sandbox: changed handling of /tmp (2.0.83-33.7.fc13.x86_64)
Christoph A.
casmls at gmail.com
Sat Mar 26 19:32:04 UTC 2011
Hi,
this post might be of interest for you if since today's update in F13
specific sandboxes are no longer working.
I used to open files from the internet via sandboxes.
For example firefox uses the following bash script to open pdf files:
#!/bin/bash
sandbox -X -w 1432x821 evince "$*"
This is from originally from Dan's blog:
http://danwalsh.livejournal.com/31247.html?thread=214031
Since today, this no longer works due to changes in the handling of /tmp
(firefox stores the downloaded file in /tmp).
Today the policycoreutils packages was updated (2.0.83-33.7.fc13.x86_64).
The changes mention the handling of /tmp:
"fix to sandbox - Fix seunshare to use more secure handling of /tmp -
Rewrite seunshare to make sure /tmp is mounted stickybit owned by root"
https://admin.fedoraproject.org/updates/policycoreutils-2.0.83-33.7.fc13?_csrf_token=84bda4a48f7b567fc380f85773927246eb5a0b17
which is probably related to Tavis Ormandy's post on FD
http://seclists.org/fulldisclosure/2011/Feb/585
I worked around the issue and modified the bash script:
#!/bin/bash
cp "$*" ~/.tmp
sandbox -X -w 1432x821 evince "/home/user/.tmp/`basename $*`"
rm /home/user/.tmp/*
This quick hack works for me, but maybe there is a nicer way ;)
kind regards,
Christoph
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 163 bytes
Desc: OpenPGP digital signature
Url : http://lists.fedoraproject.org/pipermail/selinux/attachments/20110326/98c022b3/attachment.bin
More information about the selinux
mailing list