[sandbox] modifying the Xephyr window title (patch)
by Christoph A.
Hi,
If most of your windows are sandboxed applications, your bar looks like:
[Sandbox sandbo..] [Sandbox sandbo..] [Sandbox sandbo..]
and it is hard to find a specific application.
example of a current Xephyr title:
Sandbox sandbox_web_t:s0:c112,c991 -- /usr/bin/firefox
with the modification in the attached patch titles will look like:
/usr/bin/firefox (sandbox_web_t)
and it should be easier to find a specific application.
In addition to the type I would find it handy to also include the
DISPLAY in the title (needed when using xsel for copy'n paste).
The second patch only adds '-nolisten tcp' to Xephyr, but if there are
use cases where one needs Xephyr to open a listener this patch will
break things.
regards,
Christoph A.
btw: secon's manpage doesn't contain the '-l' option.
11 years, 5 months
sandbox cleanup?
by Christoph A.
Hi,
I just noticed that I have over 100 processes running in the
sandbox_web_client_t domain, although I closed all my sandbox windows.
ps auxZ|grep sandbox_web_client_t|grep -c /usr/libexec/gvfsd
52
ps auxZ|grep sandbox_web_client_t|grep -c '/bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session'
51
Shouldn't they be killed after I closed all sandbox windows?
Kind regards,
Christoph
12 years, 5 months
Re: new policy modules submission
by Dominick Grift
On 04/29/2011 12:06 AM, Mr Dash Four wrote:
> See attached. I have enclosed 2 policy modules to start with and see how
> it goes. I also enclosed a readme file with some notes on these
> policies. Comments, suggestions are mostly welcome!
Hi,
I took a look at your policy modules. I would like to focus on the
transmission-daemon policy module.
I am not confident that any skype policy has a good chance of getting
adopted or any other gui user app for that matter.
The user space is not yet confined in a way that supports gui user
application policy optimally, and until it is I do not want to waste time
on getting any gui user application policy accepted.
Confining transmission-daemon on the other hand seems like a good idea.
I have perused your policy and I rewrote it partly.
However I have only tested starting and stopping transmission-daemon.
I have not actually used it and so policy is missing.
Could you please test my policy and provide feedback so that it can be
extended?
There are some things to be noted:
The policy supports a default setup. That is to say:
transmission-daemon-2.11-2.fc14.x86_64
No changes have been made. I just installed it and ran it.
Can you please do the same?
Here is my policy:
1. Add to corenetwork.te.in:
network_port(bittorrent_ctl, tcp,9091,s0)
I have not yet dealt with any other ports/connections. I would like to
see raw AVC denials of that if possible.
2. Add to init.te:
optional_policy(`
bittorrent_read_daemon_config_files(initrc_t)
')
3. The bittorrent policy module:
-- a: bittorrent.te:
policy_module(bittorrent, 1.0.0)
########################################
#
# Declarations
#
## <desc>
## <p>
## Allow bittorrent servers to use cifs
## used for public file transfer services.
## </p>
## </desc>
gen_tunable(allow_bittorrentd_use_cifs, false)
## <desc>
## <p>
## Allow bittorrent servers to use nfs
## used for public file transfer services.
## </p>
## </desc>
gen_tunable(allow_bittorrentd_use_nfs, false)
type bittorrentd_t;
type bittorrentd_exec_t;
init_daemon_domain(bittorrentd_t, bittorrentd_exec_t)
type bittorrentd_initrc_exec_t;
init_script_file(bittorrentd_initrc_exec_t)
type bittorrentd_etc_t;
files_config_file(bittorrentd_etc_t)
type bittorrentd_var_lib_t;
files_type(bittorrentd_var_lib_t)
type bittorrentd_var_log_t;
logging_log_file(bittorrentd_var_log_t)
########################################
#
# Local policy
#
allow bittorrentd_t self:capability { setgid setuid };
dontaudit bittorrentd_t self:capability sys_tty_config;
allow bittorrentd_t self:process { getsched setsched };
allow bittorrentd_t self:fifo_file rw_fifo_file_perms;
allow bittorrentd_t self:tcp_socket { accept listen };
allow bittorrentd_t self:unix_stream_socket create_socket_perms;
manage_dirs_pattern(bittorrentd_t, bittorrentd_var_lib_t, bittorrentd_var_lib_t)
manage_files_pattern(bittorrentd_t, bittorrentd_var_lib_t, bittorrentd_var_lib_t)
allow bittorrentd_t bittorrentd_var_log_t:file { create_file_perms setattr_file_perms append_file_perms };
logging_log_filetrans(bittorrentd_t, bittorrentd_var_log_t, file)
kernel_read_network_state(bittorrentd_t)
corenet_all_recvfrom_unlabeled(bittorrentd_t)
corenet_all_recvfrom_netlabel(bittorrentd_t)
corenet_tcp_sendrecv_generic_if(bittorrentd_t)
corenet_udp_sendrecv_generic_if(bittorrentd_t)
corenet_tcp_sendrecv_generic_node(bittorrentd_t)
corenet_udp_sendrecv_generic_node(bittorrentd_t)
corenet_tcp_bind_generic_node(bittorrentd_t)
corenet_udp_bind_generic_node(bittorrentd_t)
corenet_tcp_bind_bittorrent_ctl_port(bittorrentd_t)
corenet_tcp_sendrecv_bittorrent_ctl_port(bittorrentd_t)
corenet_sendrecv_bittorrent_ctl_server_packets(bittorrentd_t)
dev_read_urand(bittorrentd_t)
domain_use_interactive_fds(bittorrentd_t)
files_search_var_lib(bittorrentd_t)
files_search_pids(bittorrentd_t)
fs_search_auto_mountpoints(bittorrentd_t)
auth_use_nsswitch(bittorrentd_t)
logging_send_syslog_msg(bittorrentd_t)
miscfiles_read_localization(bittorrentd_t)
miscfiles_read_public_files(bittorrentd_t)
tunable_policy(`allow_bittorrentd_use_cifs',`
fs_read_cifs_files(bittorrentd_t)
')
tunable_policy(`allow_bittorrentd_use_nfs',`
fs_read_nfs_files(bittorrentd_t)
')
optional_policy(`
seutil_sigchld_newrole(bittorrentd_t)
')
-- b: bittorrent.if:
## <summary>Bittorrent peer-to-peer communications protocol for file sharing.</summary>
########################################
## <summary>
## Read bittorrent daemon
## configuration files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`bittorrent_read_daemon_config_files',`
gen_require(`
type bittorrentd_etc_t;
')
files_search_etc($1)
allow $1 bittorrentd_etc_t:file read_file_perms;
')
-- c: bittorrent.fc:
/etc/rc\.d/init\.d/transmission-daemon -- gen_context(system_u:object_r:bittorrentd_initrc_exec_t,s0)
/etc/sysconfig/transmission-daemon -- gen_context(system_u:object_r:bittorrentd_etc_t,s0)
/usr/bin/transmission-daemon -- gen_context(system_u:object_r:bittorrentd_exec_t,s0)
/var/lib/transmission(/.*)? gen_context(system_u:object_r:bittorrentd_var_lib_t,s0)
/var/log/transmission-daemon\.log.* -- gen_context(system_u:object_r:bittorrentd_var_log_t,s0)
Please compare what I have to what you have and ask questions about why
my implementation differs from yours.
Here are a few basic comments:
1. I named the policy module bittorrent instead of transmission. This is
because there are many bittorrent servers I suspect. This class of
servers has similar properties and so it makes sense to group them all
in a single bittorrent domain.
2. I have labelled /etc/sysconfig/transmission-daemon: This is required
to make any bittorrent_admin functional. We want bittorrent_admin to be
able to define bittorrent server arguments (edit
/etc/sysconfig/transmission-daemon)
3. The transmission-daemon package installs only the following files:
/etc/rc.d/init.d/transmission-daemon
/etc/sysconfig/transmission-daemon
/usr/bin/transmission-daemon
/usr/share/man/man1/transmission-daemon.1.gz
/var/lib/transmission
The /etc/rc.d/init.d/transmission-daemon script defines
/var/log/name.log to be the default log file location. Yet there is no
log file location specified in the "server args". This seems to be a
bug, but it does not have to be if transmission-daemon logs to /var/log
by default without setting the log server arg.
I only started and stopped the server, and it did not create any log files.
4. The transmission-daemon lock and pid file are created by the init
script and not by transmission-daemon.
5. The default location for transmission-daemon content appears to be
/var/lib/transmission. The transmission-daemon created files and
directories below there (.config/transmission-daemon.*). It seems that
bittorrent_admin is expected to put the torrent content in the
applicable layers below that directory as I understand it.
Please try out my version of the policy on a clean and unmodified Fedora
14+ transmission-daemon installation, and provide feedback. Raw AVC
denials are preferred.
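As an added illustration (this is not code from the post, nor from refpolicy or the setfiles tooling), here is a small Python checker that reads the bittorrent.fc entries above the way a file_contexts consumer does and reports which context a path of a given object class would receive, so the effect of the `--` flag, the `\.` escapes and the `(/.*)?` suffix can be checked before running restorecon. The sample text is the post's five entries rejoined; the ranking rule (longest literal stem wins, later entry wins ties) is my approximation of setfiles' ordering, not its exact algorithm.

```python
import re

# Constructed sample: the five bittorrent.fc entries from the post above (wrapped lines rejoined).
# Line format: <path regex> [<type flag>] gen_context(<context>,<mls range>)
BITTORRENT_FC = r"""
/etc/rc\.d/init\.d/transmission-daemon -- gen_context(system_u:object_r:bittorrentd_initrc_exec_t,s0)
/etc/sysconfig/transmission-daemon -- gen_context(system_u:object_r:bittorrentd_etc_t,s0)
/usr/bin/transmission-daemon -- gen_context(system_u:object_r:bittorrentd_exec_t,s0)
/var/lib/transmission(/.*)? gen_context(system_u:object_r:bittorrentd_var_lib_t,s0)
/var/log/transmission-daemon\.log.* -- gen_context(system_u:object_r:bittorrentd_var_log_t,s0)
"""

FC_LINE = re.compile(r"^(\S+)\s+(?:(-[-bcdlps])\s+)?gen_context\(([^,]+),(\S+)\)$")
# type flags as in file_contexts(5); an entry without a flag applies to every object class
FLAG_TO_KIND = {"--": "file", "-d": "dir", "-c": "chr", "-b": "blk",
                "-s": "sock", "-l": "lnk", "-p": "fifo"}

def parse_fc(text):
    """Parse file_contexts text into (regex, kind or None, context, stem) tuples."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE.match(line)
        if m is None:
            raise ValueError("malformed file_contexts line: " + line)
        regex, flag, ctx, mls = m.groups()
        # stem: literal prefix up to the first regex metacharacter, used to rank specificity
        stem = re.split(r"[.*?+^$|\\\[(]", regex, maxsplit=1)[0]
        specs.append((re.compile(regex), FLAG_TO_KIND[flag] if flag else None, ctx + ":" + mls, stem))
    return specs

def match_context(specs, path, kind):
    """Context a path of the given kind ('file', 'dir', ...) would be labelled with, or None.
    Ranking assumption: longest literal stem wins, later entry wins ties."""
    best = None
    for idx, (rx, spec_kind, ctx, stem) in enumerate(specs):
        if spec_kind is not None and spec_kind != kind:
            continue  # a '--' entry only ever labels regular files
        if rx.fullmatch(path) is None:
            continue  # the whole path must match, not just a prefix
        key = (len(stem), idx)
        if best is None or key > best[0]:
            best = (key, ctx)
    return None if best is None else best[1]

SPECS = parse_fc(BITTORRENT_FC)
```

Calling `match_context(SPECS, "/etc/sysconfig/transmission-daemon", "dir")` returns None because the entry carries `--`, which is the kind of mismatch that explains a file left in the default label after restorecon.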
12 years, 7 months
new policy modules submission
by Mr Dash Four
I have written quite a few policy modules for packages/applications
which, as far as I know, are not yet covered by the main Fedora SE
policy (targeted). In fact, on all my machines the SE policies employed
there reached 100% coverage about 2 months ago and I am quite content
they are doing a pretty good job.
These policies have been gradually tweaked during the last few months and
I consider them reasonably stable (they have been in use for the past
5-6 months or so without major problems). So, to contribute to the
'common good' - is there a formal process for submission of new policy
modules for review (and possible inclusion into the main stream
-targeted policy with Fedora) or do I just go and do that through bugzilla?
12 years, 7 months
sandbox: open new firefox tab from outside
by Christoph A.
Hi,
I was using firefox within sandboxes for a while without perm. home
directory.
To store bookmarks, addons and so on, I started to use perm. homedir (-H).
Because firefox does not allow multiple concurrent sessions (lock on
.mozilla) it is not possible to open multiple websites when specifying
the same sandbox homedir, hence I'm looking for a possibility to open
new websites within a running sandbox from outside.
Without sandboxes everyone can open new websites in a running firefox
instance using:
firefox -remote "openurl(http://www.mozilla.org)"
sandbox scenario:
1. step:
start firefox:
sandbox -X -H homedir -T tempdir -t sandbox_web_t -l s0:c100,c100 firefox
2. step:
sandbox -H homedir -T tempdir -t sandbox_web_t -l s0:c100,c100 firefox -remote "openurl(http://www.mozilla.org)"
My current attempts fail because I'm unable to use the '-l' option
(#632377) but would the policy allow the 'firefox -remote' command if
type and security level matches with the already running sandbox?
kind regards,
Christoph
12 years, 7 months
Pointer to known threats to test sVirt/SELinux for LXC/KVM
by sanjay
Hi! I am new to SELinux/sVirt domain. From the material I found on the net,
it is clear that sVirt/SELinux can provide an additional layer of security
for VMs implemented using LXCs and KVMs. I was wondering, if you can suggest
pointers to known threat cases that I can use to test/evaluate sVirt ? Your
help will be much appreciated.
Regards,
Sanjay
12 years, 7 months
dontaudit statement specifics
by Mr Dash Four
I have a bit of a conundrum - I have confined proprietary code with my
own policy file. As part of (normal) operation this program tries to
load the "net-pf-10" kernel module and since IPv6 is completely disabled
on the target system (via sysctl) that raises "kernel_t:system {
module_request }" avc.
I know I could add "dontaudit propriety_code_t kernel_t:system {
module_request };", but that would apply to *all* kernel modules, which
is not what I'd like (I want avc raised when this proprietary code tries
to load any kernel module *except* "net-pf-10").
Is it possible to use dontaudit statement and include a specific kernel
module - net-pf-10 in my case - or is there a more appropriate solution
to this?
12 years, 8 months
iptables match based on source security context?
by Christoph A.
Hi,
I'd like to redirect traffic (for transparent proxying) coming from a
program running in a sandbox_net_t (or sandbox_web_t) sandbox, but as
far as I've seen there is no possibility to match/mark packets based on
their local security context origin.
Is that idea somehow possible?
thanks,
Christoph A.
12 years, 8 months
MLS and back from runlevel 3
by H S
Hi 2 all,
As the http://fedoraproject.org/wiki/SELinux/FedoraMLSHowto said:
Configure the system to boot into run level 3 by default:
perl -p -i -e "s/^id:5:initdefault:/id:3:initdefault:/g" /etc/inittab
Then when SELinux executes the MLS policy instead of targeted, does the
system always boot in runlevel 3 mode?
I would like to run PostgreSQL DBMS based on MLS security policy.
But when the system boots in runlevel 3, I have some problems.
Is there any idea how I can come back to the previous run level?
However, when I did it, my screen was blinking, then I had nothing (black screen).
The system is Fedora 14, I have just installed selinux-policy-mls-3.9.7-38.fc14.noarch.rpm.
Regards,
Flora
12 years, 8 months
MLS and Desktop Environment
by H S
Please let me know how I could boot into my Fedora 14 system with the selinux-mls policy in a runlevel greater than 3, as the manual said?
(step by step commands / method)
Thanks,
12 years, 8 months