One of the defining features of Google's Chrome web browse is its sandboxing feature. You probably won't realise it's there, but from a security point of view, sand-boxing is one of the most impotant factors in browser security, as it severely limits the amount of damage a security hole can do: sure, you've got a hole in the browser, but thanks to sandboxing, you're pretty much locked in - until you break out of the sandbox, of course. Sandboxing on the Windows variant of Chrome was a "complicated affair", says Chromium developer Jeremy Moskovich, but for the Mac version, it's all a bit easier and more straightforward. On Linux, however, it's a mess.
To view parent comment, click here.
To read all comments associated with this story, please click here.
Member since:2009-02-19
No, I didn't. Basically, I knew (and know now) nothing about what SELinux was and how it worked, and when it became obvious that a non-negligeable amount of work was going to have to go into getting it to work, I decided that it wasn't worth it and just turned it off. Most of the other distributions I've used manage to get along fine without it (or, they're very good at preventing me from noticing it): I wasn't going to go to much effort to get something working that I wasn't convinced I really, desperately needed.
I guess my point is that, if you want most/all main-stream distributions to ship and enable SELinux, it needs to be much, much more unobtrusive and self-configuring than it is. It probably should "just work" in most cases, and it should only require the user to do a lot of learning and configuring if the user wants to do something that's outside of, say, 95% of the normal use cases. Sticking /home/ on its own partition and re-using it is something that I've done several times, is not particularly unusual, and not something that I think a given distribution's security policy should add (several) extra steps too.
Shorter version: SELinux isn't important enough to be worth me doing a lot of homework.
Edit: Actually, I think I did do something along the lines of relabeling it. I seem to recall that I eventually did get logged-in, only to have SELinux generate dozens of warnings about blocking attempts to access a bunch of my account's various application configuration files. That was the point that I said, "this thing isn't worth the hassle," and turned it off.
Edited 2009-06-03 21:09 UTC
Member since:
2005-07-06
Just curious, have you relabeled your home directory first? Also, have you contacted one of SELinux team about the issue? It is good to ask help about the issue.
Edited 2009-06-03 19:51 UTC