Linux: add support for SELinux.

Linux: add support for SELinux.

This patch adds support for a selinux GYP variable which, when set to
one, does the following:
  * Removes the seccomp sandbox from the compile
  * Removes support for SUID sandboxing from the zygote
  * Performs a dynamic transition, in the zygote, to
    chromium_renderer_t.

This code requires that the system policy have a sensible set of
access vectors for the chromium_renderer_t type. Such a policy will be
found in sandbox/selinux in the future.

[Evan Martin, 2009-09-15 18:42:11]

I'm not sure I'm a good person for reviewing security-sensitive code.  Do you
know anyone else who could help with selinux-related stuff?  Maybe ping the guy
who wrote that blog post?

[Evan Martin, 2009-09-15 18:45:51]

looks good, one point of confusion about changing that global flag

http://codereview.chromium.org/203071/diff/1/4
File chrome/browser/zygote_main_linux.cc (right):

http://codereview.chromium.org/203071/diff/1/4#newcode217
Line 217: #ifndef CHROMIUM_SELINUX
if !defined(

http://codereview.chromium.org/203071/diff/1/4#newcode365
Line 365: // This function trigger the static and lazy construction of objects
that need
triggers

http://codereview.chromium.org/203071/diff/1/4#newcode456
Line 456: #else  // !CHROMIUM_SELINUX
it might be less confusing to remove the ! here, since the code below is running
in that case

http://codereview.chromium.org/203071/diff/1/4#newcode475
Line 475: LOG(ERROR) << "dyntrans failed to type 'chromium_renderer_t'";
Is dyntrans a term selinux people would understand?

http://codereview.chromium.org/203071/diff/1/4#newcode485
Line 485: #if !defined(CHROMIUM_SELINUX)
why is this necessary?

[Amanda Walker, 2009-09-15 19:06:07]

On 2009/09/15 18:42:11, Evan Martin wrote:
> I'm not sure I'm a good person for reviewing security-sensitive code.  Do you
> know anyone else who could help with selinux-related stuff?

LGTM for the SELinux stuff.