Re: Running Tor Browser Bundle in a sandbox / creating a (modified) copy of sandbox_net_t

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

>> What avc messages are you seeing?
> 
> As Dominick anticipated I got:
> 
> avc: denied { name_bind } for pid=23725 comm="tor" src=9150 
> scontext=unconfined_u:unconfined_r:sandbox_net_client_t:s0:c353,c458
>
> 
tcontext=system_u:object_r:tor_port_t:s0 tclass=tcp_socket

The quickest (but dirty) fix seams to be to configure TBB to bind to
another port (I used 9152 instead of tcp/9150).
Changing the SocksPort in TBB's torrc + nis_enabled works for me, but I
will build a new sandbox domain anyway.

In the end I'd like to have sandbox type that is able to run TBB out
of the box without nis_enabled.

(Why is 9150 in tor_port_t anyway? Tor uses 9050 by default. Are there
other common configurations that use 9150 for tor?)

I tried to create a copy of sandbox_net_t (with different name) by
copying the "sandbox_net_client_t local policy" section from
sandboxX.te [1] and the "sandbox_x_domain_template(sandbox_net)" -
line, but failed (typeattribute line).

What would be *the* way to create a (renamed) copy of sandbox_net_t?
(I'd prefer just to create an exact copy instead of approximating the
domain via audit2allow runs.)

After having an exact copy I'd add allow rules to cover binding to
tcp/9150.

thanks!


[1]
https://git.fedorahosted.org/cgit/selinux-policy.git/tree/sandboxX.te?h=f19-contrib#n455

-----BEGIN PGP SIGNATURE-----

iQEcBAEBCgAGBQJSHzg2AAoJEHgmGhf8XKddAT8IAJXzW/G2fV2h4GMc8VrXOIWI
vo0nGCg5sPsm0xkJrpTc/bAnbK9Vh+gEytzkK/uUoupalWa0onrQSKJB7z8j7xd7
LwOf2dsLqkmJrRXZDqZtr2YrQLKwEvilyvI+zXxfhmpMW9kyFCcjVOjk0CHB5haZ
Ji0nxBBuWY3ubrHxp+JhWFtKLIfkjrLDFPQCL8uh5ps6qAuPCzbpNBCGVoQXlrG3
A02ulM2bwacFU0XQhhYItKeVmxdeg4t85n076gLOGlAHVapeOtMwOOx4d1BGtt5j
pr0LsYudP57M9Zzmdrwlb2GYKEOXPIhWJf9TRqK9+G9xHsXQIKrVzGl/NA2so88=
=6ZuU
-----END PGP SIGNATURE-----

-------------------------------------------------

VFEmail.net - http://www.vfemail.net
$14.95 ONETIME Lifetime accounts with Privacy Features!  
15GB disk! No bandwidth quotas!
Commercial and Bulk Mail Options!  
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux





[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux