On 01/07/2016 04:57 PM, Michael Catanzaro wrote:
On Thu, 2016-01-07 at 15:57 -0500, Daniel J Walsh wrote:
> The only confinement for firefox/chrome right now is around their
> plugins. If epiphany uses separate processes
> to try to sandbox them, we could wrap it with SELinux.
Yes, we have /usr/libexec/webkit2gtk-4.0/WebKitPluginProcess and
/usr/libexec/webkit2gtk-4.0/WebKitPluginProcess2 (alternative version,
linked to GTK+ 2 to make Flash work).
Maybe the same policy you use for Chrome and Firefox would apply well
to WebKit?
Michael
--
desktop mailing list
desktop(a)lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/desktop@lists.fedoraproject.org

Yes it probably would with a few minor tweaks. Open a bugzilla on
SELinux policy to handle it.
Currently we have different policies for chrome and firefox, but we
really should consolidate
them into a single webplugin.te file.