Old 05-12-2008, 07:27 PM
"Christoph A."
 
firefox problems with: browser_confine_unconfined --> on

Hi,

I'm looking forward to confining users (firefox, thunderbird). I played
with xguest_u and I liked the behavior of firefox (home not writeable
except ~/Downloads, ~/.mozilla), but I need other programs
(thunderbird, ssh) to connect to the internet too, so I wanted to try
the usual unconfined_u with browser_confine_unconfined set.

I didn't find much about this boolean, but I wanted to see if, with this
boolean set, firefox of an unconfined user will behave like firefox of
xguest_u.

After setting the boolean firefox runs in its own domain
(unconfined_mozilla_t) that looks fine.

When I tried to save a picture to see if I can write to ~/ (not
~/Download) firefox hangs (immediately after clicking on "Save Image
As...") and I had to use kill to terminate it.

Observing the audit.log file with tail -f shows:

type=USER_AVC msg=audit(1210554417.821:80): user pid=1648 uid=81
auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
msg='avc: denied { send_msg } for msgtype=method_return dest=:1.93
spid=1783 tpid=3412 scontext=system_u:system_r:hald_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_mozilla_t:s0 tclass=dbus :
exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'

If I set browser_confine_unconfined to 0 this problem doesn't occur.

Should firefox (unconfined_mozilla_t) behave like firefox of xguest_u,
or is this boolean for something different?

thanks,
Christoph A.
PS: I'm using FC9.

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
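As an added triage helper (not code from the thread or from the Fedora policy), the following parses the USER_AVC record quoted above into the source type, target type, object class and permission, the same tuple audit2allow reasons about; the sample record is the one from the post, re-joined onto a single line.

```python
import re

# Constructed sample: the USER_AVC record quoted in the thread, re-joined onto one
# line (auditd writes one record per line; the list archive wrapped it for display).
SAMPLE_RECORD = (
    "type=USER_AVC msg=audit(1210554417.821:80): user pid=1648 uid=81 "
    "auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 "
    "msg='avc: denied { send_msg } for msgtype=method_return dest=:1.93 "
    "spid=1783 tpid=3412 scontext=system_u:system_r:hald_t:s0 "
    "tcontext=unconfined_u:unconfined_r:unconfined_mozilla_t:s0 tclass=dbus : "
    "exe=\"/bin/dbus-daemon\" (sauid=81, hostname=?, addr=?, terminal=?)'"
)

# A USER_AVC is an access decision reported by a userspace object manager (here
# dbus-daemon), so the AVC proper sits inside the quoted msg='...' payload.
INNER_RE = re.compile(r"msg='(.*)'\s*$")
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(ctx):
    """Return the type (third component) of an SELinux context user:role:type:level."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_user_avc(record):
    """Parse one USER_AVC audit line into the fields needed for triage, or None."""
    if not record.startswith("type=USER_AVC"):
        return None
    inner = INNER_RE.search(record)
    avc = AVC_RE.search(inner.group(1)) if inner else None
    if not avc:
        return None
    outer = dict(KV_RE.findall(record[:inner.start()]))   # fields of the reporting daemon
    fields = dict(KV_RE.findall(avc.group(3)))            # fields of the decision itself
    return {
        "reporter": context_type(outer.get("subj", "")),
        "result": avc.group(1),
        "perms": avc.group(2).split(),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
        "exe": fields.get("exe", "").strip('"'),
    }

def summarize(parsed):
    """Render 'source_type -> target_type tclass { perms }', the shape audit2allow works from."""
    return "%s -> %s %s { %s }" % (context_type(parsed["scontext"]),
                                   context_type(parsed["tcontext"]),
                                   parsed["tclass"], " ".join(parsed["perms"]))
```

For the record above, summarize() yields "hald_t -> unconfined_mozilla_t dbus { send_msg }", which shows the hang is hald's D-Bus reply to the confined browser being dropped, not a file-write denial in ~/.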
 
Old 05-13-2008, 12:59 PM
Daniel J Walsh
 
firefox problems with: browser_confine_unconfined --> on


Christoph A. wrote:
> Hi,
>
> I'm looking forward to confining users (firefox, thunderbird). I played
> with xguest_u and I liked the behavior of firefox (home not writeable
> except ~/Downloads, ~/.mozilla), but I need other programs
> (thunderbird, ssh) to connect to the internet too, so I wanted to try
> the usual unconfined_u with browser_confine_unconfined set.
>
> I didn't find much about this boolean, but I wanted to see if, with this
> boolean set, firefox of an unconfined user will behave like firefox of
> xguest_u.
>
> After setting the boolean firefox runs in its own domain
> (unconfined_mozilla_t) that looks fine.
>
> When I tried to save a picture to see if I can write to ~/ (not
> ~/Download) firefox hangs (immediately after clicking on "Save Image
> As...") and I had to use kill to terminate it.
>
> Observing the audit.log file with tail -f shows:
>
> type=USER_AVC msg=audit(1210554417.821:80): user pid=1648 uid=81
> auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> msg='avc: denied { send_msg } for msgtype=method_return dest=:1.93
> spid=1783 tpid=3412 scontext=system_u:system_r:hald_t:s0
> tcontext=unconfined_u:unconfined_r:unconfined_mozilla_t:s0 tclass=dbus :
> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
>
> If I set browser_confine_unconfined to 0 this problem doesn't occur.
>
> Should firefox (unconfined_mozilla_t) behave like firefox of xguest_u,
> or is this boolean for something different?
>
> thanks,
> Christoph A.
> PS: I'm using FC9.
>
No, this seems like something that should be allowed.
 
Old 05-13-2008, 01:13 PM
"Christoph A."
 
firefox problems with: browser_confine_unconfined --> on

Daniel J Walsh wrote:

>> type=USER_AVC msg=audit(1210554417.821:80): user pid=1648 uid=81
>> auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
>> msg='avc: denied { send_msg } for msgtype=method_return dest=:1.93
>> spid=1783 tpid=3412 scontext=system_u:system_r:hald_t:s0
>> tcontext=unconfined_u:unconfined_r:unconfined_mozilla_t:s0 tclass=dbus :
>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'

> No this seems like something that should be allowed.

Thank you for your response.

So browser_confine_unconfined=1 is the right way to confine firefox (of
unconfined_u) like firefox of guest_u?

thanks in advance
Christoph A.

 
Old 05-13-2008, 01:25 PM
Daniel J Walsh
 
firefox problems with: browser_confine_unconfined --> on


Christoph A. wrote:
> Daniel J Walsh wrote:
>
>>> type=USER_AVC msg=audit(1210554417.821:80): user pid=1648 uid=81
>>> auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
>>> msg='avc: denied { send_msg } for msgtype=method_return dest=:1.93
>>> spid=1783 tpid=3412 scontext=system_u:system_r:hald_t:s0
>>> tcontext=unconfined_u:unconfined_r:unconfined_mozilla_t:s0 tclass=dbus :
>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
>
>> No this seems like something that should be allowed.
>
> Thank you for your response.
>
> So browser_confine_unconfined=1 is the right way to confine firefox (of
> unconfined_u) like firefox of guest_u?
>
> thanks in advance
> Christoph A.
Well, I don't really believe in confining firefox in this way, because of
the transitions available.

You can confine nsplugin, though:

http://danwalsh.livejournal.com/15700.html

The problem with confining firefox is somewhat covered in this article,
but where it really breaks is in helper applications.

unconfined_mozilla_t runs ooffice and ooffice ends up in
unconfined_mozilla_t, but if thunderbird launches ooffice, or you launch
it directly, it runs as unconfined_t and things get confused.

 
Old 05-13-2008, 02:25 PM
"Christoph A."
 
firefox problems with: browser_confine_unconfined --> on

Daniel J Walsh wrote:

> Well I don't really believe in confining firefox in this way, because of
> the transitions available.
>
>
> You can confine nsplugin though
>
> http://danwalsh.livejournal.com/15700.html
>
>
> The problem with confining firefox is somewhat covered in this article,
> but where it really breaks is in helper applications.

Yes, I'm a reader of your blog (thanks for posting this interesting
information).

> unconfined_mozilla_t runs ooffice and office ends up in
> unconfined_mozilla_t but if thunderbird or you launch ooffice directly
> it runs unconfined_t and things get confused.

For me it would be fine to save a file (pdf, odt, ...) to disk
(~/Downloads) prior to opening it with the appropriate program (pdf-reader,
openoffice, ...) in the unconfined_t domain, rather than starting these
programs directly from within firefox.

I admit that a normal end user would not like this extra step just to get
more security.

regards,
Christoph A.
