-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
Hi,
Is someone successfully running Thunderbird in a sandbox including Enigmail Extension and GPG support?
When starting Thunderbird:
    sandbox -X -t sandbox_net_t -H tb thunderbird
I get the following "OpenPGP Alert":
"Could not start the gpg-agent program which is needed for you GnuPG version denied."
thanks, Christoph
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 06/03/2011 09:10 PM, Christoph A. wrote:
> Hi,
> is someone successfully running Thunderbird in a sandbox including Enigmail Extension and GPG support?
> When starting Thunderbird: sandbox -X -t sandbox_net_t -H tb thunderbird
> I get the following "OpenPGP Alert":
> "Could not start the gpg-agent program which is needed for you GnuPG version denied."
> thanks, Christoph
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

What AVC are you seeing? Most likely we should just allow the access.
I have not tried to run Thunderbird within a sandbox.
But I would be willing to work with you to set up correct policy. Maybe we could create a new type just to allow the email client application.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
On 06/06/2011 05:33 PM, Daniel J Walsh wrote:
> What avc are you seeing. Most likely we should just allow the access.

I'm not seeing any AVCs. I suppose there are dontaudit rules for the sandbox types?

> I have not tried to run thunderbird within a sandbox.
> But I would be willing to work with you to setup correct policy. Maybe we could create a new type just to allow the email client application.

That would be great.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 06/06/2011 11:39 AM, Christoph A. wrote:
> On 06/06/2011 05:33 PM, Daniel J Walsh wrote:
>> What avc are you seeing. Most likely we should just allow the access.
> I'm not seeing any AVCs. I suppose there are dontaudit rules for the sandbox types?
>> I have not tried to run thunderbird within a sandbox.
>> But I would be willing to work with you to setup correct policy. Maybe we could create a new type just to allow the email client application.
> That would be great.

Well, first you probably need to suck in the .gnupg directory. I would figure that without that directory in the sandbox, it would fail.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
On 06/06/2011 05:58 PM, Daniel J Walsh wrote:
> Well first you probably need to suck in .gnupg directory. I would figure without that directory in the sandbox, would fail.

Having the same clue, I did try -i ~/.gnupg but that didn't resolve the issue.
And Thunderbird within the sandbox should have its own set of gpg keys (persistent sandbox). If ~/.gnupg doesn't exist within the sandbox it should be generated.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
On 06/06/2011 05:33 PM, Daniel J Walsh wrote:
> What avc are you seeing. Most likely we should just allow the access.

Is sandbox_net_t allowed to access/execute gpg_agent_exec_t and gpg_exec_t files?

ll -Z `which gpg-agent`
-rwxr-xr-x. root root system_u:object_r:gpg_agent_exec_t:s0 /usr/bin/gpg-agent
ll -Z `which gpg`
-rwxr-xr-x. root root system_u:object_r:gpg_exec_t:s0 /usr/bin/gpg
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 06/06/2011 12:11 PM, Christoph A. wrote:
> On 06/06/2011 05:33 PM, Daniel J Walsh wrote:
>> What avc are you seeing. Most likely we should just allow the access.
> Is sandbox_net_t allowed to access/execute gpg_agent_exec_t and gpg_exec_t files?
> ll -Z `which gpg-agent`
> -rwxr-xr-x. root root system_u:object_r:gpg_agent_exec_t:s0 /usr/bin/gpg-agent
> ll -Z `which gpg`
> -rwxr-xr-x. root root system_u:object_r:gpg_exec_t:s0 /usr/bin/gpg

Yes

sesearch -A -s sandbox_net_t -t gpg_exec_t
WARNING: Policy would be downgraded from version 26 to 25.
Found 3 semantic av rules:
   allow sandbox_x_domain file_type : file entrypoint ;
   allow sandbox_x_domain exec_type : file { ioctl read getattr lock execute execute_no_trans open } ;
   allow sandbox_x_domain exec_type : lnk_file { read getattr } ;

sesearch -A -s sandbox_net_t -t gpg_agent_exec_t
WARNING: Policy would be downgraded from version 26 to 25.
Found 3 semantic av rules:
   allow sandbox_x_domain file_type : file entrypoint ;
   allow sandbox_x_domain exec_type : file { ioctl read getattr lock execute execute_no_trans open } ;
   allow sandbox_x_domain exec_type : lnk_file { read getattr } ;
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
On 06/04/2011 03:10 AM, Christoph A. wrote:
> "Could not start the gpg-agent program which is needed for you GnuPG version denied."

Starting thunderbird with gpg-agent like this:
    sandbox -X -t sandbox_net_t -H tb gpg-agent --daemon thunderbird
seems to solve the first error.

Next error:
Error - encryption command failed
/usr/bin/gpg --charset utf8 .... --list-secret-keys
gpg: fatal: can't disable core dumps: Permission denied
secmem usage: 0/0 bytes in 0/0 blocks of pool 0/0

getsebool -a|grep -i dump
allow_daemons_dump_core --> on

So gpg is not allowed to disable coredumps. Is this a policy bug? (no AVCs) How can I allow gpg to disable core dumps?

http://lists.cistron.nl/pipermail/freeradius-users/2010-June/msg00705.html
http://www.gossamer-threads.com/lists/gnupg/users/38475
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
On 06/06/2011 09:23 PM, Christoph A. wrote:
> On 06/04/2011 03:10 AM, Christoph A. wrote:
>> "Could not start the gpg-agent program which is needed for you GnuPG version denied."
> starting thunderbird with gpg-agent like this:
>     sandbox -X -t sandbox_net_t -H tb gpg-agent --daemon thunderbird
> seems to solve the first error.
> Next error:
> Error - encryption command failed
> /usr/bin/gpg --charset utf8 .... --list-secret-keys
> gpg: fatal: can't disable core dumps: Permission denied
> secmem usage: 0/0 bytes in 0/0 blocks of pool 0/0
> getsebool -a|grep -i dump
> allow_daemons_dump_core --> on
> So gpg is not allowed to disable coredumps. Is this a policy bug? (no AVCs) How can I allow gpg to disable core dumps?

something similar to [1] is probably needed for sandbox_net_t too.
allow sandbox_net_t self:process setrlimit; correct?
[1] https://bugzilla.redhat.com/show_bug.cgi?id=610812
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 06/06/2011 03:32 PM, Christoph A. wrote:
> On 06/06/2011 09:23 PM, Christoph A. wrote:
>> On 06/04/2011 03:10 AM, Christoph A. wrote:
>>> "Could not start the gpg-agent program which is needed for you GnuPG version denied."
>> starting thunderbird with gpg-agent like this:
>>     sandbox -X -t sandbox_net_t -H tb gpg-agent --daemon thunderbird
>> seems to solve the first error.
>> Next error:
>> Error - encryption command failed
>> /usr/bin/gpg --charset utf8 .... --list-secret-keys
>> gpg: fatal: can't disable core dumps: Permission denied
>> secmem usage: 0/0 bytes in 0/0 blocks of pool 0/0
>> getsebool -a|grep -i dump
>> allow_daemons_dump_core --> on
>> So gpg is not allowed to disable coredumps. Is this a policy bug? (no AVCs) How can I allow gpg to disable core dumps?
> something similar to [1] is probably needed for sandbox_net_t too.
> allow sandbox_net_t self:process setrlimit; correct?

I am not sure what the ramifications are of allowing a sandbox app to modify its hard limits. Currently no sandboxes are allowed this access. You can add a custom policy to allow this.
I guess if you or someone else can make a compelling argument, I can add this access or a boolean to add this access.
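
One way to draft the custom policy mentioned above, as an added example that is not part of the original thread: it turns AVC denial lines into `allow` rules and wraps them in a local module. It assumes the setrlimit denial is hidden by a dontaudit rule, as the thread supposes; the sample AVC line is constructed and the module name `sandbox_gpg_local` is hypothetical.

```shell
# Added example: draft a local policy module from AVC denials. On the real host,
# log hidden denials with "semodule -DB", collect them with "ausearch -m avc
# -ts recent", and restore the dontaudit rules afterwards with "semodule -B".

# Constructed sample of the denial expected once dontaudit is off.
SAMPLE_AVC='type=AVC msg=audit(1307390000.123:456): avc:  denied  { setrlimit } for  pid=1234 comm="gpg" scontext=unconfined_u:unconfined_r:sandbox_net_t:s0:c1,c2 tcontext=unconfined_u:unconfined_r:sandbox_net_t:s0:c1,c2 tclass=process'

# Read AVC lines on stdin, print one allow rule per distinct denial.
avc_to_allow() {
    awk '/avc:[ ]+denied/ {
        perms = $0
        sub(/.*[{] */, "", perms); sub(/ *[}].*/, "", perms)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, b, ":"); tgt = b[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "") next
        if (tgt == src) tgt = "self"   # same type: policy uses "self"
        rule = "allow " src " " tgt ":" cls " { " perms " };"
        if (!(rule in seen)) { seen[rule] = 1; print rule }
    }'
}

# Wrap the rules in module source (.te). "sandbox_gpg_local" is a
# hypothetical module name chosen for this example.
make_module() {
    rules=$(avc_to_allow)
    [ -n "$rules" ] || return 1          # nothing denied, nothing to build
    printf 'module sandbox_gpg_local 1.0;\n\nrequire {\n'
    printf '%s\n' "$rules" | awk '{
        split($3, p, ":"); t[$2] = 1
        if (p[1] != "self") t[p[1]] = 1
        for (i = 5; i < NF; i++) {
            k = p[2] " " $i
            if (!(k in s)) { s[k] = 1; c[p[2]] = c[p[2]] " " $i }
        }
    } END {
        for (k in t) print "\ttype " k ";"
        for (k in c) print "\tclass " k " {" c[k] " };"
    }'
    printf '}\n\n%s\n' "$rules"
}

printf '%s\n' "$SAMPLE_AVC" | make_module
# Build and load on the target host (not run here):
#   checkmodule -M -m -o sandbox_gpg_local.mod sandbox_gpg_local.te
#   semodule_package -o sandbox_gpg_local.pp -m sandbox_gpg_local.mod
#   semodule -i sandbox_gpg_local.pp
```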
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
On 06/07/2011 02:51 PM, Daniel J Walsh wrote:
> I am not sure what the ramifications of allowing a sandbox app to modify its hard limits. Currently no sandboxes are allowed this access.

I'll see if I can find a way to run gpg without allowing setrlimit.