On 08/13/2012 08:40 AM, Dominick Grift wrote:
On Mon, 2012-08-13 at 06:33 +0100, Robin Green wrote:
> I would like to allow chromium within a sandbox to access KWallet running
> in KDE outside the sandbox, so that
>
> (a) my website passwords cannot be directly read from within a sandbox -
> access must be mediated by KWallet, which can prompt me for my KWallet
> password to confirm. So if I am prompted by KWallet while on a web page
> without a saved password, I will know something is amiss.
>
> (b) my website passwords are shared between sandboxes
>
> I say chromium because Firefox does not use an external wallet service.
>
> I've got part-way there. Here is what I've done so far:
>
> I found out that KWallet uses dbus to communicate (specifically, the
> session bus, because it's a desktop daemon). Because the dbus session bus
> is by default a unix socket in /tmp, which would be hidden by seunshare,
> I created /etc/dbus-1/session-local.conf as follows:
>
> <!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
>  "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
> <busconfig>
>
> <listen>unix:tmpdir=/dev/shm</listen>
>
> </busconfig>
>
> and logged out and logged back in again in order to restart the session
> bus.
>
> I then passed the dbus socket name into the sandbox at creation time
> using
>
> env DBUS_SESSION_BUS_ADDRESS=unix:abstract=/dev/shm/dbus-wyOMqiEGrR,guid=8e741d603eb65ed7bf138cac00060be0 xterm
>
> as the command for sandbox to run.
>
> To run chromium I used
>
> chromium-browser --no-sandbox --password-store=kwallet
>
> A couple of iterations of audit2allow and semodule -i later, I had this
> policy module installed:
>
> allow sandbox_web_client_t unconfined_dbusd_t:unix_stream_socket connectto;
> allow sandbox_web_client_t config_usr_t:dir read;
> allow sandbox_web_client_t unconfined_t:unix_stream_socket connectto;
>
> but chromium is still outputting this to the terminal when it tries to
> communicate with KWallet:
>
> ** (exe:9107): WARNING **:
> GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An SELinux policy
> prevents this sender from sending this message to this recipient, 0
> matched rules; type="method_call", sender="(null)" (inactive)
> interface="org.freedesktop.DBus" member="Hello" error name="(unset)"
> requested_reply="0" destination="org.freedesktop.DBus" (bus)
>
> I can't find relevant entries in /var/log/audit.log at first glance, so
> maybe these are checks done by the dbus daemon itself, rather than the
> kernel.
Also check /var/log/messages; dbus-related AVC denials go all over the
place.

If you allow this, then you probably allow your sandbox to dbus chat to any
user application running in the user domain.

If you confine kwallet, then you should be able to restrict your sandbox to
only chat to kwallet via dbus.
> -- selinux mailing list selinux(a)lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
Yes, I would figure this is dbus blocking the communication. The dbus session
bus would not be allowed to write to /var/log/audit/audit.log, so I believe
messages would end up in /var/log/messages.
This is an interesting use case.
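
Both replies point at /var/log/messages for the denials that the bus daemon, rather than the kernel, enforces. The following is an added example, not code from anyone in this thread: it pulls `tclass=dbus` denials out of syslog text and collapses them into candidate allow rules, marking a rule whose target is `unconfined_t` as broad, which is the concern raised about letting the sandbox chat to any user application. The log lines, their layout, the `org.kde.kwalletd` peer and the `BROAD_TARGETS` set are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the thread); the layout is an assumed
# syslog rendering of dbus-daemon's "avc: denied" text plus one kernel AVC.
SAMPLE_LOG = """\
Aug 13 09:02:11 host dbus[1871]: avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=9107 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c12,c34 tcontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 tclass=dbus
Aug 13 09:02:12 host dbus[1871]: avc:  denied  { send_msg } for msgtype=method_call interface=org.kde.KWallet member=open dest=org.kde.kwalletd spid=9107 tpid=2033 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c12,c34 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dbus
Aug 13 09:02:15 host kernel: type=1400 audit(1344848535.101:77): avc:  denied  { read } for pid=9107 comm="exe" name="share" scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c12,c34 tcontext=system_u:object_r:config_usr_t:s0 tclass=dir
"""

AVC = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for (?P<kv>.*)")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption: target types that stand for "any application in the user domain".
BROAD_TARGETS = {"unconfined_t"}


def dbus_denials(text):
    """Return one dict per denial that the bus daemon (tclass=dbus) logged."""
    found = []
    for line in text.splitlines():
        m = AVC.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV.findall(m["kv"])}
        if fields.get("tclass") != "dbus":
            continue  # kernel-enforced denial, not a D-Bus userspace check
        fields["perms"] = m["perms"].split()
        fields["stype"] = fields["scontext"].split(":")[2]
        fields["ttype"] = fields["tcontext"].split(":")[2]
        found.append(fields)
    return found


def candidate_rules(denials):
    """Collapse denials into allow rules, marking overly broad targets."""
    perms = defaultdict(set)
    for d in denials:
        perms[(d["stype"], d["ttype"])].update(d["perms"])
    rules = []
    for (src, tgt), p in sorted(perms.items()):
        plist = " ".join(sorted(p))
        plist = plist if len(p) == 1 else "{ " + plist + " }"
        rule = f"allow {src} {tgt}:dbus {plist};"
        if tgt in BROAD_TARGETS:
            rule += "  # broad: every peer labelled " + tgt
        rules.append(rule)
    return rules
```
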