List: fedora-selinux-list
Subject: Re: Allowing access to session dbus from sandbox
From: Daniel J Walsh <dwalsh () redhat ! com>
Date: 2012-08-13 17:10:21
Message-ID: 502934FD.6040307 () redhat ! com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 08/13/2012 08:40 AM, Dominick Grift wrote:
>
>
> On Mon, 2012-08-13 at 06:33 +0100, Robin Green wrote:
>> I would like to allow chromium within a sandbox to access KWallet running
>> in KDE outside the sandbox, so that
>>
>> (a) my website passwords cannot be directly read from within a sandbox -
>> access must be mediated by KWallet, which can prompt me for my KWallet
>> password to confirm. So if I am prompted by KWallet while on a web page
>> without a saved password, I will know something is amiss.
>>
>> (b) my website passwords are shared between sandboxes
>>
>> I say chromium because Firefox does not use an external wallet service.
>>
>> I've got part-way there. Here is what I've done so far:
>>
>> I found out that KWallet uses dbus to communicate (specifically, the
>> session bus, because it's a desktop daemon). Because the dbus session bus
>> is by default a unix socket in /tmp, which would be hidden by seunshare,
>> I created /etc/dbus-1/session-local.conf as follows:
>>
>> <!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration
>> 1.0//EN" "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
>> <busconfig>
>>
>> <listen>unix:tmpdir=/dev/shm</listen>
>>
>> </busconfig>
>>
>> and logged out and logged back in again in order to restart the session
>> bus.
>>
>> I then passed the dbus socket name into the sandbox at creation time
>> using
>>
>> env DBUS_SESSION_BUS_ADDRESS=unix:abstract=/dev/shm/dbus-wyOMqiEGrR,guid=8e741d603eb65ed7bf138cac00060be0 xterm
>>
>> as the command for sandbox to run.
>>
>> To run chromium I used
>>
>> chromium-browser --no-sandbox --password-store=kwallet
>>
>> A couple of iterations of audit2allow and semodule -i later, I had this
>> policy module installed:
>>
>> allow sandbox_web_client_t unconfined_dbusd_t:unix_stream_socket connectto;
>> allow sandbox_web_client_t config_usr_t:dir read;
>> allow sandbox_web_client_t unconfined_t:unix_stream_socket connectto;
>>
>> but chromium is still outputting to the terminal this when it tries to
>> communicate with KWallet:
>>
>> ** (exe:9107): WARNING **:
>> GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An SELinux policy
>> prevents this sender from sending this message to this recipient, 0
>> matched rules; type="method_call", sender="(null)" (inactive)
>> interface="org.freedesktop.DBus" member="Hello" error name="(unset)"
>> requested_reply="0" destination="org.freedesktop.DBus" (bus)
>>
>> I can't find relevant entries in /var/log/audit.log at first glance, so
>> maybe these are checks done by the dbus daemon itself, rather than the
>> kernel.
>
> Also check /var/log/messages, dbus related avc denials go all over the
> place.
>
> If you allow this then you probably allow your sandbox to dbus chat to any
> user application running in the user domain
>
> If you confine kwallet then you should be able to restrict your sandbox to
> only chat to kwallet via dbus.
>
>
>
>> -- selinux mailing list selinux@lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
Yes, I would figure this is dbus blocking the communication. The dbus session bus
would not be allowed to write to /var/log/audit/audit.log, so I believe the
messages would end up in /var/log/messages.
This is an interesting use case.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAlApNP0ACgkQrlYvE4MpobMTCwCgmnONDGhKqU6/rCXj5NofrcXN
izUAnRTZZOum2m0a5V/2b5jtR//AUJKO
=L/ET
-----END PGP SIGNATURE-----
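Dominick's two points, that dbus-mediated denials land in /var/log/messages rather than the audit log, and that a rule targeting the user domain lets the sandbox talk to every desktop process, can be turned into a small triage step. The script below is an added example, not code from this thread or from the dbus or SELinux projects: it parses lines in the USER_AVC format that dbus-daemon (acting as an SELinux userspace object manager) writes to syslog, derives the raw allow rule each denial would need, and flags rules whose target is a catch-all user domain. The sample log lines, the pids, the KWallet bus name and the timestamps are constructed; treating `unconfined_t` as the "broad" target is an assumption made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of what dbus-daemon writes to syslog (/var/log/messages)
# when it refuses to deliver a message. The source/target types and the
# org.freedesktop.DBus Hello call mirror the thread; pids, the KWallet
# destination (:1.37) and timestamps are invented for this example.
SAMPLE_LOG = """\
Aug 13 08:31:02 host dbus[1842]: avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=9107 tpid=1842 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c12,c57 tcontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 tclass=dbus
Aug 13 08:31:05 host dbus[1842]: avc:  denied  { send_msg } for msgtype=method_call interface=org.kde.KWallet member=open dest=:1.37 spid=9107 tpid=2210 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c12,c57 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dbus
Aug 13 08:31:06 host kernel: usb 1-1: new high-speed USB device
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Assumption for this example: a rule whose target is unconfined_t grants the
# sandbox dbus access to every unconfined process the user runs, which is the
# over-broad outcome the thread warns about. Talking to the bus daemon itself
# (unconfined_dbusd_t, needed for Hello) is not treated as broad.
BROAD_TARGETS = {"unconfined_t"}


@dataclass
class DbusDenial:
    perms: List[str]
    source_type: str
    target_type: str
    tclass: str
    interface: str
    member: str
    dest: str


def context_type(ctx: str) -> str:
    """Extract the type field from user:role:type[:range]."""
    return ctx.split(":")[2]


def parse_dbus_avc(line: str) -> Optional[DbusDenial]:
    """Parse one syslog line; return None for lines that are not dbus AVC denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = dict(KV_RE.findall(m.group("fields")))
    try:
        return DbusDenial(
            perms=m.group("perms").split(),
            source_type=context_type(kv["scontext"]),
            target_type=context_type(kv["tcontext"]),
            tclass=kv["tclass"],
            interface=kv.get("interface", "(unset)"),
            member=kv.get("member", "(unset)"),
            dest=kv.get("dest", "(unset)"),
        )
    except (KeyError, IndexError):
        return None  # malformed record: missing context or class fields


def suggest_rule(d: DbusDenial) -> str:
    """Render the raw allow rule that would satisfy this denial (what audit2allow prints for kernel AVCs)."""
    perms = d.perms[0] if len(d.perms) == 1 else "{ " + " ".join(d.perms) + " }"
    return f"allow {d.source_type} {d.target_type}:{d.tclass} {perms};"


def is_broad(d: DbusDenial) -> bool:
    return d.target_type in BROAD_TARGETS


def triage(log_text: str) -> List[Tuple[str, bool, str]]:
    """Return (rule, broad?, 'interface.member -> dest') per distinct denial, in log order."""
    out, seen = [], set()
    for line in log_text.splitlines():
        d = parse_dbus_avc(line)
        if d is None:
            continue
        rule = suggest_rule(d)
        if rule in seen:
            continue
        seen.add(rule)
        out.append((rule, is_broad(d), f"{d.interface}.{d.member} -> {d.dest}"))
    return out


if __name__ == "__main__":
    for rule, broad, what in triage(SAMPLE_LOG):
        flag = "  # BROAD: opens the sandbox to every process in this domain" if broad else ""
        print(f"{rule}{flag}    ({what})")
```

Run it against `grep 'avc:' /var/log/messages` output instead of the constructed sample. A flagged rule is the cue to follow the thread's advice: put KWallet in its own domain so the target type is specific to it, and express the access with the policy's dbus interface macros (such as `dbus_chat()`) rather than a raw `allow ... unconfined_t:dbus send_msg;`.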