On 03/26/2011 03:32 PM, Christoph A. wrote:
> Hi,
>
> this post might be of interest for you if since today's update in F13
> specific sandboxes are no longer working.
>
> I used to open files from the internet via sandboxes.
> For example firefox uses the following bash script to open pdf files:
>
> #!/bin/bash
> sandbox -X -w 1432x821 evince "$*"
>
> This is originally from Dan's blog:
> http://danwalsh.livejournal.com/31247.html?thread=214031
>
> Since today, this no longer works due to changes in the handling of /tmp
> (firefox stores the downloaded file in /tmp).
>
> Today the policycoreutils package was updated (2.0.83-33.7.fc13.x86_64).
>
> The changes mention the handling of /tmp:
>
> "fix to sandbox - Fix seunshare to use more secure handling of /tmp -
> Rewrite seunshare to make sure /tmp is mounted stickybit owned by root"
>
> https://admin.fedoraproject.org/updates/policycoreutils-2.0.83-33.7.fc13?_csrf_token=84bda4a48f7b567fc380f85773927246eb5a0b17
>
> which is probably related to Tavis Ormandy's post on FD
> http://seclists.org/fulldisclosure/2011/Feb/585
>
> I worked around the issue and modified the bash script:
>
> #!/bin/bash
> cp "$*" ~/.tmp
> sandbox -X -w 1432x821 evince "/home/user/.tmp/$(basename "$*")"
> rm /home/user/.tmp/*
>
> This quick hack works for me, but maybe there is a nicer way ;)
>
> kind regards,
> Christoph
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

Could you test
http://koji.fedoraproject.org/koji/search?terms=policycoreutils-2.0.83-33.8.fc13&type=build&match=glob
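
A variant of the quoted workaround, added here as an example (it is not from the original post or from policycoreutils): each file is staged in its own `mktemp` directory under `~/.tmp`, and only that directory is removed afterwards, so concurrent viewers and other files in `~/.tmp` are left alone. The function name `open_in_sandbox` and the `sandbox.XXXXXX` directory naming are assumptions, and it assumes, as the post reports, that a copy under `~/.tmp` can be opened by the sandboxed evince.

```shell
#!/bin/bash
# Added example: stage a downloaded file outside /tmp before sandboxing it.
# open_in_sandbox FILE
#   returns 2 if FILE is not a regular file, 1 if staging fails,
#   otherwise the exit status of the sandbox command.
open_in_sandbox() {
    local src stage rc
    src="$1"

    [ -f "$src" ] || { echo "not a regular file: $src" >&2; return 2; }

    # Private parent directory in the user's home (assumed location: ~/.tmp,
    # the same place the workaround in the post uses).
    mkdir -p -m 700 "$HOME/.tmp" || return 1

    # One unpredictable directory per invocation: no name collisions and
    # nothing shared between two documents opened at the same time.
    stage=$(mktemp -d "$HOME/.tmp/sandbox.XXXXXX") || return 1

    cp -- "$src" "$stage/" || { rm -rf -- "$stage"; return 1; }

    # Same sandbox invocation as in the post, pointed at the staged copy.
    rc=0
    sandbox -X -w 1432x821 evince "$stage/$(basename -- "$src")" || rc=$?

    # Remove only what this invocation created, never ~/.tmp/* as a whole.
    rm -rf -- "$stage"
    return "$rc"
}

# When used as the browser's helper script, the file is the first argument.
if [ "$#" -gt 0 ]; then
    open_in_sandbox "$1"
fi
```
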