October 9th, 2009

Google Chrome Policy

I received my first bugzilla on the chromium-browser from Google the other day for Fedora 12.

I figured it was time to bite the bullet and try it out. While it works pretty well, there are several SELinux issues.
First it needs execmem. Execmem means that the application wants to be able to write memory and execute the same memory it wrote. This is a signature required for buffer overflow attacks. But developers also use it for things like Just In Time compilation.

Not great, but I will label it execmem_exec_t and it runs.
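To make the execmem requirement concrete, here is an added example (not part of the original post and not Chromium code): a small C probe that requests the two memory patterns a JIT relies on and reports whether the kernel grants them to the current process. The function names are illustrative, and the page is never executed.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1 /* exposes MAP_ANONYMOUS under strict -std= modes */
#endif
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Request one anonymous page that is writable and executable at the same
 * time. Returns 0 if granted, otherwise the errno reported by mmap(). */
int probe_wx_mmap(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    munmap(p, len);
    return 0;
}

/* JIT-style sequence: map a writable page, fill it, then flip it to
 * executable. Returns 0 if mprotect() succeeded, otherwise its errno. */
int probe_write_then_exec(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    memset(p, 0, len); /* stand-in for generated code; never run */
    int rc = (mprotect(p, len, PROT_READ | PROT_EXEC) == 0) ? 0 : errno;
    munmap(p, len);
    return rc;
}

static const char *verdict(int rc)
{
    return rc == 0 ? "allowed" : strerror(rc);
}

int main(void)
{
    printf("mmap W+X in one call : %s\n", verdict(probe_wx_mmap()));
    printf("write, then mprotect : %s\n", verdict(probe_write_then_exec()));
    return 0;
}
```

In an enforcing SELinux domain that lacks execmem, a refused request comes back as EACCES ("Permission denied") and is logged as an AVC denial.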

My machine has my login account set up as a confined user, staff_t. When I execute chromium-browser, I notice chromium execs chromium-sandbox, which generates a ton of AVC messages.

In order to get this to work with staff_t in enforcing mode, I have to write policy for the chromium-sandbox.

chromium-sandbox Policy

I started writing a long blog last week on writing policy on Google Chromium Browser. Saved it for my eyes only. I finished writing it today and changed the date. I then made it public, but for some reason the planets/aggregators marked it as being written on Oct 2.

You might have missed it.

Here is the link, if you are interested