On 08/13/2012 08:40 AM, Dominick Grift wrote:
>
> On Mon, 2012-08-13 at 06:33 +0100, Robin Green wrote:
>> I would like to allow chromium within a sandbox to access KWallet running
>> in KDE outside the sandbox, so that
>>
>> (a) my website passwords cannot be directly read from within a sandbox -
>> access must be mediated by KWallet, which can prompt me for my KWallet
>> password to confirm. So if I am prompted by KWallet while on a web page
>> without a saved password, I will know something is amiss.
>> (b) my website passwords are shared between sandboxes
>>
>> I say chromium because Firefox does not use an external wallet service.
>>
>> I've got part-way there. Here is what I've done so far:
>>
>> I found out that KWallet uses dbus to communicate (specifically, the
>> session bus, because it's a desktop daemon). Because the dbus session bus
>> is by default a unix socket in /tmp, which would be hidden by seunshare,
>> I created /etc/dbus-1/session-local.conf as follows:
>>
>>   <!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
>>    "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
>>   <busconfig>
>>
>>     <listen>unix:tmpdir=/dev/shm</listen>
>>
>>   </busconfig>
>>
>> and logged out and logged back in again in order to restart the session
>> bus.
>>
>> I then passed the dbus socket name into the sandbox at creation time
>> using
>>
>>   env DBUS_SESSION_BUS_ADDRESS=unix:abstract=/dev/shm/dbus-wyOMqiEGrR,guid=8e741d603eb65ed7bf138cac00060be0 xterm
>>
>> as the command for sandbox to run.
>>
>> To run chromium I used
>>
>>   chromium-browser --no-sandbox --password-store=kwallet
>>
>> A couple of iterations of audit2allow and semodule -i later, I had this
>> policy module installed:
>>
>>   allow sandbox_web_client_t unconfined_dbusd_t:unix_stream_socket connectto;
>>   allow sandbox_web_client_t config_usr_t:dir read;
>>   allow sandbox_web_client_t unconfined_t:unix_stream_socket connectto;
>>
>> but chromium is still outputting to the terminal this when it tries to
>> communicate with KWallet:
>>
>>   ** (exe:9107): WARNING **:
>>   GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An SELinux policy
>>   prevents this sender from sending this message to this recipient, 0
>>   matched rules; type="method_call", sender="(null)" (inactive)
>>   interface="org.freedesktop.DBus" member="Hello" error name="(unset)"
>>   requested_reply="0" destination="org.freedesktop.DBus" (bus)
>>
>> I can't find relevant entries in /var/log/audit.log at first glance, so
>> maybe these are checks done by the dbus daemon itself, rather than the
>> kernel.
>
> Also check /var/log/messages, dbus related avc denials go all over the
> place.
>
> If you allow this then you probably allow your sandbox to dbus chat to any
> user application running in the user domain
>
> If you confine kwallet then you should be able to restrict your sandbox to
> only chat to kwallet via dbus.
>
>> -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> https://admin.fedoraproject.org/mailman/listinfo/selinux

Yes I would figure this is dbus blocking the communication. Dbus session bus
would not be allowed to write to /var/log/audit/audit.log, so I believe
messages would end up in /var/log/messages. This is an interesting use case.
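An added example, not part of the original thread: a small Python filter that pulls D-Bus userspace AVC denials (tclass=dbus) out of syslog-style text such as /var/log/messages, prints the allow rule each one corresponds to, and flags rules whose target is a broad domain, which is the concern raised above about chatting with any user application. The sample log lines, the function names and the BROAD_TARGETS set are assumptions made for illustration.

```python
import re

# Constructed sample lines (not from the thread): two D-Bus userspace AVCs as a
# session bus might log them via syslog, one kernel AVC, one unrelated line.
SAMPLE_LOG = """\
Aug 13 06:20:11 host dbus-daemon[1702]: avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=9107 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c12,c34 tcontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 tclass=dbus
Aug 13 06:20:12 host dbus-daemon[1702]: avc:  denied  { send_msg } for msgtype=method_call interface=org.kde.KWallet member=open dest=org.kde.kwalletd spid=9107 tpid=2210 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c12,c34 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dbus
Aug 13 06:20:12 host kernel: type=1400 audit(1344835212.101:77): avc:  denied  { read } for pid=9107 comm="exe" name="share" scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c12,c34 tcontext=system_u:object_r:config_usr_t:s0 tclass=dir
Aug 13 06:20:13 host NetworkManager[811]: <info> unrelated line
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$")
# Assumption: domains that host many unrelated user applications.
BROAD_TARGETS = {"unconfined_t"}


def parse_dbus_denials(text):
    """Return one dict per denied D-Bus message (tclass=dbus) found in text."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
        if fields.get("tclass") != "dbus":
            continue  # kernel-enforced classes (dir, unix_stream_socket, ...) are skipped
        if "scontext" not in fields or "tcontext" not in fields:
            continue  # truncated line
        denials.append({
            "perms": m.group(1).split(),
            "source": fields["scontext"].split(":")[2],  # SELinux type is the third field
            "target": fields["tcontext"].split(":")[2],
            "member": fields.get("member"),
            "dest": fields.get("dest"),
        })
    return denials


def candidate_rules(denials):
    """Map each corresponding allow rule to True when its target is broad."""
    rules = {}
    for d in denials:
        rule = f"allow {d['source']} {d['target']}:dbus {{ {' '.join(d['perms'])} }};"
        rules[rule] = d["target"] in BROAD_TARGETS
    return rules


if __name__ == "__main__":
    for rule, broad in candidate_rules(parse_dbus_denials(SAMPLE_LOG)).items():
        print(("REVIEW  " if broad else "        ") + rule)
```

A rule marked REVIEW is one to replace with a rule against a dedicated KWallet domain once KWallet is confined, rather than load as-is.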