Hi, I wrote a simple Qt wrapper for SELinux Sandbox (the sandbox utility) and created a review request: https://bugzilla.redhat.com/show_bug.cgi?id=999366
I hope that you are interested in it. Maybe someone wishes to complete the review or give advice about this work.
Fl@sh.
On 08/23/2013 04:11 PM, kaperang07@gmail.com wrote:
> Hi, I wrote a simple Qt wrapper for SELinux Sandbox (the sandbox utility) and created a review request: https://bugzilla.redhat.com/show_bug.cgi?id=999366
> I hope that you are interested in it. Maybe someone wishes to complete the review or give advice about this work.
> Fl@sh.
I am not a kde/qt guy. What does this app do? Do you have any screen shots of using it?
On Mon, 26 Aug 2013 14:48:24 -0400 Daniel J Walsh dwalsh@redhat.com wrote:
> I am not a kde/qt guy. What does this app do? Do you have any screen shots of using it?
It is a simple Qt wrapper for the sandbox utility. http://img.flashtux.org/img1332c0a32204x3d62c894.png
It's a tray applet for using a list of configured jobs running in the sandbox. It runs/kills these jobs. The configuration of a job is divided into simple sections for user convenience. Terminal applications can run in a sandboxed terminal selected by the user. This gives the opportunity to work with such applications interactively. The only difference is the absence of the "-i" key, because it is completely replaced by the "-I" key for the file with the list of included files.
On 08/26/2013 03:11 PM, Fl@sh wrote:
> On Mon, 26 Aug 2013 14:48:24 -0400 Daniel J Walsh dwalsh@redhat.com wrote:
>> I am not a kde/qt guy. What does this app do? Do you have any screen shots of using it?
> It is a simple Qt wrapper for the sandbox utility. http://img.flashtux.org/img1332c0a32204x3d62c894.png
> It's a tray applet for using a list of configured jobs running in the sandbox. It runs/kills these jobs. The configuration of a job is divided into simple sections for user convenience. Terminal applications can run in a sandboxed terminal selected by the user. This gives the opportunity to work with such applications interactively. The only difference is the absence of the "-i" key, because it is completely replaced by the "-I" key for the file with the list of included files.
You misspelled "Secuity Level"
Looks good though.
On Mon, 26 Aug 2013 15:30:48 -0400 Daniel J Walsh dwalsh@redhat.com wrote:
> You misspelled "Secuity Level"
Could you describe in more detail the cases (or with which keys) in which the Security Level can be used? And, as I now realize, I should add the value "Random" (or "Default") to the "Security Level" ComboBox?
On 08/27/2013 03:32 PM, Fl@sh wrote:
> On Mon, 26 Aug 2013 15:30:48 -0400 Daniel J Walsh dwalsh@redhat.com wrote:
>> You misspelled "Secuity Level"
> Could you describe in more detail the cases (or with which keys) in which the Security Level can be used? And, as I now realize, I should add the value "Random" (or "Default") to the "Security Level" ComboBox?
Well, in most cases Dynamic should be used. If you had a static directory that you wanted to use with a sandbox, then you might want to choose an MCS Category to permanently assign to it.
Say you created ~/myfirefoxhome. Then you could assign it the labels s0:c111,c222
chcon -t sandbox_file_t -l s0:c111,c222 ~/myfirefoxhome
Now you would want to allow the user to specify the permanent homedir and the level s0:c111,c222 to run his sandbox.
On Tue, 27 Aug 2013 15:38:55 -0400 Daniel J Walsh dwalsh@redhat.com wrote:
> Well, in most cases Dynamic should be used. If you had a static directory that you wanted to use with a sandbox, then you might want to choose an MCS Category to permanently assign to it.
> Say you created ~/myfirefoxhome. Then you could assign it the labels s0:c111,c222
> chcon -t sandbox_file_t -l s0:c111,c222 ~/myfirefoxhome
> Now you would want to allow the user to specify the permanent homedir and the level s0:c111,c222 to run his sandbox.
That is, if the homedir and tempdir labels are different, must labels be specified for each directory? Example: sandbox .... -l s0:c<HomeDir_context1>,c<HomeDir_context2> -l s0:c<TempDir_context1>,c<TempDir_context2> ...
Let me ask another question:
-S - session Run a full desktop session, Requires level, and home and tmpdir.
Do I understand correctly that level, home and tmpdir should be strictly defined, and that sandbox does not generate random directories and default labels?
On 08/29/2013 03:56 AM, Fl@sh wrote:
> Let me ask another question:
> -S - session Run a full desktop session, Requires level, and home and tmpdir.
> Do I understand correctly that level, home and tmpdir should be strictly defined, and that sandbox does not generate random directories and default labels?
Yes that is the idea. I actually do not believe you should put this into your gui. It is too advanced a feature and users will screw it up.
On Thu, 29 Aug 2013 08:16:16 -0400 Daniel J Walsh dwalsh@redhat.com wrote:
> ... I actually do not believe you should put this into your gui. It is too advanced a feature and users will screw it up.
Maybe you're right :D I could not even run a sandboxed session in the terminal. Could you describe in detail everything that is needed for this? :)
On 08/30/2013 06:07 AM, Fl@sh wrote:
> On Thu, 29 Aug 2013 08:16:16 -0400 Daniel J Walsh dwalsh@redhat.com wrote:
>> ... I actually do not believe you should put this into your gui. It is too advanced a feature and users will screw it up.
> Maybe you're right :D I could not even run a sandboxed session in the terminal. Could you describe in detail everything that is needed for this? :)
Have not done it for a while. You have to label the home dir and tmp dir with the same label as you are going to run. Then you might need an improved type to get it to start. Don't know if anyone has done it with latest Gnome3 code.
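Added example, not part of the original thread: a pre-flight check a wrapper could run before starting a sandbox with a fixed home and tmp directory, confirming that both carry type sandbox_file_t and the same MCS level that will be passed with -l, as described in the two replies above. The function names are hypothetical, the sample contexts are constructed, and only single-level labels (s0:cN,...) are handled.

```sh
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Contexts are passed in as strings, so the check itself needs no SELinux host.

# A context is user:role:type:level; the level may itself contain ':'.
ctx_type()  { printf '%s\n' "$1" | cut -d: -f3; }
ctx_level() { printf '%s\n' "$1" | cut -d: -f4-; }

# Canonicalise a single MCS level: expand cA.cB ranges and sort the
# categories, so "s0:c222,c111" and "s0:c111,c222" compare equal.
norm_level() {
    sens=${1%%:*}
    case $1 in *:*) cats=${1#*:} ;; *) cats= ;; esac
    cats=$(printf '%s\n' "$cats" | tr ',' '\n' |
        while IFS=. read -r lo hi; do
            [ -n "$lo" ] || continue
            lo=${lo#c}; hi=${hi#c}
            seq "$lo" "${hi:-$lo}"
        done | sort -nu | sed 's/^/c/' | paste -sd, -)
    printf '%s\n' "${sens}${cats:+:$cats}"
}

# check_dir LEVEL CONTEXT: type must be sandbox_file_t, level must match.
check_dir() {
    [ "$(ctx_type "$2")" = sandbox_file_t ] || return 1
    [ "$(norm_level "$(ctx_level "$2")")" = "$(norm_level "$1")" ]
}

# preflight LEVEL HOME_CONTEXT TMP_CONTEXT: both directories must pass.
preflight() {
    check_dir "$1" "$2" || { echo "home dir: wrong type or level" >&2; return 1; }
    check_dir "$1" "$3" || { echo "tmp dir: wrong type or level" >&2; return 1; }
}

# Constructed sample contexts, in the form `ls -Z` prints them.
GOOD='unconfined_u:object_r:sandbox_file_t:s0:c123,c456'
UNLABELED='unconfined_u:object_r:user_home_t:s0'

# On a real host the contexts would come from e.g. `stat -c %C DIR` (GNU stat).
if preflight s0:c456,c123 "$GOOD" "$GOOD"; then echo "labels ok"; fi
if ! preflight s0:c123,c456 "$GOOD" "$UNLABELED" 2>/dev/null; then
    echo "refusing to start: directory labels do not match -l"
fi
```

Passing this check only confirms the labelling precondition; it says nothing about whether the desktop session itself can start inside the sandbox.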
On Fri, 30 Aug 2013 09:39:50 -0400 Daniel J Walsh dwalsh@redhat.com wrote:
> Have not done it for a while. You have to label the home dir and tmp dir with the same label as you are going to run. Then you might need an improved type to get it to start.
I'm done:
# chcon -t sandbox_file_t -l s0:c123,c456 /home/Flash/Example_HOME
# chcon -t sandbox_file_t -l s0:c123,c456 /home/Flash/Example_TMP
$ ls -Z . | grep 123
-rw-rw-r--. Flash Flash unconfined_u:object_r:user_home_t:s0 123
drwxrwxr-x. Flash Flash unconfined_u:object_r:sandbox_file_t:s0:c123,c456 Example_HOME
drwxrwxr-x. Flash Flash unconfined_u:object_r:sandbox_file_t:s0:c123,c456 Example_TMP
$ /usr/bin/sandbox -s -d 96 -l s0:c123,c456 -X -H /home/Flash/Example_HOME -T /home/Flash/Example_TMP -I /home/Flash/.config/se-sandbox-runner/tyututiu_90.included -W kwin -w 1000x700 -t sandbox_x_t -S
blink X-window, then nothing...
$
What am I doing wrong? And what is this -- "an IMPROVED TYPE to get it to start"?
On 08/30/2013 02:31 PM, Fl@sh wrote:
> On Fri, 30 Aug 2013 09:39:50 -0400 Daniel J Walsh dwalsh@redhat.com wrote:
>> Have not done it for a while. You have to label the home dir and tmp dir with the same label as you are going to run. Then you might need an improved type to get it to start.
> I'm done:
> # chcon -t sandbox_file_t -l s0:c123,c456 /home/Flash/Example_HOME
> # chcon -t sandbox_file_t -l s0:c123,c456 /home/Flash/Example_TMP
> $ ls -Z . | grep 123
> -rw-rw-r--. Flash Flash unconfined_u:object_r:user_home_t:s0 123
> drwxrwxr-x. Flash Flash unconfined_u:object_r:sandbox_file_t:s0:c123,c456 Example_HOME
> drwxrwxr-x. Flash Flash unconfined_u:object_r:sandbox_file_t:s0:c123,c456 Example_TMP
> $ /usr/bin/sandbox -s -d 96 -l s0:c123,c456 -X -H /home/Flash/Example_HOME -T /home/Flash/Example_TMP -I /home/Flash/.config/se-sandbox-runner/tyututiu_90.included -W kwin -w 1000x700 -t sandbox_x_t -S
> blink X-window, then nothing...
> $
> What am I doing wrong? And what is this -- "an IMPROVED TYPE to get it to start"?
Try it in permissive mode.
On Fri, 30 Aug 2013 16:07:43 -0400 Daniel J Walsh dwalsh@redhat.com wrote:
> ...
> Try it in permissive mode.
Unfortunately, it does not work in this mode either. :(
$ ls -Z . | grep 456
drwxrwxr-x. Flash Flash unconfined_u:object_r:sandbox_file_t:s0:c123,c456 Example_HOME
drwxrwxr-x. Flash Flash unconfined_u:object_r:sandbox_file_t:s0:c123,c456 Example_TMP
$ su -c getenforce
Permissive
$ /usr/bin/sandbox -s -d 96 -l s0:c123,c456 -X -H /home/Flash/Example_HOME -T /home/Flash/Example_TMP -I /home/Flash/.config/se-sandbox-runner/tyututiu_90.included -W kwin -w 1000x700 -t sandbox_x_t -S
blink X-window, then nothing...
$
On 08/31/2013 04:54 AM, Fl@sh wrote:
> On Fri, 30 Aug 2013 16:07:43 -0400 Daniel J Walsh dwalsh@redhat.com wrote:
>> ...
>> Try it in permissive mode.
> Unfortunately, it does not work in this mode either. :(
> $ ls -Z . | grep 456
> drwxrwxr-x. Flash Flash unconfined_u:object_r:sandbox_file_t:s0:c123,c456 Example_HOME
> drwxrwxr-x. Flash Flash unconfined_u:object_r:sandbox_file_t:s0:c123,c456 Example_TMP
> $ su -c getenforce
> Permissive
> $ /usr/bin/sandbox -s -d 96 -l s0:c123,c456 -X -H /home/Flash/Example_HOME -T /home/Flash/Example_TMP -I /home/Flash/.config/se-sandbox-runner/tyututiu_90.included -W kwin -w 1000x700 -t sandbox_x_t -S
> blink X-window, then nothing...
> $
Probably a problem with running a full GNOME session within a Xephyr window. If I have time, I will take a look at it. I would hope you could run simpler window sessions there. Not sure if -W metacity would have any effect.