3:11 p.m.
Hi,
i wrote the simple Qt-wrap for SELinux Sandbox (sandbox utility) and created the
ReviewRequest:
https://bugzilla.redhat.com/show_bug.cgi?id=999366
I hope that you are interested in it. Maybe someone wish to complete the review or advice
about his work.
Fl@sh.
1:48 p.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 08/23/2013 04:11 PM, kaperang07(a)gmail.com wrote:
Hi, i wrote the simple Qt-wrap for SELinux Sandbox (sandbox utility)
and
created the ReviewRequest:
https://bugzilla.redhat.com/show_bug.cgi?id=999366
I hope that you are interested in it. Maybe someone wish to complete the
review or advice about his work.
Fl@sh.
-- selinux mailing list selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
I am not a kde/qt guy. What does this app do? Do you have any screen shots
of using it?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlIbovgACgkQrlYvE4MpobM8sgCfT4FQ/hKBpf9NvXf9yETSoX62
8WgAn3kknv+UE/oGcdfRgJcUBfqGMSkO
=tn1i
-----END PGP SIGNATURE-----
2:11 p.m.
On Mon, 26 Aug 2013 14:48:24 -0400
Daniel J Walsh <dwalsh(a)redhat.com> wrote:
I am not a kde/qt guy. What does this app do? Do you have any
screen shots
of using it?
It is a simple qt-wrapper of sandbox utility.
http://img.flashtux.org/img1332c0a32204x3d62c894.png
It`s a tray applet for using a list of configured jobs,
running into sandbox. It run/kill this jobs.
Configuration of job is divided into simple sections for
user convenience.
Terminal applications can runs in the sandboxed terminal,
selected by the user. It gives the opportunity to work with
such applications interactively.
The only difference is the absence of a key "-i", because it
is completely replaced by the key "-I" for the file with the
list of included files.
--
Fl@sh
2:30 p.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 08/26/2013 03:11 PM, Fl@sh wrote:
On Mon, 26 Aug 2013 14:48:24 -0400 Daniel J Walsh
<dwalsh(a)redhat.com>
wrote:
> I am not a kde/qt guy. What does this app do? Do you have any screen
> shots of using it?
It is a simple qt-wrapper of sandbox utility.
http://img.flashtux.org/img1332c0a32204x3d62c894.png
It`s a tray applet for using a list of configured jobs, running into
sandbox. It run/kill this jobs. Configuration of job is divided into simple
sections for user convenience. Terminal applications can runs in the
sandboxed terminal, selected by the user. It gives the opportunity to work
with such applications interactively. The only difference is the absence of
a key "-i", because it is completely replaced by the key "-I" for the
file
with the list of included files.
You mispelled "Secuity Level"
Looks good though.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlIbrOgACgkQrlYvE4MpobNwFQCg0YtlKfWqM5foGfyhc3FS1W/V
I1AAoOTBXDu3eZ2ArEOGY92hvAqLYQHm
=qh5G
-----END PGP SIGNATURE-----
2:32 p.m.
On Mon, 26 Aug 2013 15:30:48 -0400
Daniel J Walsh <dwalsh(a)redhat.com> wrote:
You mispelled "Secuity Level"
Could you describe in more detail a cases (or with which
keys) in which the Security Level can to be used ?
And as I now realize, I should to add into the "Security Level"
ComboBox value "Random" (or "Default")?
--
Fl@sh
2:38 p.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 08/27/2013 03:32 PM, Fl@sh wrote:
On Mon, 26 Aug 2013 15:30:48 -0400 Daniel J Walsh
<dwalsh(a)redhat.com>
wrote:
> You misspelled "Secuity Level"
>
Could you describe in more detail a cases (or with which keys) in which the
Security Level can to be used ? And as I now realize, I should to add into
the "Security Level" ComboBox value "Random" (or
"Default")?
Well in most cases Dynamic should be used. If you had a static directory that
you wanted to use with a sandbox then you might want to choose a MCS Category
to permanently assign to it.
Say you created ~/myfirefoxhome. Then you could assign it the labels s0:c111,c222
chcon -t sandbox_file_t -l s0:c111,c222 ~/myfirefoxhome
Now you would want to allow the user to specify the permanant homedir and the
level s0:c111,c222 to run his sandbox.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlIdAE8ACgkQrlYvE4MpobPi2wCeI18+c0LLZbmd+PugwiXJCvkV
2MYAn1E+Tu+1MWF+FFwDxWM9MmpkHleE
=q2BH
-----END PGP SIGNATURE-----
3:40 a.m.
