Announcement the se-sandbox-runner - selinux - Fedora Mailing-Lists

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Announcement the se-sandbox-runner

SELinux constrain policy for...

Back to FC 19 AVCs

Alex Roithman

Friday, 23 August 2013 Fri, 23 Aug '13

3:11 p.m.

Hi, i wrote the simple Qt-wrap for SELinux Sandbox (sandbox utility) and created the ReviewRequest: https://bugzilla.redhat.com/show_bug.cgi?id=999366 I hope that you are interested in it. Maybe someone wish to complete the review or advice about his work. Fl@sh.

Attachments:

attachment.html (text/html — 284 bytes)

Reply

Show replies by date

Daniel J Walsh

Monday, 26 August Mon, 26 Aug

1:48 p.m.

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 08/23/2013 04:11 PM, kaperang07(a)gmail.com wrote:

Hi, i wrote the simple Qt-wrap for SELinux Sandbox (sandbox utility) and created the ReviewRequest: https://bugzilla.redhat.com/show_bug.cgi?id=999366 I hope that you are interested in it. Maybe someone wish to complete the review or advice about his work. Fl@sh. -- selinux mailing list selinux(a)lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux

I am not a kde/qt guy. What does this app do? Do you have any screen shots of using it?

...PGP SIGNATURE...

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlIbovgACgkQrlYvE4MpobM8sgCfT4FQ/hKBpf9NvXf9yETSoX62 8WgAn3kknv+UE/oGcdfRgJcUBfqGMSkO =tn1i -----END PGP SIGNATURE-----

Reply

Fl＠sh

2:11 p.m.

On Mon, 26 Aug 2013 14:48:24 -0400 Daniel J Walsh <dwalsh(a)redhat.com> wrote:

I am not a kde/qt guy. What does this app do? Do you have any screen shots of using it?

It is a simple qt-wrapper of sandbox utility. http://img.flashtux.org/img1332c0a32204x3d62c894.png It`s a tray applet for using a list of configured jobs, running into sandbox. It run/kill this jobs. Configuration of job is divided into simple sections for user convenience. Terminal applications can runs in the sandboxed terminal, selected by the user. It gives the opportunity to work with such applications interactively. The only difference is the absence of a key "-i", because it is completely replaced by the key "-I" for the file with the list of included files. -- Fl@sh

Reply

Daniel J Walsh

2:30 p.m.

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 08/26/2013 03:11 PM, Fl@sh wrote:

On Mon, 26 Aug 2013 14:48:24 -0400 Daniel J Walsh <dwalsh(a)redhat.com> wrote: > I am not a kde/qt guy. What does this app do? Do you have any screen > shots of using it? It is a simple qt-wrapper of sandbox utility. http://img.flashtux.org/img1332c0a32204x3d62c894.png It`s a tray applet for using a list of configured jobs, running into sandbox. It run/kill this jobs. Configuration of job is divided into simple sections for user convenience. Terminal applications can runs in the sandboxed terminal, selected by the user. It gives the opportunity to work with such applications interactively. The only difference is the absence of a key "-i", because it is completely replaced by the key "-I" for the file with the list of included files.

You mispelled "Secuity Level" Looks good though.

...PGP SIGNATURE...

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlIbrOgACgkQrlYvE4MpobNwFQCg0YtlKfWqM5foGfyhc3FS1W/V I1AAoOTBXDu3eZ2ArEOGY92hvAqLYQHm =qh5G -----END PGP SIGNATURE-----

Reply

Fl＠sh

Tuesday, 27 August Tue, 27 Aug

2:32 p.m.

On Mon, 26 Aug 2013 15:30:48 -0400 Daniel J Walsh <dwalsh(a)redhat.com> wrote:

You mispelled "Secuity Level"

Could you describe in more detail a cases (or with which keys) in which the Security Level can to be used ? And as I now realize, I should to add into the "Security Level" ComboBox value "Random" (or "Default")? -- Fl@sh

Reply

Daniel J Walsh

2:38 p.m.

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 08/27/2013 03:32 PM, Fl@sh wrote:

On Mon, 26 Aug 2013 15:30:48 -0400 Daniel J Walsh <dwalsh(a)redhat.com> wrote: > You misspelled "Secuity Level" > Could you describe in more detail a cases (or with which keys) in which the Security Level can to be used ? And as I now realize, I should to add into the "Security Level" ComboBox value "Random" (or "Default")?

Well in most cases Dynamic should be used. If you had a static directory that you wanted to use with a sandbox then you might want to choose a MCS Category to permanently assign to it. Say you created ~/myfirefoxhome. Then you could assign it the labels s0:c111,c222 chcon -t sandbox_file_t -l s0:c111,c222 ~/myfirefoxhome Now you would want to allow the user to specify the permanant homedir and the level s0:c111,c222 to run his sandbox.

