy there?
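The fork-without-exec design quoted above is exactly why the browser needs to be built SELinux-aware: an automatic domain transition in SELinux is a type_transition rule that fires on exec, and a child that is only forked stays in its parent's domain unless it asks the kernel for a new one itself. The example below (added here for illustration; it is not Chromium's zygote code and not the policy from this thread) shows that pattern: the parent forks a worker, the worker requests a confined domain by writing to /proc/self/attr/current (the same thing libselinux's setcon(3) does, written out so the program builds without libselinux), and reports the outcome back over a pipe. The domain name chromium_renderer_t is a hypothetical placeholder. For the transition to succeed, the policy has to grant the source domain `process { dyntransition }` to the target type and `process { setcurrent }` on itself, and the kernel refuses the change in a multi-threaded process (unless the types are related by typebounds), so the call has to happen right after fork(), before any threads exist.

```c
// Added example: fork-without-exec worker that moves itself into a confined
// SELinux domain. Not Chromium code; chromium_renderer_t is a hypothetical
// type name standing in for whatever the proposed policy defines.
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical target domain for the worker (assumption, see lead-in). */
static const char *kRendererContext = "system_u:system_r:chromium_renderer_t:s0";

enum {
    TRANSITION_OK = 0,       /* worker now runs in the requested domain */
    SELINUX_UNAVAILABLE = 1, /* /proc/self/attr/current cannot be opened here */
    TRANSITION_DENIED = 2,   /* kernel refused the write (see transition_to) */
};

/* Reject obviously malformed labels before handing them to the kernel:
 * at least "user:role:type:level", no empty fields, no newline. */
int context_looks_valid(const char *ctx) {
    if (ctx == NULL || *ctx == '\0' || *ctx == ':' || strchr(ctx, '\n') != NULL)
        return 0;
    int fields = 1;
    for (const char *p = ctx; *p; p++) {
        if (*p == ':') {
            if (p[1] == ':' || p[1] == '\0') return 0; /* empty field */
            fields++;
        }
    }
    return fields >= 4; /* MLS ranges like s0-s0:c0.c1023 add more fields */
}

/* Dynamic domain transition of the calling process, equivalent to setcon(3).
 * Must run in a single-threaded process. */
static int transition_to(const char *ctx) {
    if (!context_looks_valid(ctx)) return TRANSITION_DENIED;
    int fd = open("/proc/self/attr/current", O_WRONLY | O_CLOEXEC);
    if (fd < 0) return SELINUX_UNAVAILABLE;
    ssize_t len = (ssize_t)strlen(ctx);
    ssize_t n = write(fd, ctx, (size_t)len);
    int err = errno;
    close(fd);
    if (n == len) return TRANSITION_OK;
    /* EACCES/EPERM: policy lacks dyntransition/setcurrent or the process has
     * threads. EINVAL: type unknown to the loaded policy, or another LSM owns
     * the attribute. Either way the worker must not continue as if confined. */
    fprintf(stderr, "transition to %s failed: %s\n", ctx, strerror(err));
    return TRANSITION_DENIED;
}

/* Fork a worker (no exec), let it transition, and return the code it reports
 * (one of the enum values above, or -1 on a fork/pipe failure). */
int spawn_confined_worker(const char *ctx) {
    int fds[2];
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {
        close(fds[0]);
        /* First thing after fork, before any thread is created. */
        unsigned char code = (unsigned char)transition_to(ctx);
        if (write(fds[1], &code, 1) != 1) _exit(127);
        /* A real worker would only start handling untrusted input here,
         * and only if code == TRANSITION_OK. */
        _exit(0);
    }
    close(fds[1]);
    unsigned char code = 0;
    ssize_t n = read(fds[0], &code, 1);
    close(fds[0]);
    int status;
    waitpid(pid, &status, 0);
    return (n == 1) ? (int)code : -1;
}

int main(void) {
    static const char *names[] = { "transitioned", "selinux unavailable", "denied" };
    int r = spawn_confined_worker(kRendererContext);
    printf("worker: %s\n", (r >= 0 && r <= 2) ? names[r] : "spawn failed");
    return 0;
}
```

On a host without SELinux the worker reports "selinux unavailable"; on an SELinux host whose policy does not yet define the type or the dyntransition rule it reports "denied", which is the signal that the policy attached to this thread is what has to change, not the program. A worker that ignores that result and proceeds to parse untrusted content is running in the browser's domain, which with an unconfined browser process means no confinement at all.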