sandbox cleanup?
by Christoph A.
Hi,
I just noticed that I have over 100 processes running in the
sandbox_web_client_t domain, although I closed all my sandbox windows.
ps auxZ|grep sandbox_web_client_t|grep -c /usr/libexec/gvfsd
52
ps auxZ|grep sandbox_web_client_t|grep -c '/bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session'
51
Shouldn't they be killed after I closed all sandbox windows?
Kind regards,
Christoph
12 years, 3 months
SELinux and Shorewall with IPSets
by Mr Dash Four
I have problems combining these two while SELinux is in 'enforced' mode
(the policy running is the 'stock' targeted one supplied with FC13). I get two
audit alerts when Shorewall starts (and fails!) - see logs below. I have an
x86_64 machine running FC13. Stock Shorewall is installed.
IPSet (xtunnels) is compiled in (though with the 'stock' rpm I am
getting the same errors).
The problem seems to be caused by the Shorewall init script (see further
below). The relevant part of my syslog when SELinux is in enforced mode is:
=========SELinux=Enforcing================================
Jun 26 23:18:38 dev1 shorewall[2456]: Compiling...
Jun 26 23:18:38 dev1 kernel: type=1400 audit(1277590718.634:29543):
avc: denied { create } for pid=2577 comm="ipset"
scontext=unconfined_u:system_r:shorewall_t:s0
tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
Jun 26 23:18:38 dev1 kernel: type=1400 audit(1277590718.637:29544):
avc: denied { create } for pid=2579 comm="ipset"
scontext=unconfined_u:system_r:shorewall_t:s0
tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
Jun 26 23:18:38 dev1 shorewall[2456]: Compiling /etc/shorewall/zones...
Jun 26 23:18:38 dev1 shorewall[2456]: Compiling /etc/shorewall/interfaces...
Jun 26 23:18:38 dev1 shorewall[2456]: Determining Hosts in Zones...
Jun 26 23:18:38 dev1 shorewall[2456]: Preprocessing Action Files...
Jun 26 23:18:38 dev1 shorewall[2456]: Pre-processing
/usr/share/shorewall/action.Drop...
Jun 26 23:18:38 dev1 shorewall[2456]: Pre-processing
/usr/share/shorewall/action.Reject...
Jun 26 23:18:38 dev1 shorewall[2456]: Compiling /etc/shorewall/policy...
Jun 26 23:18:38 dev1 shorewall[2456]: Compiling /etc/shorewall/blacklist...
Jun 26 23:18:38 dev1 shorewall[2456]: ERROR: ipset names in Shorewall
configuration files require Ipset Match in your kernel and iptables :
/etc/shorewall/blacklist (line 11)
Jun 26 23:18:38 dev1 shorewall[2456]: ERROR: Shorewall start failed
==========================================================
When I switch SELinux to Permissive I get two further errors:
=========SELinux=Permissive===============================
Jun 26 23:32:45 dev1 kernel: type=1400 audit(1277591565.629:29551):
avc: denied { create } for pid=3799 comm="ipset"
scontext=unconfined_u:system_r:shorewall_t:s0
tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
Jun 26 23:32:45 dev1 kernel: type=1400 audit(1277591565.629:29552):
avc: denied { getopt } for pid=3799 comm="ipset" lport=255
scontext=unconfined_u:system_r:shorewall_t:s0
tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
Jun 26 23:32:45 dev1 kernel: type=1400 audit(1277591565.629:29553):
avc: denied { setopt } for pid=3799 comm="ipset" lport=255
scontext=unconfined_u:system_r:shorewall_t:s0
tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling /etc/shorewall/zones...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling /etc/shorewall/interfaces...
Jun 26 23:32:45 dev1 shorewall[3678]: Determining Hosts in Zones...
Jun 26 23:32:45 dev1 shorewall[3678]: Preprocessing Action Files...
Jun 26 23:32:45 dev1 shorewall[3678]: Pre-processing
/usr/share/shorewall/action.Drop...
Jun 26 23:32:45 dev1 shorewall[3678]: Pre-processing
/usr/share/shorewall/action.Reject...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling /etc/shorewall/policy...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling /etc/shorewall/blacklist...
Jun 26 23:32:45 dev1 shorewall[3678]: Adding Anti-smurf Rules
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling TCP Flags filtering...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling Kernel Route Filtering...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling Martian Logging...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling MAC Filtration -- Phase 1...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling /etc/shorewall/rules...
Jun 26 23:32:45 dev1 shorewall[3678]: Generating Transitive Closure of
Used-action List...
Jun 26 23:32:45 dev1 shorewall[3678]: Processing
/usr/share/shorewall/action.Reject for chain Reject...
Jun 26 23:32:45 dev1 shorewall[3678]: Processing
/usr/share/shorewall/action.Drop for chain Drop...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling MAC Filtration -- Phase 2...
Jun 26 23:32:45 dev1 shorewall[3678]: Applying Policies...
Jun 26 23:32:45 dev1 shorewall[3678]: Generating Rule Matrix...
Jun 26 23:32:45 dev1 shorewall[3678]: Creating iptables-restore input...
Jun 26 23:32:45 dev1 shorewall[3678]: Compiling iptables-restore input
for chains blacklst mangle:...
Jun 26 23:32:45 dev1 shorewall[3678]: Shorewall configuration compiled
to /var/lib/shorewall/.start
Jun 26 23:32:45 dev1 shorewall[3678]: Starting Shorewall....
Jun 26 23:32:45 dev1 shorewall[3678]: Initializing...
Jun 26 23:32:46 dev1 kernel: u32 classifier
Jun 26 23:32:46 dev1 kernel: Performance counters on
Jun 26 23:32:46 dev1 kernel: input device check on
Jun 26 23:32:46 dev1 kernel: Actions configured
Jun 26 23:32:46 dev1 shorewall[3678]: Processing /etc/shorewall/init ...
Jun 26 23:32:46 dev1 shorewall[3678]: loading
/etc/shorewall/ips/blacklist-x1.ips
Jun 26 23:32:46 dev1 shorewall[3678]: loading
/etc/shorewall/ips/blacklist-x2.ips
Jun 26 23:32:46 dev1 shorewall[3678]: loading
/etc/shorewall/ips/blacklist-z1.ips
Jun 26 23:32:47 dev1 shorewall[3678]: loading
/etc/shorewall/ips/blacklist-z2.ips
Jun 26 23:32:49 dev1 shorewall[3678]: Processing /etc/shorewall/tcclear ...
Jun 26 23:32:49 dev1 shorewall[3678]: Setting up Route Filtering...
Jun 26 23:32:49 dev1 shorewall[3678]: Setting up Martian Logging...
Jun 26 23:32:49 dev1 shorewall[3678]: Setting up Proxy ARP...
Jun 26 23:32:49 dev1 shorewall[3678]: Setting up Traffic Control...
Jun 26 23:32:49 dev1 shorewall[3678]: Preparing iptables-restore input...
Jun 26 23:32:49 dev1 shorewall[3678]: Running /sbin/iptables-restore...
Jun 26 23:32:49 dev1 shorewall[3678]: IPv4 Forwarding Enabled
Jun 26 23:32:49 dev1 shorewall[3678]: Processing /etc/shorewall/start ...
Jun 26 23:32:49 dev1 shorewall[3678]: Processing /etc/shorewall/started ...
Jun 26 23:32:49 dev1 shorewall[3678]: Shorewall started
==========================================================
The problem seems to be caused by the shorewall init script, which is:
===========Shorewall init script==========================
modprobe ifb numifbs=1
ip link set dev ifb0 up
# configure the ipsets: flush and destroy every set, then restore each
# *.ips file (ipset -R reads the save format from stdin)
sw_ips_mask='/etc/shorewall/ips/*.ips'
ipset_exec='/usr/sbin/ipset'
if [ "$COMMAND" = start ]; then
    $ipset_exec -F
    $ipset_exec -X
    for c in $sw_ips_mask; do
        [ -r "$c" ] || continue   # glob matched nothing: skip the literal pattern
        echo loading "$c"
        $ipset_exec -R < "$c"
    done
fi
==========================================================
The above script executes /usr/sbin/ipset to create the IP sets needed
for running Shorewall (all IP set commands are contained in those *.ips
files). These IP sets consist mainly of IP subnets which are part of my
blacklists (banned IP subnets), though they also contain some IP/port
sets as well.
I don't know why SELinux denies "create" (and then "getopt" and "setopt")
on what seems to be a raw IP socket (IPSet does not use/need one as far
as I know!). If I remove the IP Set part of the init script above and
rearrange Shorewall to run without IPSets all is well, though its
functionality is VERY limited and barely useful to me!
Two questions to the SELinux gurus on here: 1) Why am I getting these
alerts? and 2) How can I fix the problem so that I could run both
Shorewall and IPSets with SELinux in Enforced mode?
This is important for me as this is a production server and a lot of
stuff runs on it and needs to be available 24/7.
Many thanks in advance!
12 years, 8 months
netif labelling
by Mr Dash Four
I am trying to restrict an application I have installed to have access
to a specific network interface only (tun0).
Are all network interfaces labelled 'automatically' by SELinux with
'netif_xx_t' or do I have to label them manually from the policy file?
If I have to do that manually is it done with the network_interface(...)
macro?
Also, if I relabel the interface would I have to amend all other
policies for applications which need access to that interface
(applications which use the 'generic' naming - netif_t) or is this not
necessary?
I've seen there is a macro in corenetwork.if.in called
'corenet_all_recvfrom_labelled' - does that macro allow me to receive
packets from a labelled interface?
Thanks in advance!
13 years
sandbox window size
by Christoph A.
Hi,
as far as I have seen and read, it is not possible to resize a SELinux
sandbox window.
Is it possible to specify the size of the sandbox at start-time?
kind regards,
Christoph
13 years
.autorelabel on mounted filesystems
by Dan Thurman
I have several versions of root distro partitions of which I do
mount via fstab, but of course only one / and /boot partition
is to be defined for the version to be booted.
What I would like to know is, if I do a /.autorelabel
for one boot/root partition, does this mean that every
mounted filesystem that appears in /etc/fstab also gets
relabeled? If so, this is not what I want, especially if
other root distro partitions are being mounted, for example,
say: /md/{distro1, distro2, ...}
So, how do I get around this? I could comment out
all entries in /etc/fstab except / and /boot (plus the
required entries), touch /.autorelabel, reboot, and once
relabeling is completed, add back in the commented
out fstab entries, then issue a mount -a. Could I add an option
entry, say NO_RELABEL, to certain fstab entries?
Since I was introduced to /media in F9, I have never been able to
figure out how to add mounted "media" filesystems, which
is why I added them to fstab instead.
How do I solve this issue?
13 years
avc { module_request, relabelfrom }: openvpn->tun
by Mr Dash Four
When trying to start openvpn with 'service openvpn start'
(selinux=enforced) I get the following avc (audit.log):
----audit.log---------------
type=AVC msg=audit(1281803077.151:21): avc: denied { module_request }
for pid=1943 comm="openvpn" kmod="char-major-10-200"
scontext=unconfined_u:system_r:openvpn_t:s0
tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=SYSCALL msg=audit(1281803077.151:21): arch=40000003 syscall=5
success=no exit=-19 a0=80bf7b8 a1=2 a2=38 a3=96bd804 items=0 ppid=1
pid=1943 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=1 comm="openvpn" exe="/usr/sbin/openvpn"
subj=unconfined_u:system_r:openvpn_t:s0 key=(null)
-------------------
-----var/log/messages-------
Aug 14 17:24:37 test1 openvpn[1943]: Note: Cannot open TUN/TAP dev
/dev/net/tun: No such device (errno=19)
Aug 14 17:24:37 test1 openvpn[1943]: Note: Attempting fallback to kernel
2.2 TUN/TAP interface
Aug 14 17:24:37 test1 openvpn[1943]: Cannot open TUN/TAP dev /dev/tun0:
No such file or directory (errno=2)
Aug 14 17:24:37 test1 openvpn[1943]: Exiting
-------------------
When I try to execute 'openvpn --mktun --dev tun0 --user nobody --group
nobody' it works OK, but when I try to start openvpn it again fails with
the following avc:
----audit.log---------------
type=AVC msg=audit(1281803362.451:23): avc: denied { relabelfrom }
for pid=2007 comm="openvpn" scontext=unconfined_u:system_r:openvpn_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=tun_socket
type=SYSCALL msg=audit(1281803362.451:23): arch=40000003 syscall=54
success=no exit=-13 a0=5 a1=400454ca a2=bfb4c26c a3=87e4804 items=0
ppid=1 pid=2007 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=1 comm="openvpn" exe="/usr/sbin/openvpn"
subj=unconfined_u:system_r:openvpn_t:s0 key=(null)
-------------------
-----var/log/messages-------
Aug 14 17:29:22 test1 openvpn[2007]: Note: Cannot ioctl TUNSETIFF tun0:
Permission denied (errno=13)
Aug 14 17:29:22 test1 openvpn[2007]: Note: Attempting fallback to kernel
2.2 TUN/TAP interface
Aug 14 17:29:22 test1 openvpn[2007]: Cannot open TUN/TAP dev /dev/tun0:
No such file or directory (errno=2)
Aug 14 17:29:22 test1 openvpn[2007]: Exiting
-------------------
Any idea what might be the cause of this problem?
openvpn normally tries to open tun0, assign its IP address, net mask and
broadcast address, then reassign the routing on this particular machine
- nothing suspicious really!
13 years
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
13 years, 1 month
Mlogc problem after upgrade to F13
by Arthur Dent
Hello all,
Back in April Dominick Grift kindly helped me to create a new policy
module for mlogc on my Fedora11 installation.
(The original correspondence can be seen here:
http://lists.fedoraproject.org/pipermail/selinux/2010-April/012353.html)
In the last couple of days I have upgraded to F13 and, despite copying
and rebuilding the relevant policy modules, I am now getting another
raft of AVCs relating to mlogc.
To Summarise:
=============
ModSecurity Log Collector (mlogc) is used to send ModSecurity audit log
data to a console. It is installed as part of the Fedora rpm
mod_security-2.5.12-1.fc13.i686 which I installed as part of the
upgrade. The Actual Modsecurity Console (which receives the data) was
installed from source using the same tarball as was used on my F11
install.
With Dominick's help, these are the modules I created on the F11 box:
===========8<=======================================================
# cat mymlogc.te
policy_module(mymlogc, 1.0.10)

type mlogc_t;
type mlogc_exec_t;
type mlogc_var_log_t;
type mlogc_etc_t;

# mlogc's own log directory/files, created under /var/log by the domain
logging_log_file(mlogc_var_log_t)
logging_log_filetrans(mlogc_t, mlogc_var_log_t, { dir file })
application_domain(mlogc_t, mlogc_exec_t)
role system_r types mlogc_t;
# permissive mlogc_t;
manage_dirs_pattern(mlogc_t, mlogc_var_log_t, mlogc_var_log_t)
manage_files_pattern(mlogc_t, mlogc_var_log_t, mlogc_var_log_t)

# configuration and other read-only files
read_files_pattern(mlogc_t, mlogc_etc_t, mlogc_etc_t)
files_search_etc(mlogc_t)
files_config_file(mlogc_etc_t)
files_read_usr_symlinks(mlogc_t)
files_read_etc_files(mlogc_t)
files_list_tmp(mlogc_t)
pcscd_read_pub_files(mlogc_t)
pcscd_stream_connect(mlogc_t)
miscfiles_read_localization(mlogc_t)
miscfiles_read_certs(mlogc_t)
dev_read_urand(mlogc_t)
userdom_use_user_terminals(mlogc_t)
#apache_manage_log(mlogc_t)
kernel_read_system_state(mlogc_t)

# sockets, scheduling, capabilities and IPC used by the collector itself
allow mlogc_t self:tcp_socket create_socket_perms;
allow mlogc_t self:udp_socket create_socket_perms;
allow mlogc_t self:netlink_route_socket create_netlink_socket_perms;
allow mlogc_t self:process { setsched getsched };
allow mlogc_t self:capability { sys_nice dac_override };
allow mlogc_t self:sem create_sem_perms;

# outbound TCP to the ModSecurity console
corenet_all_recvfrom_netlabel(mlogc_t)
corenet_all_recvfrom_unlabeled(mlogc_t)
corenet_tcp_sendrecv_generic_if(mlogc_t)
corenet_tcp_sendrecv_generic_node(mlogc_t)
corenet_tcp_sendrecv_generic_port(mlogc_t)
corenet_tcp_bind_generic_node(mlogc_t)
corenet_sendrecv_generic_client_packets(mlogc_t)
corenet_tcp_connect_generic_port(mlogc_t)
===========8<=======================================================
===========8<=======================================================
# cat myapche.te
policy_module(myapache, 1.0.2)
gen_require(`
type httpd_t;
')
mlogc_domtrans(httpd_t)
mlogc_manage_log(httpd_t)
mlogc_signal(httpd_t)
===========8<=======================================================
And these are the new denials. Some worrying ones such as requiring
access to key files...
There were 12 AVCs relating to a single incident, but I have removed
ones I think are duplicates:
Raw Audit Messages :
node=troodos type=AVC msg=audit(1281734421.635:29370): avc: denied { write } for pid=3512 comm="mlogc" name="cert9.db" dev=sda6 ino=91782 scontext=system_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
node=troodos type=SYSCALL msg=audit(1281734421.635:29370): arch=40000003 syscall=5 success=no exit=-13 a0=b5926308 a1=8042 a2=1a4 a3=0 items=0 ppid=1506 pid=3512 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=system_u:system_r:mlogc_t:s0 key=(null)
Raw Audit Messages :
node=troodos type=AVC msg=audit(1281734421.847:29371): avc: denied { write } for pid=3512 comm="mlogc" name="tmp" dev=sda6 ino=1549 scontext=system_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
node=troodos type=SYSCALL msg=audit(1281734421.847:29371): arch=40000003 syscall=33 success=no exit=-13 a0=1e6774 a1=7 a2=1fca64 a3=2 items=0 ppid=1506 pid=3512 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=system_u:system_r:mlogc_t:s0 key=(null)
Raw Audit Messages :
node=troodos type=AVC msg=audit(1281734421.847:29373): avc: denied { write } for pid=3512 comm="mlogc" name="tmp" dev=sda6 ino=310 scontext=system_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
node=troodos type=SYSCALL msg=audit(1281734421.847:29373): arch=40000003 syscall=33 success=no exit=-13 a0=1e6778 a1=7 a2=1fca64 a3=4 items=0 ppid=1506 pid=3512 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=system_u:system_r:mlogc_t:s0 key=(null)
Raw Audit Messages :
node=troodos type=AVC msg=audit(1281734421.847:29374): avc: denied { write } for pid=3512 comm="mlogc" name="/" dev=sda6 ino=2 scontext=system_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
node=troodos type=SYSCALL msg=audit(1281734421.847:29374): arch=40000003 syscall=33 success=no exit=-13 a0=1e4d73 a1=7 a2=1fca64 a3=5 items=0 ppid=1506 pid=3512 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=system_u:system_r:mlogc_t:s0 key=(null)
Raw Audit Messages :
node=troodos type=AVC msg=audit(1281734421.852:29376): avc: denied { write } for pid=3512 comm="mlogc" name="key4.db" dev=sda6 ino=19637 scontext=system_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
node=troodos type=SYSCALL msg=audit(1281734421.852:29376): arch=40000003 syscall=5 success=no exit=-13 a0=b5933cf8 a1=8042 a2=1a4 a3=0 items=0 ppid=1506 pid=3512 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=system_u:system_r:mlogc_t:s0 key=(null)
Raw Audit Messages :
node=troodos type=AVC msg=audit(1281734421.861:29380): avc: denied { write } for pid=3512 comm="mlogc" name="/" dev=sda6 ino=2 scontext=system_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
node=troodos type=SYSCALL msg=audit(1281734421.861:29380): arch=40000003 syscall=33 success=no exit=-13 a0=1e4d73 a1=7 a2=1fca64 a3=5 items=0 ppid=1506 pid=3512 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=system_u:system_r:mlogc_t:s0 key=(null)
And this is what audit2allow makes of them...
require {
type mlogc_t;
}
#============= mlogc_t ==============
files_delete_root_dir_entry(mlogc_t)
files_delete_tmp_dir_entry(mlogc_t)
miscfiles_manage_cert_files(mlogc_t)
Should I add these to the above policy, or is there some other way?
Thanks in advance for any help or suggestions...
Mark
13 years, 1 month
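Worked example, added to this page: it is not code from any of the posts above and it is not audit2allow (which additionally maps raw rules onto policy interfaces). It joins each AVC record to the SYSCALL record that shares its audit serial, decodes the call and the argument that matters for it, and folds the denials into raw allow rules. The sample input is a constructed subset of the denials quoted in the Shorewall/ipset, openvpn->tun and mlogc posts, with the Shorewall lines rewritten from their syslog (type=1400) form into audit.log form. Decoding is what tells the three threads apart: ipset is denied create/getopt/setopt on a raw IP socket, the channel the old ipset userspace used to talk to the kernel via get/setsockopt (the lport=255 in those records is the raw socket's protocol number, IPPROTO_RAW, not a TCP port); openvpn was stopped at ioctl(TUNSETIFF) on a tun device labelled unconfined_t; mlogc opened the NSS databases cert9.db and key4.db with O_RDWR|O_CREAT, and its "write" denials on / and /tmp come from access() probes, which in practice are usually dontaudit material rather than grounds for the files_delete_*_dir_entry and miscfiles_manage_cert_files rules audit2allow proposed. The block only labels those cases; the allow-or-dontaudit decision stays with the reader. The i386 syscall numbers and flag values come from the arch=40000003 records on the page; the table here covers only the calls the sample uses.

```python
"""Join SELinux AVC records to their SYSCALL records, decode what the process
was doing, and fold the denials into raw allow rules.  Added example for this
page; not any poster's code and not audit2allow itself."""
import re
from collections import defaultdict

# i386 (arch=40000003) syscall numbers and flag bits that the sample uses.
I386_SYSCALLS = {5: "open", 33: "access", 54: "ioctl"}
OPEN_FLAGS = {0x1: "O_WRONLY", 0x2: "O_RDWR", 0x40: "O_CREAT",
              0x200: "O_TRUNC", 0x8000: "O_LARGEFILE"}
ACCESS_MODE = {4: "R_OK", 2: "W_OK", 1: "X_OK"}
IOCTLS = {0x400454ca: "TUNSETIFF"}

# Constructed sample: a subset of the denials quoted on this page, the ipset
# ones rewritten from their kernel/syslog form into audit.log form.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1281803362.451:23): avc: denied { relabelfrom } for pid=2007 comm="openvpn" scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=tun_socket
type=SYSCALL msg=audit(1281803362.451:23): arch=40000003 syscall=54 success=no exit=-13 a0=5 a1=400454ca a2=bfb4c26c a3=87e4804 items=0 ppid=1 pid=2007 comm="openvpn" exe="/usr/sbin/openvpn"
type=AVC msg=audit(1281734421.635:29370): avc: denied { write } for pid=3512 comm="mlogc" name="cert9.db" dev=sda6 ino=91782 scontext=system_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
type=SYSCALL msg=audit(1281734421.635:29370): arch=40000003 syscall=5 success=no exit=-13 a0=b5926308 a1=8042 a2=1a4 a3=0 items=0 ppid=1506 pid=3512 comm="mlogc" exe="/usr/bin/mlogc"
type=AVC msg=audit(1281734421.847:29371): avc: denied { write } for pid=3512 comm="mlogc" name="tmp" dev=sda6 ino=1549 scontext=system_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1281734421.847:29371): arch=40000003 syscall=33 success=no exit=-13 a0=1e6774 a1=7 a2=1fca64 a3=2 items=0 ppid=1506 pid=3512 comm="mlogc" exe="/usr/bin/mlogc"
type=AVC msg=audit(1277591565.629:29551): avc: denied { create } for pid=3799 comm="ipset" scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
type=AVC msg=audit(1277591565.629:29552): avc: denied { getopt } for pid=3799 comm="ipset" lport=255 scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
type=AVC msg=audit(1277591565.629:29553): avc: denied { setopt } for pid=3799 comm="ipset" lport=255 scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_MSG = re.compile(r'msg=audit\([\d.]+:(\d+)\)')
_PERMS = re.compile(r'denied\s+\{\s*([^}]*)\}')


def parse_record(line):
    """One audit line -> dict of its serial, key=value fields and, for AVC
    records, the list of denied permissions; None for non-audit lines."""
    m = _MSG.search(line)
    if not m:
        return None
    rec = {"serial": int(m.group(1))}
    for key, val in _KV.findall(line):
        rec[key] = val.strip('"')
    p = _PERMS.search(line)
    if p:
        rec["perms"] = p.group(1).split()
    return rec


def join_records(text):
    """Group records by audit serial (the AVC and SYSCALL lines of one event
    share it) and return [(avc, syscall_or_None), ...] in serial order."""
    by_serial = defaultdict(dict)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            by_serial[rec["serial"]][rec["type"]] = rec
    return [(g["AVC"], g.get("SYSCALL"))
            for _, g in sorted(by_serial.items()) if "AVC" in g]


def type_of(context):
    """Type component of a context string (user:role:type[:range])."""
    return context.split(":")[2]


def decode_syscall(sc):
    """Name the denied call and decode the argument that matters for it."""
    if sc is None:
        return "no SYSCALL record"
    if sc.get("arch") != "40000003":          # only the i386 table is loaded
        return "unknown arch " + sc.get("arch", "?")
    name = I386_SYSCALLS.get(int(sc["syscall"]), "syscall" + sc["syscall"])
    a1 = int(sc["a1"], 16)
    if name == "open":
        flags = [n for bit, n in OPEN_FLAGS.items() if a1 & bit] or ["O_RDONLY"]
        return "open(" + "|".join(flags) + ")"
    if name == "access":
        return "access(" + "|".join(n for bit, n in ACCESS_MODE.items() if a1 & bit) + ")"
    if name == "ioctl":
        return "ioctl(" + IOCTLS.get(a1, hex(a1)) + ")"
    return name


def allow_rules(events):
    """Fold denials into one raw rule per (source type, target type, class),
    writing 'self' when the two types match, as audit2allow does."""
    perms = defaultdict(set)
    for avc, _ in events:
        src, tgt = type_of(avc["scontext"]), type_of(avc["tcontext"])
        perms[(src, "self" if src == tgt else tgt, avc["tclass"])].update(avc["perms"])
    rules = []
    for (src, tgt, cls), ps in sorted(perms.items()):
        body = " ".join(sorted(ps))
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, "{ %s }" % body if len(ps) > 1 else body))
    return rules


def triage(events):
    """Per denial: process, permission, class, object, decoded call and a
    heuristic hint: an access() probe is usually dontaudit material, anything
    else needs a decision about whether the access is legitimate."""
    rows = []
    for avc, sc in events:
        call = decode_syscall(sc)
        hint = "dontaudit candidate" if call.startswith("access(") else "review"
        rows.append((avc["comm"], " ".join(avc["perms"]), avc["tclass"],
                     avc.get("name", avc.get("kmod", "-")), call, hint))
    return rows


if __name__ == "__main__":
    evs = join_records(SAMPLE_AUDIT)
    for row in triage(evs):
        print("%-8s %-11s %-13s %-10s %-32s %s" % row)
    print()
    print("\n".join(allow_rules(evs)))
```

Run it as a script to get the triage table followed by the four raw rules; to use it on a real log, feed the output of `ausearch -m avc,syscall` into join_records() instead of SAMPLE_AUDIT. The ipset rule it produces, `allow shorewall_t self:rawip_socket { create getopt setopt };`, is the complete set only because the permissive-mode run recorded all three steps; the enforcing-mode run stopped at `create`, which is why collecting denials in permissive mode before writing a module matters.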
sandbox: close one window -> closes them all
by Christoph A.
Hi,
I'm experiencing severe problems with my sandboxes.
In some cases when I close a sandbox window, all other sandbox instances
get closed/killed too.
I can reproduce it as follows:
- click on multiple random urls (not in the browser) -> multiple
sandboxed firefox windows fire up (that is my default browser)
- close one of these sandboxes -> all sandboxes get killed
However I can not reproduce it by opening multiple sandboxes in the
terminal.
I'm currently using:
policycoreutils-2.0.83-20.fc13.x86_64
To see if one of the latest updates introduced this issue I wanted to
downgrade that package, but that failed (dependencies).
Is someone else (using the same version) experiencing the same behaviour?
kind regards,
Christoph
13 years, 1 month
sandbox: firefox
by Christoph A.
Hi,
I regularly use firefox in a SELinux sandbox.
Sometimes some strange behaviour arises:
- scrolling results in zooming
- every click on a link results in 'Save As' dialog
- mouse can't leave the sandbox window (until the window gets closed
with ctrl-w)
- lets call it "strange" keyboard mapping: pressing keys results in
actions within the firefox menu
Somehow it looks like ctrl is pressed all the time.
These symptoms don't come together.
The 'mouse can't leave' problem occurred only twice.
These symptoms usually occur while many tabs are open.
Is anyone else experiencing similar behaviour?
btw:
If you are using a sandboxed firefox as your default browser through
'System' -> 'Preferences' -> 'Preferred Applications' -> Internet ->
Command
consider double quoting %s in the command -> '"%s"'
or you might just get a black Xephyr window without firefox if your URL
contains special chars. I guess this happens because these parameters
get passed around (sandbox -> sandboxX.sh).
Don't know if this should be considered a bug.
kind regards,
Christoph A.
13 years, 1 month
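The quoting tip at the end of the post above, as an added illustration (not code from the post or from the sandbox tool). It assumes the failure mode the poster guesses at: the command line from the Preferred Applications entry is handed on to a wrapper script that re-evaluates it as shell text, so an unquoted %s is split on whitespace (and a URL carrying ; or & would be run as shell syntax, which is the argument-injection risk behind the tip). The fake_browser function and the file:// URL are stand-ins constructed for the example.

```sh
# Stand-in for the browser at the end of the chain: reports how many
# arguments reached it.
fake_browser() {
    echo "$#"
}

# What an entry like  sandbox -X firefox %s  amounts to once the wrapper
# re-parses the command text: the URL is pasted in unquoted, so the shell
# splits it into words and interprets any metacharacters in it.
launch_unquoted() {
    eval "fake_browser $1"
}

# The same entry written as  sandbox -X firefox "%s" : the URL is one word
# again (a URL containing a double quote would still need escaping, so a
# wrapper that passes "$@" through instead of re-evaluating text is safer).
launch_quoted() {
    eval "fake_browser \"$1\""
}

# Constructed URL with a space, as a file:// path or hand-typed URL may have.
URL='file:///home/user/My Documents/page.html'

launch_unquoted "$URL"   # the browser sees two arguments
launch_quoted "$URL"     # the browser sees one
```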