Hi,
this post might be of interest to you if, since today's update in F13, specific sandboxes are no longer working.
I used to open files from the internet via sandboxes. For example firefox uses the following bash script to open pdf files:
#!/bin/bash
sandbox -X -w 1432x821 evince "$*"
This is originally from Dan's blog: http://danwalsh.livejournal.com/31247.html?thread=214031
Since today, this no longer works due to changes in the handling of /tmp (firefox stores the downloaded file in /tmp).
Today the policycoreutils package was updated (2.0.83-33.7.fc13.x86_64).
The changes mention the handling of /tmp:
"fix to sandbox - Fix seunshare to use more secure handling of /tmp - Rewrite seunshare to make sure /tmp is mounted stickybit owned by root"
https://admin.fedoraproject.org/updates/policycoreutils-2.0.83-33.7.fc13?_cs...
which is probably related to Tavis Ormandy's post on FD http://seclists.org/fulldisclosure/2011/Feb/585
I worked around the issue and modified the bash script:
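#!/bin/bash
# Copy the downloaded file out of /tmp into a directory under $HOME
cp "$*" ~/.tmp
# Open the copy in the sandbox; the basename is quoted so names with spaces work
sandbox -X -w 1432x821 evince "/home/user/.tmp/$(basename "$*")"
# Clean up the staging directory afterwards
rm /home/user/.tmp/*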
This quick hack works for me, but maybe there is a nicer way ;)
kind regards, Christoph
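Added example (not part of the original thread, and not code from Christoph or the policycoreutils project): a variant of the workaround above that stages each file in its own private directory, so two viewers open at the same time never delete each other's copy the way `rm /home/user/.tmp/*` can. The function names stage_file and open_in_sandbox are hypothetical, and it assumes sandbox accepts a file in a subdirectory of ~/.tmp just as it does a file directly in ~/.tmp.

```bash
#!/bin/bash
# Added example: per-run staging directory under ~/.tmp (layout assumed from
# the workaround above). Function names are hypothetical.

stage_file() {
    # $1 = path of the downloaded file (e.g. in /tmp); prints the staged path
    local src="$1" base dir
    [ -f "$src" ] || { echo "not a regular file: $src" >&2; return 1; }
    base=$(basename -- "$src")
    mkdir -p -m 700 "$HOME/.tmp" || return 1
    # mktemp -d creates a fresh mode-0700 directory with an unpredictable name
    dir=$(mktemp -d "$HOME/.tmp/sandbox.XXXXXX") || return 1
    cp -- "$src" "$dir/$base" || { rm -rf -- "$dir"; return 1; }
    printf '%s\n' "$dir/$base"
}

open_in_sandbox() {
    local staged rc=0
    staged=$(stage_file "$1") || return 1
    # Same sandbox invocation as the script in the post
    sandbox -X -w 1432x821 evince "$staged" || rc=$?
    # Remove only this run's directory, never other runs' files
    rm -rf -- "$(dirname -- "$staged")"
    return "$rc"
}

# Only act when called with a file argument (as firefox does)
if [ "$#" -gt 0 ]; then
    open_in_sandbox "$1"
fi
```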
On 03/26/2011 03:32 PM, Christoph A. wrote:
> Hi,
> this post might be of interest to you if, since today's update in F13, specific sandboxes are no longer working.
> I used to open files from the internet via sandboxes. For example firefox uses the following bash script to open pdf files:
> #!/bin/bash
> sandbox -X -w 1432x821 evince "$*"
> This is originally from Dan's blog: http://danwalsh.livejournal.com/31247.html?thread=214031
> Since today, this no longer works due to changes in the handling of /tmp (firefox stores the downloaded file in /tmp).
> Today the policycoreutils package was updated (2.0.83-33.7.fc13.x86_64).
> The changes mention the handling of /tmp:
> "fix to sandbox - Fix seunshare to use more secure handling of /tmp - Rewrite seunshare to make sure /tmp is mounted stickybit owned by root"
> https://admin.fedoraproject.org/updates/policycoreutils-2.0.83-33.7.fc13?_cs...
> which is probably related to Tavis Ormandy's post on FD http://seclists.org/fulldisclosure/2011/Feb/585
> I worked around the issue and modified the bash script:
> #!/bin/bash
> cp "$*" ~/.tmp
> sandbox -X -w 1432x821 evince "/home/user/.tmp/$(basename "$*")"
> rm /home/user/.tmp/*
> This quick hack works for me, but maybe there is a nicer way ;)
> kind regards, Christoph
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
Could you test
http://koji.fedoraproject.org/koji/search?terms=policycoreutils-2.0.83-33.8....
On 03/29/2011 08:35 PM, Daniel J Walsh wrote:
> Could you test
> http://koji.fedoraproject.org/koji/search?terms=policycoreutils-2.0.83-33.8....
I'll test it as soon as it hits the testing repo.
Christoph
On 03/29/2011 08:35 PM, Daniel J Walsh wrote:
> Could you test
> http://koji.fedoraproject.org/koji/search?terms=policycoreutils-2.0.83-33.8....
Hi Dan,
I can confirm that this update restores the sandbox functionality like it was before 2.0.83-33.7.fc13.x86_64.
thanks, Christoph
On 03/31/2011 03:33 PM, Christoph A. wrote:
> On 03/29/2011 08:35 PM, Daniel J Walsh wrote:
>> Could you test
>> http://koji.fedoraproject.org/koji/search?terms=policycoreutils-2.0.83-33.8....
> Hi Dan,
> I can confirm that this update restores the sandbox functionality like it was before 2.0.83-33.7.fc13.x86_64.
> thanks, Christoph
Thanks. Update karma, please.