Hi,
I'm looking to confine users (firefox, thunderbird). I played with xguest_u and I liked the behavior of firefox (home not writeable except ~/Downloads, ~/.mozilla), but I need other programs (thunderbird, ssh) to connect to the internet too, so I wanted to try the usual unconfined_u with browser_confine_unconfined set.
I didn't find much about this boolean, but I wanted to see if, with this boolean set, firefox of an unconfined user will behave like firefox of xguest_u.
After setting the boolean, firefox runs in its own domain (unconfined_mozilla_t); that looks fine.
When I tried to save a picture to see if I can write to ~/ (not ~/Downloads), firefox hangs (immediately after clicking on "Save Image As...") and I had to use kill to terminate it.
Observing the audit.log file with tail -f shows:
type=USER_AVC msg=audit(1210554417.821:80): user pid=1648 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.93 spid=1783 tpid=3412 scontext=system_u:system_r:hald_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_mozilla_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
If I set browser_confine_unconfined to 0, this problem doesn't occur.
Should firefox (unconfined_mozilla_t) behave like firefox of xguest_u, or is this boolean for something different?
Thanks, Christoph A. PS: I'm using FC9.
Christoph A. wrote:
Hi,
I'm looking to confine users (firefox, thunderbird). I played with xguest_u and I liked the behavior of firefox (home not writeable except ~/Downloads, ~/.mozilla), but I need other programs (thunderbird, ssh) to connect to the internet too, so I wanted to try the usual unconfined_u with browser_confine_unconfined set.
I didn't find much about this boolean, but I wanted to see if, with this boolean set, firefox of an unconfined user will behave like firefox of xguest_u.
After setting the boolean, firefox runs in its own domain (unconfined_mozilla_t); that looks fine.
When I tried to save a picture to see if I can write to ~/ (not ~/Downloads), firefox hangs (immediately after clicking on "Save Image As...") and I had to use kill to terminate it.
Observing the audit.log file with tail -f shows:
type=USER_AVC msg=audit(1210554417.821:80): user pid=1648 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.93 spid=1783 tpid=3412 scontext=system_u:system_r:hald_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_mozilla_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
If I set browser_confine_unconfined to 0, this problem doesn't occur.
Should firefox (unconfined_mozilla_t) behave like firefox of xguest_u, or is this boolean for something different?
Thanks, Christoph A. PS: I'm using FC9.
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
No, this seems like something that should be allowed.
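To read a denial like the one quoted above, here is an added example (not code from the thread or from Fedora): a small Python parser that pulls the source type, target type, class and permissions out of an AVC or USER_AVC record and produces the allow rule the policy would need for that exact access (the same rule audit2allow derives). The USER_AVC record is the one from this thread; the kernel AVC line is a constructed, hypothetical sample.

```python
import re
from dataclasses import dataclass

# Constructed sample 1: the USER_AVC record quoted in this thread, joined onto one line.
USER_AVC_LINE = (
    "type=USER_AVC msg=audit(1210554417.821:80): user pid=1648 uid=81 auid=4294967295 "
    "subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } "
    "for msgtype=method_return dest=:1.93 spid=1783 tpid=3412 scontext=system_u:system_r:hald_t:s0 "
    "tcontext=unconfined_u:unconfined_r:unconfined_mozilla_t:s0 tclass=dbus : "
    "exe=\"/bin/dbus-daemon\" (sauid=81, hostname=?, addr=?, terminal=?)'"
)
# Constructed sample 2: a hypothetical kernel AVC of the kind a write into ~/ from the confined
# browser domain would produce (values made up, not from the thread).
KERNEL_AVC_LINE = (
    "type=AVC msg=audit(1210554500.123:81): avc:  denied  { write } for  pid=1783 comm=\"firefox\" "
    "name=\"picture.jpg\" dev=sda2 ino=12345 scontext=unconfined_u:unconfined_r:unconfined_mozilla_t:s0 "
    "tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file"
)

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value pairs, quoted or bare

@dataclass
class Avc:
    record: str   # "AVC": kernel decision; "USER_AVC": userspace object manager (here dbus-daemon)
    result: str   # denied / granted
    perms: list   # permissions listed inside { ... }
    fields: dict  # scontext, tcontext, tclass and whatever else the record carries

    @property
    def source_type(self) -> str:
        return self.fields["scontext"].split(":")[2]  # a context is user:role:type[:range]

    @property
    def target_type(self) -> str:
        return self.fields["tcontext"].split(":")[2]

    def te_rule(self) -> str:
        """The allow rule this exact access would need (what audit2allow derives from the record)."""
        perms = self.perms[0] if len(self.perms) == 1 else "{ " + " ".join(self.perms) + " }"
        return f"allow {self.source_type} {self.target_type}:{self.fields['tclass']} {perms};"

def parse_avc(line: str):
    """Parse one audit record; returns None for records that carry no avc: decision."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    record = line.split(" ", 1)[0].split("=", 1)[1]  # "type=USER_AVC" -> "USER_AVC"
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return Avc(record, m.group("result"), m.group("perms").split(), fields)
```

USER_AVC records come from dbus-daemon acting as a userspace object manager, and send_msg is checked per message from the sender's context to the receiver's, so the method_return from hald_t back to unconfined_mozilla_t needs its own allow rule even though the browser was permitted to send the request.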
Daniel J Walsh wrote:
type=USER_AVC msg=audit(1210554417.821:80): user pid=1648 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.93 spid=1783 tpid=3412 scontext=system_u:system_r:hald_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_mozilla_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
No, this seems like something that should be allowed.
Thank you for your response.
So browser_confine_unconfined=1 is the right way to confine firefox (of unconfined_u) like firefox of guest_u?
Thanks in advance, Christoph A.
Christoph A. wrote:
Daniel J Walsh wrote:
type=USER_AVC msg=audit(1210554417.821:80): user pid=1648 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.93 spid=1783 tpid=3412 scontext=system_u:system_r:hald_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_mozilla_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
No, this seems like something that should be allowed.
Thank you for your response.
So browser_confine_unconfined=1 is the right way to confine firefox (of unconfined_u) like firefox of guest_u?
Thanks in advance, Christoph A.
Well, I don't really believe in confining firefox in this way, because of the transitions available.
You can confine nsplugin, though:
http://danwalsh.livejournal.com/15700.html
The problem with confining firefox is somewhat covered in this article, but where it really breaks is in helper applications.
unconfined_mozilla_t runs ooffice and ooffice ends up in unconfined_mozilla_t, but if thunderbird or you launch ooffice directly, it runs as unconfined_t and things get confused.
Daniel J Walsh wrote:
Well, I don't really believe in confining firefox in this way, because of the transitions available.
You can confine nsplugin, though:
http://danwalsh.livejournal.com/15700.html
The problem with confining firefox is somewhat covered in this article, but where it really breaks is in helper applications.
Yes, I'm a reader of your blog (thanks for posting this interesting information).
unconfined_mozilla_t runs ooffice and ooffice ends up in unconfined_mozilla_t, but if thunderbird or you launch ooffice directly, it runs as unconfined_t and things get confused.
For me it would be fine to save a file (pdf, odt, ...) to disk (~/Downloads) prior to opening it with the appropriate program (pdf-reader, openoffice, ...) in the unconfined_t domain, rather than starting these programs directly from within firefox.
I admit that a normal end user would not like this extra step just to get more security.
Regards, Christoph A.
selinux@lists.fedoraproject.org