Created attachment 309509
I'm submitting my draft of SELinux policy for www-client/chromium (.te and .fc files).
Created attachment 309511
Created attachment 311157
Updated chromium-browser.te, now uses more interfaces. Requires >=selinux-base-policy-2.20120215-r7
Created attachment 311175
Updated chromium-browser.te to tighten the tmp files policy.
Created attachment 311757
Now confines chromium_t.
Created attachment 311759
Can this bug either be fixed, or chromium modified? Otherwise it is impossible to use chromium in conjunction with SELinux.
Well, the domain_dyntrans_type is still a thorn in the side, and there is a domain_auto_trans that shouldn't be there (if you want unconfined to call chromium_exec_t, there should be a chromium_run() interface for unconfined roles).
It might be good to push the policies to the refpolicy mailing list as well for a good review. We're trying to stick close to it (and also backport the changes made there), and since this one contains quite a few "weird" things I'm not certain it is fine to just load it in.
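To make the refpolicy convention referred to in the comment above concrete, here is an added illustrative sketch. It is not the attached policy, not refpolicy's actual chromium module, and not the reviewer's code: it shows the difference between a module that calls domain_auto_trans() for unconfined_t itself and a module that exposes chromium_domtrans()/chromium_run() interfaces in its .if file so the calling domain's module opts in. chromium_t and chromium_exec_t are the types named in this bug; every other name and the interface bodies are assumptions written in the usual refpolicy style.

```m4
## chromium.if  (illustrative sketch, not the attachment on this bug)

########################################
## <summary>
##	Execute chromium in the chromium domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`chromium_domtrans',`
	gen_require(`
		type chromium_t, chromium_exec_t;
	')

	# Same rules a direct domain_auto_trans($1, chromium_exec_t, chromium_t)
	# would generate, but granted only to the caller that asks for it.
	domtrans_pattern($1, chromium_exec_t, chromium_t)
')

########################################
## <summary>
##	Execute chromium in the chromium domain and allow the
##	specified role the chromium domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
interface(`chromium_run',`
	gen_require(`
		type chromium_t;
	')

	chromium_domtrans($1)
	role $2 types chromium_t;
')

## --- What goes in chromium.te: only the domain's own rules, e.g.
##     type chromium_t; type chromium_exec_t;
##     application_domain(chromium_t, chromium_exec_t)
##     and NOT
##     domain_auto_trans(unconfined_t, chromium_exec_t, chromium_t)
##     (assumed contents; the real chromium.te is the attachment above)

## --- What goes in the caller's module instead (assumed placement,
##     e.g. unconfined.te), so the dependency points the right way:
##
## optional_policy(`
## 	chromium_run(unconfined_t, unconfined_r)
## ')
```

The point of the split is ownership of the rule: with domain_auto_trans() inside chromium.te, the chromium module reaches into unconfined_t and the policy fails to build wherever unconfined is not present, whereas chromium_run() lets each user or unconfined module decide whether its role may enter chromium_t. On the separate domain_dyntrans_type point: that interface grants the process:dyntransition permission, i.e. it lets a process change its own domain with setcon() without an exec, which is why reviewers treat it as something to justify rather than include by default.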
Will be part of rev 16
Is in 2.20120725-r1, now in the hardened-dev overlay
(In reply to comment #7)
> It might be good to push the policies to refpolicy mailinglist as well for a
> good review. We're trying to stick close to it (and also backport the
> changes made there) and since this one contains quite a few "weird" things
> I'm not certain it is fine to just load it in.
Agreed, it's a good idea. If you want me to do that, please let me know.
By the way, I noticed some people are using SELinux+chromium here (e.g. pauldv). Please also send feedback to me, even if it's just "just works" or "broken" (more details are welcome, but sometimes people are short on time).
Thanks Sven for your work on this bug!
In main tree, ~arch'ed (rev 5)