...PGP SIGNATURE...

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlIdAE8ACgkQrlYvE4MpobPi2wCeI18+c0LLZbmd+PugwiXJCvkV 2MYAn1E+Tu+1MWF+FFwDxWM9MmpkHleE =q2BH -----END PGP SIGNATURE-----

Reply

Fl＠sh

Wednesday, 28 August Wed, 28 Aug

3:40 a.m.

On Tue, 27 Aug 2013 15:38:55 -0400 Daniel J Walsh <dwalsh(a)redhat.com> wrote:

Well in most cases Dynamic should be used. If you had a static directory that you wanted to use with a sandbox then you might want to choose a MCS Category to permanently assign to it. Say you created ~/myfirefoxhome. Then you could assign it the labels s0:c111,c222 chcon -t sandbox_file_t -l s0:c111,c222 ~/myfirefoxhome Now you would want to allow the user to specify the permanant homedir and the level s0:c111,c222 to run his sandbox.

That is, if homedir and tempdir labels are different, so must specify labels for each directory? Example: sandbox .... -l s0:c<HomeDir_conext1>,c<HomeDir_conext2> -l s0:c<TempDir_conext1>,c<TempDir_conext2> ... -- Fl@sh

Reply

Fl＠sh

Thursday, 29 August Thu, 29 Aug

2:56 a.m.

Let me ask another question: -S - session Run a full desktop session, Requires level, and home and tmpdir. I understand correctly that level, and home and tmpdir should be strictly defined and sandbox does not generate random directories and default labels? -- Fl@sh

Reply

Daniel J Walsh

7:16 a.m.

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 08/29/2013 03:56 AM, Fl@sh wrote:

Let me ask another question: -S - session Run a full desktop session, Requires level, and home and tmpdir. I understand correctly that level, and home and tmpdir should be strictly defined and sandbox does not generate random directories and default labels?

Yes that is the idea. I actually do not believe you should put this into your gui. It is too advanced a feature and users will screw it up.

...PGP SIGNATURE...

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlIfO5AACgkQrlYvE4MpobP+sQCgymFg/kKkFsuMUUNj/VDTdi4C sGUAoJNnO8az2Q903XyWv0CLH4NpzHVI =pLf4 -----END PGP SIGNATURE-----

Reply

Fl＠sh

Friday, 30 August Fri, 30 Aug

5:07 a.m.

On Thu, 29 Aug 2013 08:16:16 -0400 Daniel J Walsh <dwalsh(a)redhat.com> wrote:

... I actually do not believe you should put this into your gui. It is too advanced a feature and users will screw it up.

Maybe you're right :D I could not run a sandboxed session in the terminal even. Could you describe in detail everything that need for this? :) -- Fl@sh

Reply

Daniel J Walsh

8:39 a.m.

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 08/30/2013 06:07 AM, Fl@sh wrote:

On Thu, 29 Aug 2013 08:16:16 -0400 Daniel J Walsh <dwalsh(a)redhat.com> wrote: > ... I actually do not believe you should put this into your gui. It is > too advanced a feature and users will screw it up. Maybe you're right :D I could not run a sandboxed session in the terminal even. Could you describe in detail everything that need for this? :)

Have not done it for a while. You have to label the home dir and tmp dir with the same label as you are going to run. Then you might need an improved type to get it to start. Don't know if anyone has done it with latest Gnome3 code.

...PGP SIGNATURE...

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlIgoKYACgkQrlYvE4MpobOIagCffcKdQLaEeNIKvIirvoLt79+4 uG8An35wV3fKm+Fx6yY4zCSHv7P4rA+1 =6gKH -----END PGP SIGNATURE-----

Reply

Fl＠sh

1:31 p.m.

On Fri, 30 Aug 2013 09:39:50 -0400 Daniel J Walsh <dwalsh(a)redhat.com> wrote:

Have not done it for a while. You have to label the home dir and tmp dir with the same label as you are going to run. Then you might need an improved type to get it to start.

I`m done: # chcon -t sandbox_file_t -l s0:c123,c456 /home/Flash/Example_HOME # chcon -t sandbox_file_t -l s0:c123,c456 /home/Flash/Example_TMP $ ls -Z . | grep 123 -rw-rw-r--. Flash Flash unconfined_u:object_r:user_home_t:s0 123 drwxrwxr-x. Flash Flash unconfined_u:object_r:sandbox_file_t:s0:c123,c456 Example_HOME drwxrwxr-x. Flash Flash unconfined_u:object_r:sandbox_file_t:s0:c123,c456 Example_TMP $ /usr/bin/sandbox -s -d 96 -l s0:c123,c456 -X -H /home/Flash/Example_HOME -T /home/Flash/Example_TMP -I /home/Flash/.config/se-sandbox-runner/tyututiu_90.included -W kwin -w 1000x700 -t sandbox_x_t -S blink X-window, then nothing... $ What i do not so? And what this -- "an IMPROVED TYPE to get it to start" ? -- Fl@sh

Reply

Daniel J Walsh

3:07 p.m.

