Re: Allowing access to session dbus from sandbox

I would like to allow chromium within a sandbox to access KWallet running in KDE outside the sandbox, so that (a) my website passwords cannot be directly read from within a sandbox - access must be mediated by KWallet, which can prompt me for my KWallet password to confirm. So if I am prompted by KWallet while on a web page without a saved password, I will know something is amiss. (b) my website passwords are shared between sandboxes I say chromium because Firefox does not use an external wallet service. I've got part-way there. Here is what I've done so far: I found out that KWallet uses dbus to communicate (specifically, the session bus, because it's a desktop daemon). Because the dbus session bus is by default a unix socket in /tmp, which would be hidden by seunshare, I created /etc/dbus-1/session-local.conf as follows: <!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd"> <busconfig> <listen>unix:tmpdir=/dev/shm</listen> </busconfig> and logged out and logged back in again in order to restart the session bus. I then passed the dbus socket name into the sandbox at creation time using env DBUS_SESSION_BUS_ADDRESS=unix:abstract=/dev/shm/dbus-wyOMqiEGrR,guid=8e741d603eb65ed7bf138cac00060be0 xterm as the command for sandbox to run. To run chromium I used chromium-browser --no-sandbox --password-store=kwallet A couple of iterations of audit2allow and semodule -i later, I had this policy module installed: allow sandbox_web_client_t unconfined_dbusd_t:unix_stream_socket connectto; allow sandbox_web_client_t config_usr_t:dir read; allow sandbox_web_client_t unconfined_t:unix_stream_socket connectto; but chromium is still outputting to the terminal this when it tries to communicate with KWallet: ** (exe:9107): WARNING **: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender="(null)" (inactive) interface="org.freedesktop.DBus" member="Hello" error name="(unset)" requested_reply="0" destination="org.freedesktop.DBus" (bus) I can't find relevant entries in /var/log/audit.log at first glance, so maybe these are checks done by the dbus daemon itself, rather than the kernel.

-- selinux mailing list selinux(a)lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux