Re: sandbox -X broken on FC20?

>>
> 
> does not work for me, but the error is different, now I get AVCs.
> 
> type=AVC msg=audit(1400172843.275:385): avc:  denied  { connectto } for
>  pid=24118 comm="Xephyr" path=002F746D702F2E5831312D756E69782F5830
> scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c190,c873
> tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
> tclass=unix_stream_socket
> 

To come back to this topic, which is fairly old by now, I tried adding some
rules to the policy in a module of my own.

I'm on a fairly up-to-date system:
selinux-policy-sandbox-3.12.1-179.fc20.noarch
selinux-policy-doc-3.12.1-179.fc20.noarch
libpcap-1.5.3-1.fc20.x86_64
selinux-policy-devel-3.12.1-179.fc20.noarch
selinux-policy-targeted-3.12.1-179.fc20.noarch
selinux-policy-3.12.1-179.fc20.noarch


I made the following additions:

# Module header so the file builds with the devel Makefile
# (make -f /usr/share/selinux/devel/Makefile); the module name is just a
# chosen one, it is not given anywhere else.
policy_module(sandbox_web_local, 1.0)

require {
	type sandbox_web_t;
	type xserver_misc_device_t;
	type rtkit_daemon_t;
	type sound_device_t;
	type mozilla_plugin_t;
	class process setrlimit;
	class netlink_kobject_uevent_socket create;
	class file { read };
	class chr_file { open read write getattr };
	class dbus send_msg;
	class sem { unix_read unix_write };
}

#============= sandbox_web_t ==============
# network: plain HTTP and the X server's TCP port
corenet_tcp_connect_http_port(sandbox_web_t)
corenet_tcp_connect_xserver_port(sandbox_web_t)
# talk to the X server as a client that does not draw directly
xserver_non_drawing_client(sandbox_web_t)
# tmpfs access for the user's shared memory files
userdom_rw_inherited_user_tmpfs_files(sandbox_web_t)
userdom_manage_tmpfs_files(sandbox_web_t)
# sound playback
allow sandbox_web_t sound_device_t:chr_file { open read };
#
# denials that are harmless for the session and only clutter the log
dontaudit sandbox_web_t rtkit_daemon_t:dbus send_msg;
dontaudit sandbox_web_t self:netlink_kobject_uevent_socket create;
dontaudit sandbox_web_t self:process setrlimit;
dontaudit sandbox_web_t xserver_misc_device_t:chr_file { read write getattr };
dontaudit mozilla_plugin_t sandbox_web_t:sem { unix_read unix_write };

I'm not sure about the userdom tmpfs rules, but with this, sandbox -X runs
a Firefox session with plugins fairly well.

Is this too open for a sandbox?

Klaus
-- 
------------------------------------------------------------------------
 Klaus Lichtenwalder, Dipl. Inform.,  http://www.lichtenwalder.name/
 PGP Key fingerprint: 5EBB CEF6 CA30 A205 5ECA  DABD 494E 113E 9D79 B7F4

Attachment: signature.asc
Description: OpenPGP digital signature

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
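Added example, not code from Klaus's post or from the SELinux tools: a small
Python parser for AVC lines like the one quoted at the top of this thread. It
decodes the hex-encoded path (auditd hex-encodes a field whose value contains a
non-printable byte; the leading 00 here is the abstract-namespace marker of the X
server's socket, which is why the denial is connectto on a unix_stream_socket and
not an open of /tmp/.X11-unix/X0) and emits the raw allow rule audit2allow would
print for it. The sample line is the quoted denial re-joined onto one line; the
'@' prefix for abstract sockets follows the ss/netstat convention and is a choice
made here. Mapping the raw rule to a refpolicy interface is still the policy
author's job.

```python
"""Parse SELinux AVC denials from audit lines and print the raw allow rule.

Standard library only. Sample input is constructed from the denial quoted
in this thread.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The denial quoted in the thread, re-joined onto one line (constructed sample).
SAMPLE_AVC = (
    'type=AVC msg=audit(1400172843.275:385): avc:  denied  { connectto } for '
    'pid=24118 comm="Xephyr" path=002F746D702F2E5831312D756E69782F5830 '
    'scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c190,c873 '
    'tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 '
    'tclass=unix_stream_socket'
)

_AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+'
    r'(?P<rest>.*)$'
)
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
_HEX_RE = re.compile(r'[0-9A-Fa-f]+')

# String-valued audit fields that auditd hex-encodes (and leaves unquoted)
# when the value holds a NUL, a quote, a space or a control character.
# Numeric fields such as pid are never decoded, even if they look like hex.
HEX_ENCODED_FIELDS = {'path', 'name', 'comm', 'exe', 'cwd', 'proctitle'}


def decode_audit_field(name: str, value: str) -> str:
    """Return the printable value of one key=value audit field."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if name in HEX_ENCODED_FIELDS and len(value) % 2 == 0 and _HEX_RE.fullmatch(value):
        raw = bytes.fromhex(value)
        if raw.startswith(b'\x00'):
            # Leading NUL: abstract-namespace UNIX socket, no filesystem object.
            return '@' + raw[1:].decode('utf-8', 'replace')
        return raw.decode('utf-8', 'replace')
    return value


def context_type(context: str) -> str:
    """user:role:type[:range] -> type (works for both MCS and MLS ranges)."""
    return context.split(':')[2]


@dataclass
class AvcRecord:
    result: str
    perms: List[str]
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def source_type(self) -> str:
        return context_type(self.fields['scontext'])

    @property
    def target_type(self) -> str:
        return context_type(self.fields['tcontext'])


def parse_avc(line: str) -> Optional[AvcRecord]:
    """Parse one audit line; returns None for non-AVC records (SYSCALL, ...)."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    fields = {k: decode_audit_field(k, v) for k, v in _KV_RE.findall(m.group('rest'))}
    return AvcRecord(m.group('result'), m.group('perms').split(), fields)


def allow_rule(rec: AvcRecord) -> str:
    """Raw rule in the shape audit2allow prints; 'self' when source == target."""
    target = 'self' if rec.source_type == rec.target_type else rec.target_type
    perms = rec.perms[0] if len(rec.perms) == 1 else '{ ' + ' '.join(rec.perms) + ' }'
    return f"allow {rec.source_type} {target}:{rec.fields['tclass']} {perms};"


if __name__ == '__main__':
    rec = parse_avc(SAMPLE_AVC)
    assert rec is not None
    print('comm:', rec.fields['comm'], ' path:', rec.fields['path'])
    print(allow_rule(rec))
```

Feed it `ausearch -m avc -ts recent` output line by line to get the same raw rules
audit2allow -a shows; the decoded path is what tells you whether a denial is about
a socket, a device node or a real file before you pick the interface to call.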