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 08/30/2013 02:31 PM, Fl@sh wrote:

On Fri, 30 Aug 2013 09:39:50 -0400 Daniel J Walsh <dwalsh(a)redhat.com> wrote: > Have not done it for a while. You have to label the home dir and tmp dir > with the same label as you are going to run. Then you might need an > improved type to get it to start. I`m done: # chcon -t sandbox_file_t -l s0:c123,c456 /home/Flash/Example_HOME # chcon -t sandbox_file_t -l s0:c123,c456 /home/Flash/Example_TMP $ ls -Z . | grep 123 -rw-rw-r--. Flash Flash unconfined_u:object_r:user_home_t:s0 123 drwxrwxr-x. Flash Flash unconfined_u:object_r:sandbox_file_t:s0:c123,c456 Example_HOME drwxrwxr-x. Flash Flash unconfined_u:object_r:sandbox_file_t:s0:c123,c456 Example_TMP $ /usr/bin/sandbox -s -d 96 -l s0:c123,c456 -X -H /home/Flash/Example_HOME -T /home/Flash/Example_TMP -I /home/Flash/.config/se-sandbox-runner/tyututiu_90.included -W kwin -w 1000x700 -t sandbox_x_t -S blink X-window, then nothing... $ What i do not so? And what this -- "an IMPROVED TYPE to get it to start" ?

Try it in permissive mode.

...PGP SIGNATURE...

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlIg+48ACgkQrlYvE4MpobP37ACgpYfQxX1Jx8zRKFPAwJYKC6vR ZGEAoLFRyplUn3UkzKNuaREbZeBvPo+L =sKr5 -----END PGP SIGNATURE-----

Reply

Fl＠sh

Saturday, 31 August Sat, 31 Aug

3:54 a.m.

On Fri, 30 Aug 2013 16:07:43 -0400 Daniel J Walsh <dwalsh(a)redhat.com> wrote: ...

> Try it in permissive mode.

Unfortunately, does not work in this mode too. :( $ ls -Z . | grep 456 drwxrwxr-x. Flash Flash unconfined_u:object_r:sandbox_file_t:s0:c123,c456 Example_HOME drwxrwxr-x. Flash Flash unconfined_u:object_r:sandbox_file_t:s0:c123,c456 Example_TMP $ su -c getenforce Permissive $ /usr/bin/sandbox -s -d 96 -l s0:c123,c456 -X -H /home/Flash/Example_HOME -T /home/Flash/Example_TMP -I /home/Flash/.config/se-sandbox-runner/tyututiu_90.included -W kwin -w 1000x700 -t sandbox_x_t -S blink X-window, then nothing... $ -- Fl@sh

Reply

Daniel J Walsh

Tuesday, 3 September Tue, 3 Sep

8:01 a.m.

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 08/31/2013 04:54 AM, Fl@sh wrote:

On Fri, 30 Aug 2013 16:07:43 -0400 Daniel J Walsh <dwalsh(a)redhat.com> wrote: ... >> > Try it in permissive mode. > Unfortunately, does not work in this mode too. :( $ ls -Z . | grep 456 drwxrwxr-x. Flash Flash unconfined_u:object_r:sandbox_file_t:s0:c123,c456 Example_HOME drwxrwxr-x. Flash Flash unconfined_u:object_r:sandbox_file_t:s0:c123,c456 Example_TMP $ su -c getenforce Permissive $ /usr/bin/sandbox -s -d 96 -l s0:c123,c456 -X -H /home/Flash/Example_HOME -T /home/Flash/Example_TMP -I /home/Flash/.config/se-sandbox-runner/tyututiu_90.included -W kwin -w 1000x700 -t sandbox_x_t -S blink X-window, then nothing... $

Probably a problem with running full gnomes session within a Xephyr window. If I have time, I will take a look at it. I would hope you could run simpler window sessions there. Not sure if -W metacity would have any effect.

...PGP SIGNATURE...

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlIl3aoACgkQrlYvE4MpobNHdwCgnImEqlV3SVibTcqC0iR2k4To dpoAoIjJgt+qBmsgdiC0wfw3ZD9FKcZs =FqrX -----END PGP SIGNATURE-----

Reply

2880

days inactive

2891

days old

selinux@lists.fedoraproject.org

Manage subscription

14 comments

3 participants

tags (0)

participants (3)

Alex Roithman
Daniel J Walsh
Fl＠sh