On Tue, 27 Aug 2013 15:38:55 -0400
Daniel J Walsh <dwalsh(a)redhat.com> wrote:
Well in most cases Dynamic should be used. If you had a static
directory that
you wanted to use with a sandbox then you might want to choose a MCS Category
to permanently assign to it.
Say you created ~/myfirefoxhome. Then you could assign it the labels s0:c111,c222
chcon -t sandbox_file_t -l s0:c111,c222 ~/myfirefoxhome
Now you would want to allow the user to specify the permanant homedir and the
level s0:c111,c222 to run his sandbox.
That is, if homedir and tempdir labels are
different, so
must specify labels for each directory?
Example:
sandbox .... -l s0:c<HomeDir_conext1>,c<HomeDir_conext2>
-l s0:c<TempDir_conext1>,c<TempDir_conext2> ...
--
Fl@sh
2:56 a.m.
Let me ask another question:
-S - session
Run a full desktop session, Requires level, and
home and tmpdir.
I understand correctly that level, and home and tmpdir should
be strictly defined and sandbox does not generate random
directories and default labels?
--
Fl@sh
7:16 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 08/29/2013 03:56 AM, Fl@sh wrote:
Let me ask another question: -S - session Run a full desktop
session,
Requires level, and home and tmpdir.
I understand correctly that level, and home and tmpdir should be strictly
defined and sandbox does not generate random directories and default
labels?
Yes that is the idea. I actually do not believe you should put this into your
gui. It is too advanced a feature and users will screw it up.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlIfO5AACgkQrlYvE4MpobP+sQCgymFg/kKkFsuMUUNj/VDTdi4C
sGUAoJNnO8az2Q903XyWv0CLH4NpzHVI
=pLf4
-----END PGP SIGNATURE-----
5:07 a.m.
On Thu, 29 Aug 2013 08:16:16 -0400
Daniel J Walsh <dwalsh(a)redhat.com> wrote:
... I actually do not believe you should put this into your
gui. It is too advanced a feature and users will screw it up.
Maybe you're right :D
I could not run a sandboxed session in the terminal even.
Could you describe in detail everything that need for
this? :)
--
Fl@sh
8:39 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 08/30/2013 06:07 AM, Fl@sh wrote:
On Thu, 29 Aug 2013 08:16:16 -0400 Daniel J Walsh
<dwalsh(a)redhat.com>
wrote:
> ... I actually do not believe you should put this into your gui. It is
> too advanced a feature and users will screw it up.
Maybe you're right :D I could not run a sandboxed session in the terminal
even. Could you describe in detail everything that need for this? :)
Have not done it for a while. You have to label the home dir and tmp dir with
the same label as you are going to run. Then you might need an improved type
to get it to start. Don't know if anyone has done it with latest Gnome3 code.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlIgoKYACgkQrlYvE4MpobOIagCffcKdQLaEeNIKvIirvoLt79+4
uG8An35wV3fKm+Fx6yY4zCSHv7P4rA+1
=6gKH
-----END PGP SIGNATURE-----
1:31 p.m.
On Fri, 30 Aug 2013 09:39:50 -0400
Daniel J Walsh <dwalsh(a)redhat.com> wrote:
Have not done it for a while. You have to label the home dir and tmp
dir with
the same label as you are going to run. Then you might need an improved type
to get it to start.
I`m done:
# chcon -t sandbox_file_t -l s0:c123,c456 /home/Flash/Example_HOME
# chcon -t sandbox_file_t -l s0:c123,c456 /home/Flash/Example_TMP
$ ls -Z . | grep 123
-rw-rw-r--. Flash Flash unconfined_u:object_r:user_home_t:s0
123 drwxrwxr-x. Flash Flash
unconfined_u:object_r:sandbox_file_t:s0:c123,c456
Example_HOME drwxrwxr-x. Flash Flash
unconfined_u:object_r:sandbox_file_t:s0:c123,c456 Example_TMP
$ /usr/bin/sandbox -s -d 96 -l s0:c123,c456 -X
-H /home/Flash/Example_HOME -T /home/Flash/Example_TMP
-I /home/Flash/.config/se-sandbox-runner/tyututiu_90.included
-W kwin -w 1000x700 -t sandbox_x_t -S
blink X-window, then nothing...
