Hi, this post might be of interest for you if since today's update in F13 specific sandboxes are no longer working. I used to open files from the internet via sandboxes. For example firefox uses the following bash script to open pdf files: #!/bin/bash sandbox -X -w 1432x821 evince "$*" This is from originally from Dan's blog: http://danwalsh.livejournal.com/31247.html?thread=214031 Since today, this no longer works due to changes in the handling of /tmp (firefox stores the downloaded file in /tmp). Today the policycoreutils packages was updated (2.0.83-33.7.fc13.x86_64). The changes mention the handling of /tmp: "fix to sandbox - Fix seunshare to use more secure handling of /tmp - Rewrite seunshare to make sure /tmp is mounted stickybit owned by root" https://admin.fedoraproject.org/updates/policycoreutils-2.0.83-33.7.fc13?_csrf_token=84bda4a48f7b567fc380f85773927246eb5a0b17 which is probably related to Tavis Ormandy's post on FD http://seclists.org/fulldisclosure/2011/Feb/585 I worked around the issue and modified the bash script: #!/bin/bash cp "$*" ~/.tmp sandbox -X -w 1432x821 evince "/home/user/.tmp/`basename $*`" rm /home/user/.tmp/* This quick hack works for me, but maybe there is a nicer way ;) kind regards, Christoph
Attachment:
signature.asc
Description: OpenPGP digital signature
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
