On 01/07/2016 04:57 PM, Michael Catanzaro wrote:
> On Thu, 2016-01-07 at 15:57 -0500, Daniel J Walsh wrote:
>> The only confinement for firefox/chrome right now is around their
>> plugins. If epiphany uses separate processes
>> to try to sandbox them, we could wrap it with SELinux.
> Yes, we have /usr/libexec/webkit2gtk-4.0/WebKitPluginProcess and
> /usr/libexec/webkit2gtk-4.0/WebKitPluginProcess2 (alternative version,
> linked to GTK+ 2 to make Flash work).
>
> Maybe the same policy you use for Chrome and Firefox would apply well
> to WebKit?
>
> Michael
> --
> desktop mailing list
> desktop@xxxxxxxxxxxxxxxxxxxxxxx
> http://lists.fedoraproject.org/admin/lists/desktop@xxxxxxxxxxxxxxxxxxxxxxx

Yes it probably would with a few minor tweaks. Open a bugzilla on SELinux policy to handle it. Currently we have different policies for chrome and firefox, but we really should consolidate them into a single webplugin.te file.