2:32 p.m.
Hi,
this post might be of interest for you if since today's update in F13
specific sandboxes are no longer working.
I used to open files from the internet via sandboxes.
For example firefox uses the following bash script to open pdf files:
#!/bin/bash
sandbox -X -w 1432x821 evince "$*"
This is from originally from Dan's blog:
http://danwalsh.livejournal.com/31247.html?thread=214031
Since today, this no longer works due to changes in the handling of /tmp
(firefox stores the downloaded file in /tmp).
Today the policycoreutils packages was updated (2.0.83-33.7.fc13.x86_64).
The changes mention the handling of /tmp:
"fix to sandbox - Fix seunshare to use more secure handling of /tmp -
Rewrite seunshare to make sure /tmp is mounted stickybit owned by root"
https://admin.fedoraproject.org/updates/policycoreutils-2.0.83-33.7.fc13?...
which is probably related to Tavis Ormandy's post on FD
http://seclists.org/fulldisclosure/2011/Feb/585
I worked around the issue and modified the bash script:
#!/bin/bash
cp "$*" ~/.tmp
sandbox -X -w 1432x821 evince "/home/user/.tmp/`basename $*`"
rm /home/user/.tmp/*
This quick hack works for me, but maybe there is a nicer way ;)
kind regards,
Christoph
1:35 p.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 03/26/2011 03:32 PM, Christoph A. wrote:
Hi,
this post might be of interest for you if since today's update in F13
specific sandboxes are no longer working.
I used to open files from the internet via sandboxes.
For example firefox uses the following bash script to open pdf files:
#!/bin/bash
sandbox -X -w 1432x821 evince "$*"
This is from originally from Dan's blog:
http://danwalsh.livejournal.com/31247.html?thread=214031
Since today, this no longer works due to changes in the handling of /tmp
(firefox stores the downloaded file in /tmp).
Today the policycoreutils packages was updated (2.0.83-33.7.fc13.x86_64).
The changes mention the handling of /tmp:
"fix to sandbox - Fix seunshare to use more secure handling of /tmp -
Rewrite seunshare to make sure /tmp is mounted stickybit owned by root"
https://admin.fedoraproject.org/updates/policycoreutils-2.0.83-33.7.fc13?...
which is probably related to Tavis Ormandy's post on FD
http://seclists.org/fulldisclosure/2011/Feb/585
I worked around the issue and modified the bash script:
#!/bin/bash
cp "$*" ~/.tmp
sandbox -X -w 1432x821 evince "/home/user/.tmp/`basename $*`"
rm /home/user/.tmp/*
This quick hack works for me, but maybe there is a nicer way ;)
kind regards,
Christoph
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
Could you test
http://koji.fedoraproject.org/koji/search?terms=policycoreutils-2.0.83-33...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk2SJnQACgkQrlYvE4MpobOQkwCfbghysnmi5D9fe/f8YOMUpQcc
MUQAoOXxfxl/yZz3LX15Rxgvxovi5MZn
=C0Us
-----END PGP SIGNATURE-----
7:02 p.m.
On 03/29/2011 08:35 PM, Daniel J Walsh wrote:
I'll test it as soon as it hits the testing repo.
Christoph
2:33 p.m.
On 03/29/2011 08:35 PM, Daniel J Walsh wrote:
Hi Dan,
I can confirm that this update restores the sandbox functionality like
it was before 2.0.83-33.7.fc13.x86_64.
thanks,
Christoph
4:12 p.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 03/31/2011 03:33 PM, Christoph A. wrote:
On 03/29/2011 08:35 PM, Daniel J Walsh wrote:
> Could you test
>
>
http://koji.fedoraproject.org/koji/search?terms=policycoreutils-2.0.83-33...
Hi Dan,
I can confirm that this update restores the sandbox functionality like
it was before 2.0.83-33.7.fc13.x86_64.
thanks,
Christoph
Thanks update karma, please.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk2U7isACgkQrlYvE4MpobNk2QCdFa/tIhd9q2o/hBcGmuTYb03l
xrwAoMnEKKVE9DMA1QATsytDTS0QqXY1
=NKeJ
-----END PGP SIGNATURE-----
4775
days inactive
4780
days old
selinux@lists.fedoraproject.org
4 comments
2 participants
participants (2)
-
Christoph A. -
Daniel J Walsh