On 09/13/2010 06:54 PM, Daniel J Walsh wrote: > On 09/12/2010 08:54 AM, Christoph A. wrote: >> Hi, > >> I was using firefox within sandboxes for a while without perm. home >> directory. >> To store bookmarks, addons and so on, I started to use perm. homedir (-H). > >> Because firefox does not allow multiple concurrent sessions (lock on >> .mozilla) it is not possible to open multiple websites when specifying >> the same sandbox homedir, hence I'm looking for a possibility to open >> new websites within a running sandbox from outside. > >> Without sandboxes everyone can open new websites in a running firefox >> instance using: >> firefox -remote "openurl(http://www.mozilla.org)" > >> sandbox scenario: >> 1. step: >> start firefox: >> sandbox -X -H homedir -T tempdir -t sandbox_web_t -l s0:c100,c100 firefox > >> 2. step: >> sandbox -H homedir -T tempdir -t sandbox_web_t -l s0:c100,c100 firefox >> -remote "openurl(http://www.mozilla.org)" > >> My current attempts fail because I'm unable use the '-l' option >> (#632377) but would the policy allow the 'firefox -remote' command if >> type and security level matches with the already running sandbox? > >> kind regards, >> Christoph > > > > >> -- >> selinux mailing list >> selinux@xxxxxxxxxxxxxxxxxxxxxxx >> https://admin.fedoraproject.org/mailman/listinfo/selinux > I have gotten this to work, but it is not pretty. > > I created a file in homedir called firefox.sh > > It looks like > > cat homedir/firefox.sh > #!/bin/sh > DISPLAY=:1.0 /usr/bin/firefox -remote "openurl($1)" > > Then > > sandbox -H ~/sandbox/homedir -T ~/sandbox/tempdir -t sandbox_web_t -l > s0:c100 /bin/sh ~/firefox.sh http://www.redhat.com > > Seems to work. > > The key thing is figuring out the DISPLAY. > > A possible solution would be to change the /usr/share/sandbox/sandboxX.sh > To the attached. > > Which creates a ~/seremote application within homedir that looks like > > #!/bin/sh -x > DISPLAY=:1 $* > > > :1 will be different for each additional sandbox. > > Then you could execute > > sandbox -H ~/sandbox/homedir -T ~/sandbox/tempdir -t sandbox_web_t -l > s0:c100 /bin/sh ~/seremote firefox -remote "openurl(http://www.redhat.com)" > > > And it will work. > > I will have to make policy changes to allow > > sandbox -H ~/sandbox/homedir -T ~/sandbox/tempdir -t sandbox_web_t -l > s0:c100 ~/seremote firefox -remote "openurl(http://www.redhat.com)" > > to work. Great! Let me know when these policy changes are available in FC13. This hole method of opening new urls in an existing sandbox will absolutely kill the argument '..but opening websites in sandboxes takes way more time then without sandbox' :) thanks, Christoph
Attachment:
signature.asc
Description: OpenPGP digital signature
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
