08-13-2012, 05:33 AM
Robin Green

Allowing access to session dbus from sandbox

I would like to allow chromium within a sandbox to access KWallet
running in KDE outside the sandbox, so that

(a) my website passwords cannot be directly read from within a sandbox
- access must be mediated by KWallet, which can prompt me for my
KWallet password to confirm. So if I am prompted by KWallet while on a
web page without a saved password, I will know something is amiss.
(b) my website passwords are shared between sandboxes

I say chromium because Firefox does not use an external wallet service.

I've got part-way there. Here is what I've done so far:

I found out that KWallet uses dbus to communicate (specifically, the
session bus, because it's a desktop daemon). Because the dbus session
bus is by default a unix socket in /tmp, which would be hidden by
seunshare, I created /etc/dbus-1/session-local.conf as follows:

<!DOCTYPE busconfig PUBLIC
"-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>

<listen>unix:tmpdir=/dev/shm</listen>

</busconfig>

and logged out and logged back in again in order to restart the session bus.

I then passed the dbus socket name into the sandbox at creation time using

env DBUS_SESSION_BUS_ADDRESS=unix:abstract=/dev/shm/dbus-wyOMqiEGrR,guid=8e741d603eb65ed7bf138cac00060be0 xterm

as the command for sandbox to run.

To run chromium I used

chromium-browser --no-sandbox --password-store=kwallet

A couple of iterations of audit2allow and semodule -i later, I had
this policy module installed:

allow sandbox_web_client_t unconfined_dbusd_t:unix_stream_socket connectto;
allow sandbox_web_client_t config_usr_t:dir read;
allow sandbox_web_client_t unconfined_t:unix_stream_socket connectto;

but chromium is still outputting to the terminal this when it tries to
communicate with KWallet:

** (exe:9107): WARNING **:
GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An SELinux policy
prevents this sender from sending this message to this recipient, 0
matched rules; type="method_call", sender="(null)" (inactive)
interface="org.freedesktop.DBus" member="Hello" error name="(unset)"
requested_reply="0" destination="org.freedesktop.DBus" (bus)

I can't find relevant entries in /var/log/audit.log at first glance,
so maybe these are checks done by the dbus daemon itself, rather than
the kernel.
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
08-13-2012, 12:40 PM
Dominick Grift

Allowing access to session dbus from sandbox

On Mon, 2012-08-13 at 06:33 +0100, Robin Green wrote:
> I would like to allow chromium within a sandbox to access KWallet
> running in KDE outside the sandbox, so that
>
> (a) my website passwords cannot be directly read from within a sandbox
> - access must be mediated by KWallet, which can prompt me for my
> KWallet password to confirm. So if I am prompted by KWallet while on a
> web page without a saved password, I will know something is amiss.
> (b) my website passwords are shared between sandboxes
>
> I say chromium because Firefox does not use an external wallet service.
>
> I've got part-way there. Here is what I've done so far:
>
> I found out that KWallet uses dbus to communicate (specifically, the
> session bus, because it's a desktop daemon). Because the dbus session
> bus is by default a unix socket in /tmp, which would be hidden by
> seunshare, I created /etc/dbus-1/session-local.conf as follows:
>
> <!DOCTYPE busconfig PUBLIC
> "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
> "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
> <busconfig>
>
> <listen>unix:tmpdir=/dev/shm</listen>
>
> </busconfig>
>
> and logged out and logged back in again in order to restart the session bus.
>
> I then passed the dbus socket name into the sandbox at creation time using
>
> env DBUS_SESSION_BUS_ADDRESS=unix:abstract=/dev/shm/dbus-wyOMqiEGrR,guid=8e741d603eb65ed7bf138cac00060be0 xterm
>
> as the command for sandbox to run.
>
> To run chromium I used
>
> chromium-browser --no-sandbox --password-store=kwallet
>
> A couple of iterations of audit2allow and semodule -i later, I had
> this policy module installed:
>
> allow sandbox_web_client_t unconfined_dbusd_t:unix_stream_socket connectto;
> allow sandbox_web_client_t config_usr_t:dir read;
> allow sandbox_web_client_t unconfined_t:unix_stream_socket connectto;
>
> but chromium is still outputting to the terminal this when it tries to
> communicate with KWallet:
>
> ** (exe:9107): WARNING **:
> GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An SELinux policy
> prevents this sender from sending this message to this recipient, 0
> matched rules; type="method_call", sender="(null)" (inactive)
> interface="org.freedesktop.DBus" member="Hello" error name="(unset)"
> requested_reply="0" destination="org.freedesktop.DBus" (bus)
>
> I can't find relevant entries in /var/log/audit.log at first glance,
> so maybe these are checks done by the dbus daemon itself, rather than
> the kernel.

Also check /var/log/messages, dbus related avc denials go all over the
place.

If you allow this then you probably allow your sandbox to dbus chat to
any user application running in the user domain.

If you confine kwallet then you should be able to restrict your sandbox
to only chat to kwallet via dbus.



 
08-13-2012, 05:10 PM
Daniel J Walsh

Allowing access to session dbus from sandbox

On 08/13/2012 08:40 AM, Dominick Grift wrote:
>
>
> On Mon, 2012-08-13 at 06:33 +0100, Robin Green wrote:
>> I would like to allow chromium within a sandbox to access KWallet running
>> in KDE outside the sandbox, so that
>>
>> (a) my website passwords cannot be directly read from within a sandbox -
>> access must be mediated by KWallet, which can prompt me for my KWallet
>> password to confirm. So if I am prompted by KWallet while on a web page
>> without a saved password, I will know something is amiss.
>> (b) my website passwords are shared between sandboxes
>>
>> I say chromium because Firefox does not use an external wallet service.
>>
>> I've got part-way there. Here is what I've done so far:
>>
>> I found out that KWallet uses dbus to communicate (specifically, the
>> session bus, because it's a desktop daemon). Because the dbus session bus
>> is by default a unix socket in /tmp, which would be hidden by seunshare,
>> I created /etc/dbus-1/session-local.conf as follows:
>>
>> <!DOCTYPE busconfig PUBLIC
>> "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
>> "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
>> <busconfig>
>>
>> <listen>unix:tmpdir=/dev/shm</listen>
>>
>> </busconfig>
>>
>> and logged out and logged back in again in order to restart the session
>> bus.
>>
>> I then passed the dbus socket name into the sandbox at creation time
>> using
>>
>> env DBUS_SESSION_BUS_ADDRESS=unix:abstract=/dev/shm/dbus-wyOMqiEGrR,guid=8e741d603eb65ed7bf138cac00060be0 xterm
>>
>> as the command for sandbox to run.
>>
>> To run chromium I used
>>
>> chromium-browser --no-sandbox --password-store=kwallet
>>
>> A couple of iterations of audit2allow and semodule -i later, I had this
>> policy module installed:
>>
>> allow sandbox_web_client_t unconfined_dbusd_t:unix_stream_socket connectto;
>> allow sandbox_web_client_t config_usr_t:dir read;
>> allow sandbox_web_client_t unconfined_t:unix_stream_socket connectto;
>>
>> but chromium is still outputting to the terminal this when it tries to
>> communicate with KWallet:
>>
>> ** (exe:9107): WARNING **:
>> GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An SELinux policy
>> prevents this sender from sending this message to this recipient, 0
>> matched rules; type="method_call", sender="(null)" (inactive)
>> interface="org.freedesktop.DBus" member="Hello" error name="(unset)"
>> requested_reply="0" destination="org.freedesktop.DBus" (bus)
>>
>> I can't find relevant entries in /var/log/audit.log at first glance, so
>> maybe these are checks done by the dbus daemon itself, rather than the
>> kernel.
>
> Also check /var/log/messages, dbus related avc denials go all over the
> place.
>
> If you allow this then you probably allow your sandbox to dbus chat to any
> user application running in the user domain
>
> If you confine kwallet then you should be able to restrict your sandbox to
> only chat to kwallet via dbus.
>
Yes I would figure this is dbus blocking the communication. Dbus session bus
would not be allowed to write to /var/log/audit/audit.log, so I believe
messages would end up in /var/log/messages.

This is an interesting use case.
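
Added example, not part of the original thread: a small filter for the dbus-daemon userspace denials the replies say to look for in /var/log/messages. The sample log lines are constructed, and their layout (an "avc: denied { send_msg } ... tclass=dbus" record with scontext=, tcontext=, member= and dest= fields) is an assumption; the syslog prefix differs between systems.

```shell
#!/bin/sh
# Constructed sample lines (not taken from the thread): two dbus-daemon
# userspace denials and one kernel AVC that the filter must ignore.
sample_log() {
cat <<'EOF'
Aug 13 06:30:01 host dbus[1802]: avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=9107 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c12,c34 tcontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 tclass=dbus
Aug 13 06:30:02 host kernel: type=1400 audit(1344835802.1:55): avc:  denied  { read } for pid=9107 comm="exe" name="share" scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c12,c34 tcontext=system_u:object_r:config_usr_t:s0 tclass=dir
Aug 13 06:30:05 host dbus[1802]: avc:  denied  { send_msg } for msgtype=method_call interface=org.kde.KWallet member=open dest=org.kde.kwalletd spid=9107 tpid=2011 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c12,c34 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dbus
EOF
}

# Read log text on stdin and print one line per denial in the dbus object
# class: "<source type> <target type> <member> <destination name>".
dbus_denials() {
    awk '
    /avc: +denied/ && /tclass=dbus/ {
        s = t = m = d = "-"
        for (i = 1; i <= NF; i++) {
            # An SELinux context is user:role:type:level; keep the type.
            if ($i ~ /^scontext=/)      { split($i, a, ":"); s = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
            else if ($i ~ /^member=/)   m = substr($i, 8)
            else if ($i ~ /^dest=/)     d = substr($i, 6)
        }
        print s, t, m, d
    }'
}

# Stand-alone run on the constructed sample.
sample_log | dbus_denials
```

On a real system, feed it the log itself: dbus_denials < /var/log/messages. A target type of unconfined_t in the second column means a send_msg rule for that pair would cover every application running in that domain, not only KWallet.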