Re: [PATCH] s/mozilla/webbrowser/g

On Sat, Jan 12, 2019 at 9:05 PM Chris PeBenito <pebenito@xxxxxxxx> wrote:
>
> On 1/12/19 2:33 AM, Jason Zaman wrote:
> > On Sat, Jan 12, 2019 at 04:19:09PM +1100, Russell Coker wrote:
> >> This patch as requested renames mozilla to webbrowser and adds appropriate
> >> typealias rules.
> >
> > Hm. The mozilla and chrome policies are pretty different tho. I don't
> > like this merging thing, I think we should keep mozilla_t and chromium_t
> > separate. I'm fixing up the gentoo chromium policy and I'll send it in a
> > couple hrs.
>
> The chromium policy Jason posted is indeed slimmer than the current
> mozilla policy (see Jason's thread), which would seem to indicate
> keeping them separate.  However, the mozilla policy is so big because
> it's been around for a long time and has built up all of the various
> odds and ends that a browser brings in, which could possibly be missing
> from the chromium policy.
>
> I am on the fence.  I could see going either way.

Even though Mozilla browsers and Chrome/Chromium are both web browsers
with JavaScript engines, plugins, etc., they have strong differences.
If I remember correctly:
- Chromium uses a sandbox (which is labelled differently), contrary to Firefox;
- Chromium can interact with Multicast DNS (it listens on UDP port
5353 on my system, I guess for features like Chromecast) and I do not
know whether Firefox or Epiphany can do something similar, and I do not
expect them to.

Moreover, some developers package apps with Electron, which uses a
runtime based on Chromium (according to
https://electronjs.org/docs/tutorial/about). Having a separate
chromium policy might help in creating a policy for such an app, though I
am not sure about this.

About the fact that the mozilla policy has been around for a long time,
contrary to this new chromium policy: if it is an issue, it should be
possible to compare Gentoo's policy with Fedora's one: it has a chrome
module in contrib/ that has been around for at least 6 years according
to https://github.com/fedora-selinux/selinux-policy-contrib/commits/rawhide?path%5B%5D=chrome.te.

All of this remains my humble opinion on this subject and I am sharing
it in order to help in making a choice. I will of course understand if
the choice of merging everything into a single web-browser module is
being made (for example to ease the maintenance of the policy or to
avoid introducing many types in the policy).

Cheers,
Nicolas



