This is exactly what I'm thinking. The benefit of the google_isolated_app option is similar to that of isolated_app vs normal app. However, I think that the separation of isolated_app makes sense at DAC level, however, it is ambiguous at MAC level. Thus, I think mapping to the main app is the better option for us (i.e., simpler and less risk).
Tai

On 6/9/14, 12:48 PM, "Stephen Smalley" <[email protected]> wrote:

>I guess the question for your policy is whether there would be any real
>difference between google_isolated_app and google_app if you have to
>allow access to google_app_data_file to both domains. You can certainly
>map the Chrome sandbox process to either domain by adding an entry to
>seapp_contexts with
>user=_isolated seinfo=<whatever-seinfo-you-defined-in-mac_permissions.xml-for-google-apps>
>and have it take precedence over the default user=_isolated entry.
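The precedence point in the quoted suggestion, as an added example that is not part of the original thread and is not libselinux code: a simplified model of seapp_contexts selection in which an entry that specifies seinfo= is tried before one that does not. Assumptions: the seinfo value `google` is a constructed placeholder, only the user= and seinfo= selectors are modelled, and the caller passes the user category (`_app`, `_isolated`) directly instead of a UID.

```python
# Simplified model of seapp_contexts matching (added example, not libselinux code).
# Only user= and seinfo= are modelled; every other selector is ignored.

SEAPP_CONTEXTS = """\
# Constructed sample. The seinfo value "google" is a placeholder for whatever
# seinfo mac_permissions.xml assigns to the Google apps.
user=_isolated domain=isolated_app
user=_app domain=untrusted_app type=app_data_file
user=_app seinfo=google domain=google_app type=google_app_data_file
user=_isolated seinfo=google domain=google_app
"""

def parse(text):
    """Parse 'key=value' lines into dicts, skipping blanks and comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(dict(tok.split("=", 1) for tok in line.split()))
    return entries

def specificity(entry):
    """Sort key: entries with user= come first, then entries with seinfo=."""
    return ("user" not in entry, "seinfo" not in entry)

def lookup(entries, user, seinfo):
    """Return the domain of the first matching entry in precedence order."""
    for e in sorted(entries, key=specificity):
        if "user" in e and e["user"] != user:
            continue
        if "seinfo" in e and e["seinfo"] != seinfo:
            continue
        return e["domain"]
    return None  # no entry matched

ENTRIES = parse(SEAPP_CONTEXTS)

if __name__ == "__main__":
    cases = [("_isolated", "google"), ("_isolated", "default"), ("_app", "google")]
    for user, seinfo in cases:
        print(user, seinfo, "->", lookup(ENTRIES, user, seinfo))
```

The default `user=_isolated` line is listed first in the sample file and still loses to the seinfo-specific entry, so only isolated processes carrying that seinfo leave `isolated_app`.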
