On Mon, 2012-08-13 at 06:33 +0100, Robin Green wrote:
> I would like to allow chromium within a sandbox to access KWallet
> running in KDE outside the sandbox, so that
>
> (a) my website passwords cannot be directly read from within a sandbox
> - access must be mediated by KWallet, which can prompt me for my
> KWallet password to confirm. So if I am prompted by KWallet while on a
> web page without a saved password, I will know something is amiss.
> (b) my website passwords are shared between sandboxes
>
> I say chromium because Firefox does not use an external wallet service.
>
> I've got part-way there. Here is what I've done so far:
>
> I found out that KWallet uses dbus to communicate (specifically, the
> session bus, because it's a desktop daemon). Because the dbus session
> bus is by default a unix socket in /tmp, which would be hidden by
> seunshare, I created /etc/dbus-1/session-local.conf as follows:
>
> <!DOCTYPE busconfig PUBLIC
> "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
> "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
> <busconfig>
>
> <listen>unix:tmpdir=/dev/shm</listen>
>
> </busconfig>
>
> and logged out and logged back in again in order to restart the session bus.
>
> I then passed the dbus socket name into the sandbox at creation time using
>
> env DBUS_SESSION_BUS_ADDRESS=unix:abstract=/dev/shm/dbus-wyOMqiEGrR,guid=8e741d603eb65ed7bf138cac00060be0 xterm
>
> as the command for sandbox to run.
>
> To run chromium I used
>
> chromium-browser --no-sandbox --password-store=kwallet
>
> A couple of iterations of audit2allow and semodule -i later, I had
> this policy module installed:
>
> allow sandbox_web_client_t unconfined_dbusd_t:unix_stream_socket connectto;
> allow sandbox_web_client_t config_usr_t:dir read;
> allow sandbox_web_client_t unconfined_t:unix_stream_socket connectto;
>
> but chromium is still outputting to the terminal this when it tries to
> communicate with KWallet:
>
> ** (exe:9107): WARNING **:
> GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An SELinux policy
> prevents this sender from sending this message to this recipient, 0
> matched rules; type="method_call", sender="(null)" (inactive)
> interface="org.freedesktop.DBus" member="Hello" error name="(unset)"
> requested_reply="0" destination="org.freedesktop.DBus" (bus)
>
> I can't find relevant entries in /var/log/audit.log at first glance,
> so maybe these are checks done by the dbus daemon itself, rather than
> the kernel.

Also check /var/log/messages, dbus-related avc denials go all over the
place.

If you allow this then you probably allow your sandbox to dbus chat to
any user application running in the user domain.

If you confine kwallet then you should be able to restrict your sandbox
to only chat to kwallet via dbus.

> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
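
The reply's advice to look beyond /var/log/audit.log for dbus denials, as an added example that is not part of the original thread: a small parser that pulls userspace `tclass=dbus` denials out of mixed log text and lists which source type was refused toward which target type. The log lines are constructed and their layout is an assumption; `dbus_denials`, `sel_type` and `summarize` are hypothetical names.

```python
import re
from collections import Counter

# Constructed sample lines (not from the thread); the layout of real syslog
# and audit records is assumed and may differ between distributions.
SAMPLE_LOG = """\
Aug 13 06:20:01 host dbus[1450]: avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=9107 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c12,c34 tcontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 tclass=dbus
Aug 13 06:20:01 host kernel: type=1400 audit(1344835201.101:77): avc:  denied  { read } for pid=9107 comm="exe" name="share" dev="dm-1" ino=131 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c12,c34 tcontext=system_u:object_r:config_usr_t:s0 tclass=dir
type=USER_AVC msg=audit(1344835202.300:78): pid=1450 uid=1000 auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.kde.KWallet member=open dest=org.kde.kwalletd spid=9107 tpid=2201 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c12,c34 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dbus'
Aug 13 06:20:05 host NetworkManager[900]: <info> device state change
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def sel_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else "?"

def dbus_denials(text):
    """Extract userspace (tclass=dbus) denials; kernel AVCs are skipped."""
    found = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        # Strip quotes, including the closing quote of a USER_AVC msg='...'.
        f = {k: v.strip("\"'") for k, v in KV_RE.findall(m.group(2))}
        if f.get("tclass") != "dbus":
            continue
        found.append({
            "perms": m.group(1).split(),
            "source": sel_type(f.get("scontext", "")),
            "target": sel_type(f.get("tcontext", "")),
            "dest": f.get("dest"),
            "member": f.get("member"),
        })
    return found

def summarize(denials):
    """Count denials per (source type, target type, bus name)."""
    return Counter((d["source"], d["target"], d["dest"]) for d in denials)

if __name__ == "__main__":
    for (src, tgt, dest), n in summarize(dbus_denials(SAMPLE_LOG)).items():
        print(f"{n}x {src} -> {tgt} (tclass=dbus, bus name {dest})")
```

A target type of `unconfined_t` in the output is the situation the reply warns about: a rule written against that type covers every application running in the user domain, not only KWallet.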