On 01/07/2016 04:57 PM, Michael Catanzaro wrote:
On Thu, 2016-01-07 at 15:57 -0500, Daniel J Walsh wrote:
The only confinement for firefox/chrome right now is around their plugins. If epiphany uses separate processes to try to sandbox them, we could wrap it with SELinux.
Yes, we have /usr/libexec/webkit2gtk-4.0/WebKitPluginProcess and /usr/libexec/webkit2gtk-4.0/WebKitPluginProcess2 (alternative version, linked to GTK+ 2 to make Flash work).
Maybe the same policy you use for Chrome and Firefox would apply well to WebKit?
Michael
Yes, it probably would with a few minor tweaks. Open a bugzilla on SELinux policy to handle it.
Currently we have different policies for chrome and firefox, but we really should consolidate them into a single webplugin.te file.