$
What i do not so?
And what this -- "an IMPROVED TYPE to get it to start" ?
--
Fl@sh
3:07 p.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 08/30/2013 02:31 PM, Fl@sh wrote:
On Fri, 30 Aug 2013 09:39:50 -0400 Daniel J Walsh
<dwalsh(a)redhat.com>
wrote:
> Have not done it for a while. You have to label the home dir and tmp dir
> with the same label as you are going to run. Then you might need an
> improved type to get it to start.
I`m done:
# chcon -t sandbox_file_t -l s0:c123,c456 /home/Flash/Example_HOME # chcon
-t sandbox_file_t -l s0:c123,c456 /home/Flash/Example_TMP $ ls -Z . | grep
123 -rw-rw-r--. Flash Flash unconfined_u:object_r:user_home_t:s0 123
drwxrwxr-x. Flash Flash unconfined_u:object_r:sandbox_file_t:s0:c123,c456
Example_HOME drwxrwxr-x. Flash Flash
unconfined_u:object_r:sandbox_file_t:s0:c123,c456 Example_TMP
$ /usr/bin/sandbox -s -d 96 -l s0:c123,c456 -X -H /home/Flash/Example_HOME
-T /home/Flash/Example_TMP -I
/home/Flash/.config/se-sandbox-runner/tyututiu_90.included -W kwin -w
1000x700 -t sandbox_x_t -S
blink X-window, then nothing... $
What i do not so? And what this -- "an IMPROVED TYPE to get it to start" ?
Try it in permissive mode.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlIg+48ACgkQrlYvE4MpobP37ACgpYfQxX1Jx8zRKFPAwJYKC6vR
ZGEAoLFRyplUn3UkzKNuaREbZeBvPo+L
=sKr5
-----END PGP SIGNATURE-----
3:54 a.m.
On Fri, 30 Aug 2013 16:07:43 -0400
Daniel J Walsh <dwalsh(a)redhat.com> wrote:
...
>
Try it in permissive mode.
Unfortunately, does not work in this mode too. :(
$ ls -Z . | grep 456
drwxrwxr-x. Flash Flash
unconfined_u:object_r:sandbox_file_t:s0:c123,c456 Example_HOME
drwxrwxr-x. Flash Flash
unconfined_u:object_r:sandbox_file_t:s0:c123,c456 Example_TMP
$ su -c getenforce
Permissive
$ /usr/bin/sandbox -s -d 96 -l
s0:c123,c456 -X -H /home/Flash/Example_HOME
-T /home/Flash/Example_TMP
-I /home/Flash/.config/se-sandbox-runner/tyututiu_90.included
-W kwin -w 1000x700 -t sandbox_x_t -S
blink X-window, then nothing...
$
--
Fl@sh
8:01 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 08/31/2013 04:54 AM, Fl@sh wrote:
On Fri, 30 Aug 2013 16:07:43 -0400 Daniel J Walsh
<dwalsh(a)redhat.com>
wrote:
...
>>
> Try it in permissive mode.
>
Unfortunately, does not work in this mode too. :(
$ ls -Z . | grep 456 drwxrwxr-x. Flash Flash
unconfined_u:object_r:sandbox_file_t:s0:c123,c456 Example_HOME drwxrwxr-x.
Flash Flash unconfined_u:object_r:sandbox_file_t:s0:c123,c456 Example_TMP $
su -c getenforce Permissive $ /usr/bin/sandbox -s -d 96 -l s0:c123,c456 -X
-H /home/Flash/Example_HOME -T /home/Flash/Example_TMP -I
/home/Flash/.config/se-sandbox-runner/tyututiu_90.included -W kwin -w
1000x700 -t sandbox_x_t -S
blink X-window, then nothing... $
Probably a problem with running full gnomes session within a Xephyr window.
If I have time, I will take a look at it. I would hope you could run simpler
window sessions there. Not sure if -W metacity would have any effect.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlIl3aoACgkQrlYvE4MpobNHdwCgnImEqlV3SVibTcqC0iR2k4To
dpoAoIjJgt+qBmsgdiC0wfw3ZD9FKcZs
=FqrX
-----END PGP SIGNATURE-----
2740
days inactive
2751
days old
selinux@lists.fedoraproject.org
14 comments
3 participants
participants (3)
-
Alex Roithman -
Daniel J Walsh -
Fl@sh