On Thu, 2013-08-29 at 12:01 +0000, fedorauser wrote:
> >> What avc messages are you seeing?
> >
> > As Dominick anticipated I got:
> >
> > avc: denied { name_bind } for pid=23725 comm="tor" src=9150
> > scontext=unconfined_u:unconfined_r:sandbox_net_client_t:s0:c353,c458
> > tcontext=system_u:object_r:tor_port_t:s0 tclass=tcp_socket
>
> The quickest (but dirty) fix seems to be to configure TBB to bind to
> another port (I used 9152 instead of tcp/9150).
> Changing the SocksPort in TBB's torrc + nis_enabled works for me, but I
> will build a new sandbox domain anyway.
>
> In the end I'd like to have a sandbox type that is able to run TBB out
> of the box without nis_enabled.
>
> (Why is 9150 in tor_port_t anyway? Tor uses 9050 by default. Are there
> other common configurations that use 9150 for tor?)
>
> I tried to create a copy of sandbox_net_t (with a different name) by
> copying the "sandbox_net_client_t local policy" section from
> sandboxX.te [1] and the "sandbox_x_domain_template(sandbox_net)"
> line, but failed (typeattribute line).
>
> What would be *the* way to create a (renamed) copy of sandbox_net_t?
> (I'd prefer just to create an exact copy instead of approximating the
> domain via audit2allow runs.)

I showed you in the video how to create custom sandboxes.
sandbox_net_t is just another sandbox with full network access as far as I know, so the procedure is pretty much the same as in my video. To grant full network access you would probably do something like this:

policy_module(mysandbox, 1.0.0)

# declare mysandbox_t as a sandbox X domain (same template sandboxX.te uses)
sandbox_x_domain_template(mysandbox)

# the below grants pretty much full access to the tcp/udp network
# port_type is the attribute shared by every labelled port (tor_port_t, ...)
gen_require(`
	attribute port_type;
')

allow mysandbox_t self:tcp_socket create_stream_socket_perms;
allow mysandbox_t self:udp_socket create_stream_socket_perms;
# bind to and connect to any labelled port, which covers tcp/9150 (tor_port_t)
allow mysandbox_t port_type:tcp_socket { name_connect name_bind };
allow mysandbox_t port_type:udp_socket name_bind;

#EOF

After that it's pretty much the same procedure as I demonstrated in my video.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
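As an added illustration (not code from the thread), a small Python script that parses the AVC record quoted above the way audit2allow does, derives the narrowest allow rule that would silence it, and checks whether the mysandbox_t rules from the reply would cover that denial. The port_type membership set is an assumption constructed for the example; on a real system it comes from the loaded policy (seinfo), and the self: rules' permission macros are not expanded here.

```python
import re

# Constructed input: the AVC denial quoted in the thread, joined onto one line.
SAMPLE_AVC = ('avc: denied { name_bind } for pid=23725 comm="tor" src=9150 '
              'scontext=unconfined_u:unconfined_r:sandbox_net_client_t:s0:c353,c458 '
              'tcontext=system_u:object_r:tor_port_t:s0 tclass=tcp_socket')

# The allow rules from the mysandbox.te in the reply (template/gen_require lines omitted).
SAMPLE_TE = """
allow mysandbox_t self:tcp_socket create_stream_socket_perms;
allow mysandbox_t self:udp_socket create_stream_socket_perms;
allow mysandbox_t port_type:tcp_socket { name_connect name_bind };
allow mysandbox_t port_type:udp_socket name_bind;
"""
# Assumed attribute membership (constructed); tor_port_t is a port type, so it carries port_type.
ATTRIBUTES = {'port_type': {'tor_port_t', 'http_port_t', 'port_t'}}

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*)$')
RULE_RE = re.compile(r'^allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{\s*([^}]+?)\s*\}|(\w+))\s*;', re.M)

def parse_avc(line):
    """Return {'result', 'perms', key: value, ...} for one AVC record, or None if not an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'result': m.group(1), 'perms': m.group(2).split()}
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(3)):
        rec[key] = val.strip('"')          # comm="tor" -> tor
    return rec

def ctx_type(ctx):
    """user:role:type[:range] -> type; the type is what access rules key on, not the MCS range."""
    return ctx.split(':')[2]

def allow_rule(rec):
    """Narrowest allow rule for this denial, in the form audit2allow would emit."""
    perms = rec['perms']
    perms_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow %s %s:%s %s;' % (ctx_type(rec['scontext']), ctx_type(rec['tcontext']),
                                   rec['tclass'], perms_str)

def parse_te(text):
    """Parse allow rules into (source, target, class, set-of-perms) tuples."""
    return [(s, t, c, set((grp or one).split())) for s, t, c, grp, one in RULE_RE.findall(text)]

def covered(rec, rules, domain, attrs=ATTRIBUTES):
    """True if `domain` (the type the sandboxed process runs as) is granted every denied perm."""
    tgt = ctx_type(rec['tcontext'])
    for src, target, cls, perms in rules:
        if src != domain or cls != rec['tclass']:
            continue
        hits_target = target == tgt or tgt in attrs.get(target, ()) or (target == 'self' and tgt == domain)
        if hits_target and set(rec['perms']) <= perms:
            return True
    return False
```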