On Thu, 2013-08-29 at 12:01 +0000, fedorauser wrote:
>> What avc messages are you seeing?
>
> As Dominick anticipated I got:
>
> avc: denied { name_bind } for pid=23725 comm="tor" src=9150
> scontext=unconfined_u:unconfined_r:sandbox_net_client_t:s0:c353,c458
>
>
tcontext=system_u:object_r:tor_port_t:s0 tclass=tcp_socket
The quickest (but dirty) fix seams to be to configure TBB to bind to
another port (I used 9152 instead of tcp/9150).
Changing the SocksPort in TBB's torrc + nis_enabled works for me, but I
will build a new sandbox domain anyway.
In the end I'd like to have sandbox type that is able to run TBB out
of the box without nis_enabled.
(Why is 9150 in tor_port_t anyway? Tor uses 9050 by default. Are there
other common configurations that use 9150 for tor?)
I tried to create a copy of sandbox_net_t (with different name) by
copying the "sandbox_net_client_t local policy" section from
sandboxX.te [1] and the "sandbox_x_domain_template(sandbox_net)" -
line, but failed (typeattribute line).
What would be *the* way to create a (renamed) copy of sandbox_net_t?
(I'd prefer just to create an exact copy instead of approximating the
domain via audit2allow runs.)
I showed you in the video how to create custom sandboxes.
sandbox_net_t is just another sandbox with full network access as far as
i know
So the procedure is pretty much the same as my video
to grant full network access you would do probably something like this:
policy_module(mysandbox, 1.0.0)
sandbox_x_domain_template(mysandbox)
# the below grants pretty much full access to the tcp/udp network
gen_require(`
attribute port_type;
')
allow mysandbox_t self:tcp_socket create_stream_socket_perms;
allow mysandbox_t self:udp_socket create_stream_socket_perms;
allow mysandbox_t port_type:tcp_socket { name_connect name_bind };
allow mysandbox_t port_type:udp_socket name_bind;
#EOF
After that its pretty much the same procedure as i demonstrated in my
video