On 09/12/2010 08:54 AM, Christoph A. wrote:
> Hi,
> I was using firefox within sandboxes for a while without perm. home
> directory.
> To store bookmarks, addons and so on, I started to use perm. homedir (-H).
> Because firefox does not allow multiple concurrent sessions (lock on
> .mozilla) it is not possible to open multiple websites when specifying
> the same sandbox homedir, hence I'm looking for a possibility to open
> new websites within a running sandbox from outside.
> Without sandboxes everyone can open new websites in a running firefox
> instance using:
> firefox -remote "openurl(http://www.mozilla.org)"
> sandbox scenario:
> 1. step:
> start firefox:
> sandbox -X -H homedir -T tempdir -t sandbox_web_t -l s0:c100,c100 firefox
> 2. step:
> sandbox -H homedir -T tempdir -t sandbox_web_t -l s0:c100,c100 firefox
> -remote "openurl(http://www.mozilla.org)"
> My current attempts fail because I'm unable use the '-l' option
> (#632377) but would the policy allow the 'firefox -remote' command if
> type and security level matches with the already running sandbox?
> kind regards,
> Christoph
> --
> selinux mailing list
> selinux(a)lists.fedoraproject.org
>
https://admin.fedoraproject.org/mailman/listinfo/selinux
I have gotten this to work, but it is not pretty.
I created a file in homedir called firefox.sh
It looks like
cat homedir/firefox.sh
#!/bin/sh
DISPLAY=:1.0 /usr/bin/firefox -remote "openurl($1)"
Then
sandbox -H ~/sandbox/homedir -T ~/sandbox/tempdir -t sandbox_web_t -l
s0:c100 /bin/sh ~/firefox.sh
http://www.redhat.com
Seems to work.
The key thing is figuring out the DISPLAY.
A possible solution would be to change the /usr/share/sandbox/sandboxX.sh
To the attached.
Which creates a ~/seremote application within homedir that looks like
#!/bin/sh -x
DISPLAY=:1 $*
:1 will be different for each additional sandbox.
Then you could execute
sandbox -H ~/sandbox/homedir -T ~/sandbox/tempdir -t sandbox_web_t -l
s0:c100 /bin/sh ~/seremote firefox -remote "openurl(http://www.redhat.com)"
And it will work.
I will have to make policy changes to allow
sandbox -H ~/sandbox/homedir -T ~/sandbox/tempdir -t sandbox_web_t -l
s0:c100 ~/seremote firefox -remote "openurl(http://www.redhat.com)"
to work.
Great! Let me know when these policy changes are available in FC13.
This hole method of opening new urls in an existing sandbox will
absolutely kill the argument
'..but opening websites in sandboxes takes way more time then without
sandbox' :)
thanks,
Christoph