On 09/12/2010 08:54 AM, Christoph A. wrote:
> Hi,
>
> I was using firefox within sandboxes for a while without perm. home
> directory.
> To store bookmarks, addons and so on, I started to use perm. homedir (-H).
>
> Because firefox does not allow multiple concurrent sessions (lock on
> .mozilla) it is not possible to open multiple websites when specifying
> the same sandbox homedir, hence I'm looking for a possibility to open
> new websites within a running sandbox from outside.
>
> Without sandboxes everyone can open new websites in a running firefox
> instance using:
> firefox -remote "openurl(http://www.mozilla.org)"
>
> sandbox scenario:
> 1. step:
> start firefox:
> sandbox -X -H homedir -T tempdir -t sandbox_web_t -l s0:c100,c100 firefox
>
> 2. step:
> sandbox -H homedir -T tempdir -t sandbox_web_t -l s0:c100,c100 firefox
> -remote "openurl(http://www.mozilla.org)"
>
> My current attempts fail because I'm unable to use the '-l' option
> (#632377) but would the policy allow the 'firefox -remote' command if
> type and security level match with the already running sandbox?
>
> kind regards,
> Christoph
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

I have gotten this to work, but it is not pretty.

I created a file in homedir called firefox.sh

It looks like

    cat homedir/firefox.sh
    #!/bin/sh
    DISPLAY=:1.0 /usr/bin/firefox -remote "openurl($1)"

Then

    sandbox -H ~/sandbox/homedir -T ~/sandbox/tempdir -t sandbox_web_t -l s0:c100 /bin/sh ~/firefox.sh http://www.redhat.com

Seems to work. The key thing is figuring out the DISPLAY.

A possible solution would be to change the /usr/share/sandbox/sandboxX.sh
to the attached, which creates a ~/seremote application within homedir
that looks like

    #!/bin/sh -x
    DISPLAY=:1 $*

:1 will be different for each additional sandbox.

Then you could execute

    sandbox -H ~/sandbox/homedir -T ~/sandbox/tempdir -t sandbox_web_t -l s0:c100 /bin/sh ~/seremote firefox -remote "openurl(http://www.redhat.com)"

And it will work. I will have to make policy changes to allow

    sandbox -H ~/sandbox/homedir -T ~/sandbox/tempdir -t sandbox_web_t -l s0:c100 ~/seremote firefox -remote "openurl(http://www.redhat.com)"

to work.
Attachment:
sandboxX.sh
Description: application/shellscript
Attachment:
sandboxX.sh.sig
Description: PGP signature
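A stricter variant of the firefox.sh wrapper from the message above, as an added example that is not part of the original thread or of the attached sandboxX.sh: it validates the URL before pasting it into the openurl(...) string and takes the display from a variable instead of hard-coding it. The variable name SANDBOX_DISPLAY and the function names are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not code from the thread: firefox.sh with input checks.
# SANDBOX_DISPLAY is a hypothetical variable; the thread hard-codes :1.0.

# Accept only X display names of the form :N or :N.M
valid_display() {
    case "$1" in
        :*) ;;
        *) return 1 ;;
    esac
    rest=${1#:}
    case "$rest" in
        ''|*[!0-9.]*|.*|*.|*.*.*) return 1 ;;
    esac
    return 0
}

# Accept http(s) URLs built only from characters that cannot close or
# extend the openurl(...) command: no parentheses, commas, quotes,
# whitespace or control characters (percent-encode them instead).
valid_url() {
    case "$1" in
        http://?*|https://?*) ;;
        *) return 1 ;;
    esac
    # Delete every allowed character; only the '|' sentinel may remain.
    # The sentinel also keeps a trailing newline from being stripped.
    leftover=$(printf '%s|' "$1" | LC_ALL=C tr -d 'A-Za-z0-9._~:/?#@!$&=+%;-')
    [ "$leftover" = "|" ]
}

# Print the argument for "firefox -remote", or fail on a rejected URL.
remote_command() {
    valid_url "$1" || return 1
    printf 'openurl(%s)' "$1"
}

main() {
    display=${SANDBOX_DISPLAY:-:1.0}
    valid_display "$display" || { echo "bad display: $display" >&2; return 2; }
    cmd=$(remote_command "$1") || { echo "rejected URL" >&2; return 2; }
    DISPLAY=$display
    export DISPLAY
    exec /usr/bin/firefox -remote "$cmd"
}

# Run only when installed under the thread's file name (firefox.sh),
# so the functions above can also be sourced and tested on their own.
case "${0##*/}" in
    firefox.sh) main "$@" ;;
esac
```

It is invoked the same way as the original wrapper, through `sandbox ... /bin/sh ~/firefox.sh URL`, with SANDBOX_DISPLAY set to the display of the running sandbox.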