Hi,
this post might be of interest for you if since today's update in F13
specific sandboxes are no longer working.
I used to open files from the internet via sandboxes.
For example firefox uses the following bash script to open pdf files:
#!/bin/bash
sandbox -X -w 1432x821 evince "$*"
This is from originally from Dan's blog:
http://danwalsh.livejournal.com/31247.html?thread=214031
Since today, this no longer works due to changes in the handling of /tmp
(firefox stores the downloaded file in /tmp).
Today the policycoreutils packages was updated (2.0.83-33.7.fc13.x86_64).
The changes mention the handling of /tmp:
"fix to sandbox - Fix seunshare to use more secure handling of /tmp -
Rewrite seunshare to make sure /tmp is mounted stickybit owned by root"
https://admin.fedoraproject.org/updates/policycoreutils-2.0.83-33.7.fc13?...
which is probably related to Tavis Ormandy's post on FD
http://seclists.org/fulldisclosure/2011/Feb/585
I worked around the issue and modified the bash script:
#!/bin/bash
cp "$*" ~/.tmp
sandbox -X -w 1432x821 evince "/home/user/.tmp/`basename $*`"
rm /home/user/.tmp/*
This quick hack works for me, but maybe there is a nicer way ;)
kind regards,
Christoph