On 06/06/2011 03:32 PM, Christoph A. wrote:
> On 06/06/2011 09:23 PM, Christoph A. wrote:
>> On 06/04/2011 03:10 AM, Christoph A. wrote:
>>> "Could not start the gpg-agent program which is needed for you GnuPG
>>> version denied."
>
>> starting thunderbird with gpg-agent like this:
>> sandbox -X -t sandbox_net_t -H tb gpg-agent --daemon thunderbird
>
>> seems to solve the first error.
>
>> Next error:
>> Error - encryption command failed
>> /usr/bin/gpg --charset utf8 .... --list-secret-keys
>> gpg: fatal: can't disable core dumps: Permission denied
>> secmem usage: 0/0 bytes in 0/0 blocks of pool 0/0
>
>> getsebool -a|grep -i dump
>> allow_daemons_dump_core --> on
>
>> So gpg is not allowed to disable coredumps.
>> Is this a policy bug?
>> (no AVCs)
>> How can I allow gpg to disable core dumps?
>
> something similar to [1] is probably needed for sandbox_net_t too.
>
> allow sandbox_net_t self:process setrlimit;
> correct?
>
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=610812
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux

I am not sure what the ramifications are of allowing a sandbox app to modify
its hard limits. Currently no sandboxes are allowed this access. You can add
a custom policy to allow this. I guess if you or someone else can make a
compelling argument I can add this access or a boolean to add this access.
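
The custom policy mentioned in the reply, as an added example that is not part of the original thread: a local module carrying the `allow` rule proposed in the quoted message, with the usual compile, package and load commands. The module name `sandbox_net_setrlimit` is an assumption chosen for this example.

```shell
#!/bin/sh
# Added example: local SELinux module granting sandbox_net_t the setrlimit
# permission on itself. The module name below is an assumption.
MODULE=sandbox_net_setrlimit   # hypothetical module name

# Write the type-enforcement source into directory $1 and print its path.
write_te() {
    dir=$1
    cat > "$dir/$MODULE.te" <<EOF
module $MODULE 1.0;

require {
    type sandbox_net_t;
    class process setrlimit;
}

# Rule proposed in the thread. The permission is not limited to core dumps:
# as the reply notes, it lets the sandboxed app modify its hard limits.
allow sandbox_net_t self:process setrlimit;
EOF
    printf '%s\n' "$dir/$MODULE.te"
}

# Compile, package and load the module from directory $1.
# Needs root plus the checkpolicy and policycoreutils tools.
build_and_install() {
    dir=$1
    checkmodule -M -m -o "$dir/$MODULE.mod" "$dir/$MODULE.te" &&
    semodule_package -o "$dir/$MODULE.pp" -m "$dir/$MODULE.mod" &&
    semodule -i "$dir/$MODULE.pp"
}

# Remove the module again, restoring the stock sandbox policy.
remove_module() {
    semodule -r "$MODULE"
}

# Typical use, as root:
#   d=$(mktemp -d) && write_te "$d" && build_and_install "$d"
```

Because the module is loaded separately from the distribution policy, `remove_module` reverts the grant without touching any other sandbox rule.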