Hi,
I'm using firefox in a sandbox.
It doesn't work anymore since today:
sandbox -X -t sandbox_web_t firefox
Failed to execute command /usr/share/sandbox/sandboxX.sh: Operation not permitted
My installed versions:
policycoreutils-sandbox-2.2.5-3.fc20.x86_64
selinux-policy-targeted-3.12.1-153.fc20.noarch
libselinux-2.2.1-6.fc20.x86_64
libselinux-python-2.2.1-6.fc20.x86_64
libselinux-utils-2.2.1-6.fc20.x86_64
selinux-policy-3.12.1-153.fc20.noarch
Anyone having the same problem? Or a fix?
thanks!
Robert
There is a libcap-ng package fix that broke it, I believe it is being reverted for now, and we are working to figure out a proper fix to make SELinux Sandbox and libcap-ng play well together.
On 05/01/2014 09:22 AM, Robert Horovitz wrote:
> Hi,
> I'm using firefox in a sandbox.
> It doesn't work anymore since today:
> sandbox -X -t sandbox_web_t firefox
> Failed to execute command /usr/share/sandbox/sandboxX.sh: Operation not permitted
> My installed versions:
> policycoreutils-sandbox-2.2.5-3.fc20.x86_64
> selinux-policy-targeted-3.12.1-153.fc20.noarch
> libselinux-2.2.1-6.fc20.x86_64
> libselinux-python-2.2.1-6.fc20.x86_64
> libselinux-utils-2.2.1-6.fc20.x86_64
> selinux-policy-3.12.1-153.fc20.noarch
> Anyone having the same problem? Or a fix?
> thanks!
> Robert
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
> There is a libcap-ng package fix that broke it, I believe it is being reverted for now, and we are working to figure out a proper fix to make SELinux Sandbox and libcap-ng play well together.
I hope that broken libcap-ng 0.7.4 gets removed soon, that ping-pong game is annoying
grep libcap-ng /var/log/yum.log
May 01 10:18:37 Updated: libcap-ng.x86_64 0.7.4-1.fc20
May 01 20:08:31 Installed: libcap-ng-0.7.3-6.fc20.x86_64
May 01 20:18:35 Updated: libcap-ng.x86_64 0.7.4-1.fc20
May 03 10:37:01 Installed: libcap-ng-0.7.3-6.fc20.x86_64
May 04 10:32:48 Updated: libcap-ng-0.7.4-1.fc20.x86_64
May 04 22:49:35 Installed: libcap-ng-0.7.3-6.fc20.x86_64
May 04 23:07:04 Updated: libcap-ng.x86_64 0.7.4-1.fc20
May 06 05:12:00 Installed: libcap-ng-0.7.3-6.fc20.x86_64
May 06 05:31:59 Updated: libcap-ng.x86_64 0.7.4-1.fc20
> There is a libcap-ng package fix that broke it, I believe it is being reverted for now, and we are working to figure out a proper fix to make SELinux Sandbox and libcap-ng play well together.
I just saw that it has NOT been reverted and it was even pushed to stable!
Now that it is in stable already I guess my comment here is not useful anymore:
https://admin.fedoraproject.org/updates/FEDORA-2014-5589/libcap-ng-0.7.4-1.f...
Should I file a bug against the selinux or the libcap-ng part?
As a workaround I downgraded and added the following line to my yum.conf:
exclude=libcap-ng*
I find it quite sad that no one seems to care about the broken sandbox functionality at all.
On 05/10/2014 12:44 AM, Robert Horovitz wrote:
>> There is a libcap-ng package fix that broke it, I believe it is being reverted for now, and we are working to figure out a proper fix to make SELinux Sandbox and libcap-ng play well together.
> I just saw that it has NOT been reverted and it was even pushed to stable!
> Now that it is in stable already I guess my comment here is not useful anymore:
> https://admin.fedoraproject.org/updates/FEDORA-2014-5589/libcap-ng-0.7.4-1.f...
> Should I file a bug against the selinux or the libcap-ng part?
> As a workaround I downgraded and added the following line to my yum.conf:
> exclude=libcap-ng*
> I find it quite sad that no one seems to care about the broken sandbox functionality at all.
Please update to the latest selinux-policy-sandbox and policycoreutils-sandbox from updates-testing.
# yum update selinux-policy-sandbox policycoreutils-sandbox --enablerepo=updates-testing
> # yum update selinux-policy-sandbox policycoreutils-sandbox --enablerepo=updates-testing
selinux-policy-sandbox was not present on my system, I installed it now.
rpm -qa *sandbox
selinux-policy-sandbox-3.12.1-161.fc20.noarch
policycoreutils-sandbox-2.2.5-4.fc20.x86_64
It still doesn't work:
sandbox -X -t sandbox_web_t firefox
Failed to execute command /usr/share/sandbox/sandboxX.sh: Operation not permitted
going to downgrade libcap-ng again...
On 05/13/2014 08:49 PM, Robert Horovitz wrote:
>> # yum update selinux-policy-sandbox policycoreutils-sandbox --enablerepo=updates-testing
> selinux-policy-sandbox was not present on my system, I installed it now.
> rpm -qa *sandbox
> selinux-policy-sandbox-3.12.1-161.fc20.noarch
> policycoreutils-sandbox-2.2.5-4.fc20.x86_64
> It still doesn't work:
> sandbox -X -t sandbox_web_t firefox
> Failed to execute command /usr/share/sandbox/sandboxX.sh: Operation not permitted
> going to downgrade libcap-ng again...
Yes, I apologize.
You need to install the latest selinux-policy-targeted and selinux-policy pkgs from
http://koji.fedoraproject.org/koji/buildinfo?buildID=516627
or from updates-testing repo.
Miroslav Grepl:
> On 05/13/2014 08:49 PM, Robert Horovitz wrote:
>>> # yum update selinux-policy-sandbox policycoreutils-sandbox --enablerepo=updates-testing
>> selinux-policy-sandbox was not present on my system, I installed it now.
>> rpm -qa *sandbox
>> selinux-policy-sandbox-3.12.1-161.fc20.noarch
>> policycoreutils-sandbox-2.2.5-4.fc20.x86_64
>> It still doesn't work:
>> sandbox -X -t sandbox_web_t firefox
>> Failed to execute command /usr/share/sandbox/sandboxX.sh: Operation not permitted
>> going to downgrade libcap-ng again...
> Yes, I apologize.
> You need to install the latest selinux-policy-targeted and selinux-policy pkgs from
> http://koji.fedoraproject.org/koji/buildinfo?buildID=516627
> or from updates-testing repo.
does not work for me, but the error is different, now I get AVCs.
type=AVC msg=audit(1400172843.275:385): avc: denied { connectto } for pid=24118 comm="Xephyr" path=002F746D702F2E5831312D756E69782F5830 scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c190,c873 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket
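Added example, not part of the original thread: a small Python parser for the AVC record in the message above. It decodes the hex-encoded path field (auditd hex-encodes values with unsafe bytes; here it is an abstract-namespace X11 socket) and builds the literal allow rule the denial maps to, so the access can be reviewed before anything is added to a policy module. Function names are illustrative.

```python
import re

# AVC record copied from the message above.
AVC = ('type=AVC msg=audit(1400172843.275:385): avc: denied { connectto } for '
       'pid=24118 comm="Xephyr" path=002F746D702F2E5831312D756E69782F5830 '
       'scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c190,c873 '
       'tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 '
       'tclass=unix_stream_socket')

# Only these fields are ever hex-encoded; numeric fields such as pid are not.
HEX_FIELDS = {'path', 'comm', 'name', 'exe'}

def decode_audit_value(key, value):
    """Undo auditd's quoting: "text" or an even-length run of hex digits."""
    if value.startswith('"'):
        return value.strip('"')
    if key in HEX_FIELDS and re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', value):
        raw = bytes.fromhex(value)
        # A leading NUL marks a Linux abstract-namespace socket; show it as '@'.
        if raw.startswith(b'\x00'):
            return '@' + raw[1:].decode('utf-8', 'replace')
        return raw.decode('utf-8', 'replace')
    return value

def parse_avc(line):
    m = re.search(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)', line)
    if m is None:
        raise ValueError('not an AVC record')
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(3)))
    rec = {k: decode_audit_value(k, v) for k, v in fields.items()}
    rec['result'] = m.group(1)
    rec['perms'] = m.group(2).split()
    for key in ('scontext', 'tcontext'):
        # user:role:type:level, where the MLS/MCS level itself contains ':'
        _user, _role, type_, level = rec[key].split(':', 3)
        rec[key + '_type'] = type_
        rec[key + '_level'] = level
    return rec

def raw_rule(rec):
    """Literal rule for this denial, for review rather than blind loading."""
    return 'allow %s %s:%s { %s };' % (
        rec['scontext_type'], rec['tcontext_type'],
        rec['tclass'], ' '.join(rec['perms']))

if __name__ == '__main__':
    rec = parse_avc(AVC)
    print(rec['comm'], '->', rec['path'], rec['scontext_level'])
    print(raw_rule(rec))
```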
> does not work for me, but the error is different, now I get AVCs.
> type=AVC msg=audit(1400172843.275:385): avc: denied { connectto } for pid=24118 comm="Xephyr" path=002F746D702F2E5831312D756E69782F5830 scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c190,c873 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket
To come back to this topic, which is now fairly old, I tried to add some rules to the policy in a module of my own.
I'm on a fairly up-to-date system:
selinux-policy-sandbox-3.12.1-179.fc20.noarch
selinux-policy-doc-3.12.1-179.fc20.noarch
libpcap-1.5.3-1.fc20.x86_64
selinux-policy-devel-3.12.1-179.fc20.noarch
selinux-policy-targeted-3.12.1-179.fc20.noarch
selinux-policy-3.12.1-179.fc20.noarch
I did the following additions:

require {
        type sandbox_web_t;
        type xserver_misc_device_t;
        type rtkit_daemon_t;
        type sound_device_t;
        type mozilla_plugin_t;
        class process setrlimit;
        class netlink_kobject_uevent_socket create;
        class file { read };
        class chr_file { open read write getattr };
        class dbus send_msg;
        class sem { unix_read unix_write };
}

#============= sandbox_web_t ==============
corenet_tcp_connect_http_port(sandbox_web_t)
corenet_tcp_connect_xserver_port(sandbox_web_t)
xserver_non_drawing_client(sandbox_web_t)
userdom_rw_inherited_user_tmpfs_files(sandbox_web_t)
userdom_manage_tmpfs_files(sandbox_web_t)
allow sandbox_web_t sound_device_t:chr_file { open read };
# dontaudit sandbox_web_t rtkit_daemon_t:dbus send_msg;
dontaudit sandbox_web_t self:netlink_kobject_uevent_socket create;
dontaudit sandbox_web_t self:process setrlimit;
dontaudit sandbox_web_t xserver_misc_device_t:chr_file { read write getattr };
dontaudit mozilla_plugin_t sandbox_web_t:sem { unix_read unix_write };
I'm not sure about the userdom tmpfs things, but with this, sandbox -X runs a firefox session with plugins fairly well.
Is this too open for a sandbox?
Klaus