On 09/12/2010 08:54 AM, Christoph A. wrote:
> Hi,
>
> I was using firefox within sandboxes for a while without perm. home
> directory.
> To store bookmarks, addons and so on, I started to use perm. homedir (-H).
>
> Because firefox does not allow multiple concurrent sessions (lock on
> .mozilla) it is not possible to open multiple websites when specifying
> the same sandbox homedir, hence I'm looking for a possibility to open
> new websites within a running sandbox from outside.
>
> Without sandboxes everyone can open new websites in a running firefox
> instance using:
> firefox -remote "openurl(http://www.mozilla.org)"
>
> sandbox scenario:
>
> 1. step:
> start firefox:
> sandbox -X -H homedir -T tempdir -t sandbox_web_t -l s0:c100,c100 firefox
>
> 2. step:
> sandbox -H homedir -T tempdir -t sandbox_web_t -l s0:c100,c100 firefox -remote "openurl(http://www.mozilla.org)"
>
> My current attempts fail because I'm unable to use the '-l' option
> (#632377) but would the policy allow the 'firefox -remote' command if
> type and security level match with the already running sandbox?
>
> kind regards,
> Christoph
> --
> selinux mailing list
> selinux(a)lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

I have gotten this to work, but it is not pretty.
I created a file in homedir called firefox.sh
It looks like
cat homedir/firefox.sh
#!/bin/sh
DISPLAY=:1.0 /usr/bin/firefox -remote "openurl($1)"
Then
sandbox -H ~/sandbox/homedir -T ~/sandbox/tempdir -t sandbox_web_t -l s0:c100 /bin/sh ~/firefox.sh http://www.redhat.com
Seems to work.
The key thing is figuring out the DISPLAY.
A possible solution would be to change the /usr/share/sandbox/sandboxX.sh
to the attached.
Which creates a ~/seremote application within homedir that looks like
#!/bin/sh -x
DISPLAY=:1 $*
:1 will be different for each additional sandbox.
Then you could execute
sandbox -H ~/sandbox/homedir -T ~/sandbox/tempdir -t sandbox_web_t -l s0:c100 /bin/sh ~/seremote firefox -remote "openurl(http://www.redhat.com)"
And it will work.
I will have to make policy changes to allow
sandbox -H ~/sandbox/homedir -T ~/sandbox/tempdir -t sandbox_web_t -l s0:c100 ~/seremote firefox -remote "openurl(http://www.redhat.com)"
to work.
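The seremote wrapper described in the reply above, written out as an added example that is not part of the original message or of the sandbox package. The function name write_seremote, the check on the DISPLAY value and the use of "$@" in place of $* are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread): write a "seremote"-style wrapper into a
# sandbox home directory. Function name and validation are assumptions.

# write_seremote HOMEDIR DISPLAY
# Creates HOMEDIR/seremote, which runs its arguments with DISPLAY fixed to the
# sandbox's X display. Returns 1 if DISPLAY is not of the form :N or :N.M.
write_seremote() {
    homedir=$1
    display=$2

    # The value is written into a script that later runs inside the sandbox,
    # so accept only a local display number and nothing a shell would interpret.
    case $display in
        :*) num=${display#:} ;;
        *)  return 1 ;;
    esac
    case $num in
        ''|*[!0-9.]*|.*|*.|*.*.*) return 1 ;;
    esac

    [ -d "$homedir" ] || return 1
    wrapper=$homedir/seremote

    # "$@" (rather than $*) keeps each argument intact, so a URL or option
    # containing spaces or glob characters reaches the command unchanged.
    cat > "$wrapper" <<EOF || return 1
#!/bin/sh
DISPLAY=$display exec "\$@"
EOF
    chmod 0700 "$wrapper"
}
```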