Linked by Thom Holwerda on Wed 3rd Jun 2009 11:21 UTC, submitted by Hakime
One of the defining features of Google's Chrome web browser is its sandboxing feature. You probably won't realise it's there, but from a security point of view, sandboxing is one of the most important factors in browser security, as it severely limits the amount of damage a security hole can do: sure, you've got a hole in the browser, but thanks to sandboxing, you're pretty much locked in - until you break out of the sandbox, of course. Sandboxing on the Windows variant of Chrome was a "complicated affair", says Chromium developer Jeremy Moskovich, but for the Mac version, it's all a bit easier and more straightforward. On Linux, however, it's a mess.
Thread beginning with comment 366807
RE[4]: On the origin of species
by boldingd on Wed 3rd Jun 2009 15:51 UTC in reply to "RE[3]: On the origin of species"

I had a Sidux Linux installation, with a separate /home partition. I installed Fedora 10 over Sidux, and tried to re-use my home partition. SELinux wouldn't let me log in. I created a new home directory for that user. No dice. I struggled with it for two hours. I turned off SELinux. A security solution that takes longer to correctly configure than the OS took to install is highly impractical, to be kind. (Or, rather, that took longer to figure out it was never going to work and turn off than the OS took to install.) It didn't help that, in true KDE fashion, there was more than one GUI app to control SELinux, and no clear guidance on which to use (the configurer I found first was a set-up wizard: the option to turn SELinux off was somewhere else entirely).

Score: 2

MattPie

I had a Sidux Linux installation, with a separate /home partition. I installed Fedora 10 over Sidux, and tried to re-use my home partition. SELinux wouldn't let me log in.

CentOS5/RHEL5 throw various SELinux errors if home directories are on NFS. Not very enterprise-y of them...

Score: 4

Finalzone

Just curious, have you relabeled your home directory first? Also, have you contacted one of the SELinux team about the issue? It is good to ask for help about the issue.

Edited 2009-06-03 19:51 UTC

Score: 3

boldingd

No, I didn't. Basically, I knew (and know now) nothing about what SELinux was and how it worked, and when it became obvious that a non-negligible amount of work was going to have to go into getting it to work, I decided that it wasn't worth it and just turned it off. Most of the other distributions I've used manage to get along fine without it (or, they're very good at preventing me from noticing it): I wasn't going to go to much effort to get something working that I wasn't convinced I really, desperately needed.
I guess my point is that, if you want most/all main-stream distributions to ship and enable SELinux, it needs to be much, much more unobtrusive and self-configuring than it is. It probably should "just work" in most cases, and it should only require the user to do a lot of learning and configuring if the user wants to do something that's outside of, say, 95% of the normal use cases. Sticking /home/ on its own partition and re-using it is something that I've done several times, is not particularly unusual, and not something that I think a given distribution's security policy should add (several) extra steps to.

Shorter version: SELinux isn't important enough to be worth me doing a lot of homework.

Edit: Actually, I think I did do something along the lines of relabeling it. I seem to recall that I eventually did get logged-in, only to have SELinux generate dozens of warnings about blocking attempts to access a bunch of my account's various application configuration files. That was the point that I said, "this thing isn't worth the hassle," and turned it off.

Edited 2009-06-03 21:09 UTC

Score: 4