does not work for me, but the error is different; now I get AVCs:
type=AVC msg=audit(1400172843.275:385): avc: denied { connectto } for
pid=24118 comm="Xephyr" path=002F746D702F2E5831312D756E69782F5830
scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c190,c873
tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tclass=unix_stream_socket
To come back to this topic, which is now fairly old, I tried to add some
rules to the policy in a module of my own.
I'm on a fairly up-to-date system:
selinux-policy-sandbox-3.12.1-179.fc20.noarch
selinux-policy-doc-3.12.1-179.fc20.noarch
libpcap-1.5.3-1.fc20.x86_64
selinux-policy-devel-3.12.1-179.fc20.noarch
selinux-policy-targeted-3.12.1-179.fc20.noarch
selinux-policy-3.12.1-179.fc20.noarch
I did the following additions:
# Module header so the fragment builds as a .te file with the
# selinux-policy-devel Makefile; the module name is a placeholder.
policy_module(sandbox_web_local, 1.0)

# Types and classes referenced below that are defined in other modules.
require {
    type sandbox_web_t;
    type xserver_misc_device_t;
    type rtkit_daemon_t;
    type sound_device_t;
    type mozilla_plugin_t;
    class process setrlimit;
    class netlink_kobject_uevent_socket create;
    class file { read };
    class chr_file { open read write getattr };
    class dbus send_msg;
    class sem { unix_read unix_write };
}

#============= sandbox_web_t ==============
# Network and X server access for the sandboxed browser.
corenet_tcp_connect_http_port(sandbox_web_t)
corenet_tcp_connect_xserver_port(sandbox_web_t)
xserver_non_drawing_client(sandbox_web_t)
# tmpfs access (see the question below about whether this is needed).
userdom_rw_inherited_user_tmpfs_files(sandbox_web_t)
userdom_manage_tmpfs_files(sandbox_web_t)
# Sound output.
allow sandbox_web_t sound_device_t:chr_file { open read };

# Denials that are harmless for this use and only clutter the audit log.
dontaudit sandbox_web_t rtkit_daemon_t:dbus send_msg;
dontaudit sandbox_web_t self:netlink_kobject_uevent_socket create;
dontaudit sandbox_web_t self:process setrlimit;
dontaudit sandbox_web_t xserver_misc_device_t:chr_file { read write getattr };
dontaudit mozilla_plugin_t sandbox_web_t:sem { unix_read unix_write };
I'm not sure about the userdom tmpfs things, but with this, sandbox -X
runs a Firefox session with plugins fairly well.
Is this too open for a sandbox?
Klaus
--
------------------------------------------------------------------------
Klaus Lichtenwalder, Dipl. Inform.,
http://www.lichtenwalder.name/
PGP Key fingerprint: 5EBB CEF6 CA30 A205 5ECA DABD 494E 113E 9D79 B7F4
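An added example, not part of the post above: a small Python parser for AVC records like the one quoted in the message. It decodes the hex-encoded path= field (the leading NUL byte shows the X server socket is an abstract unix socket, which is why the kernel hex-encoded it) and derives the single allow rule the denial corresponds to, so the rule can be reviewed before it goes into a module. The sample record is the post's own denial rejoined onto one line; the function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple
# Constructed sample input: the denial quoted in the post, rejoined onto one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1400172843.275:385): avc: denied { connectto } for '
    'pid=24118 comm="Xephyr" path=002F746D702F2E5831312D756E69782F5830 '
    'scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c190,c873 '
    'tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket'
)
_RESULT_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

@dataclass
class Avc:
    result: str             # "denied" or "granted"
    permissions: List[str]  # e.g. ["connectto"]
    fields: Dict[str, str]  # key=value pairs with quotes removed
    path: str               # decoded path= ("" when absent)
    abstract_socket: bool   # path began with a NUL byte (abstract unix socket)

def decode_path(raw: str) -> Tuple[str, bool]:
    # auditd hex-encodes path= when it holds unprintable bytes; a leading NUL
    # byte means the name is in the abstract unix-socket namespace.
    if raw.startswith('"'):
        return raw.strip('"'), False
    if re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', raw):
        data = bytes.fromhex(raw)
        return data.lstrip(b'\x00').decode('utf-8', 'replace'), data.startswith(b'\x00')
    return raw, False

def context_type(ctx: str) -> str:
    # user:role:type[:range] -> type
    return ctx.split(':')[2]

def parse_avc(line: str) -> Avc:
    m = _RESULT_RE.search(line)
    if m is None:
        raise ValueError('not an AVC record')
    raw = dict(_FIELD_RE.findall(line))
    path, abstract = decode_path(raw.get('path', '""'))
    fields = {k: v.strip('"') for k, v in raw.items()}
    return Avc(m.group(1), m.group(2).split(), fields, path, abstract)

def allow_rule(avc: Avc) -> str:
    # The rule that would permit exactly this denial (what audit2allow emits);
    # review it against the sandbox's purpose before loading it.
    return (f"allow {context_type(avc.fields['scontext'])} "
            f"{context_type(avc.fields['tcontext'])}:{avc.fields['tclass']} "
            f"{{ {' '.join(avc.permissions)} }};")
```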