SELinux hacker Dan Walsh looks at creating policies for the Google Chrome browser on his weblog. His posting is a detailed look at creating SELinux policy for Chrome/Chromium, and, in particular, the Chromium sandbox. "When I write new policy now, I default to permissive domains to make sure I don't blow up the user environment. I usually wait for the next version of the OS to turn permissive domains to enforcing domains. This means I will probably leave chrome_sandbox_t as a permissive domain for all of F12 and turn it enforcing in F13. This allows me to gather lots of AVC's and not force the user to disable SELinux [or] not use chrome. And hopefully allows me to write better policy. You can use the seinfo --permissive command to list all the permissive domains on your system."