* No window opening when running sandbox -S
@ 2020-06-09  7:53 Cristian Ariza
  2020-06-09 13:02 ` Stephen Smalley
  0 siblings, 1 reply; 8+ messages in thread
From: Cristian Ariza @ 2020-06-09  7:53 UTC (permalink / raw)
  To: selinux

$ sandbox -H sandbox/home -T sandbox/tmp -S

shows a few Gtk warnings (which I am assuming means Gnome loaded 
somewhere) but no window opens. In the man page I can't find much 
information about how sandbox -S actually works so not sure if I am 
missing something or it's just a bug.

I am using Fedora 32 with Gnome.



* Re: No window opening when running sandbox -S
  2020-06-09  7:53 No window opening when running sandbox -S Cristian Ariza
@ 2020-06-09 13:02 ` Stephen Smalley
  2020-06-09 14:05   ` Cristian Ariza
  2020-06-09 17:07   ` Petr Lautrbach
  0 siblings, 2 replies; 8+ messages in thread
From: Stephen Smalley @ 2020-06-09 13:02 UTC (permalink / raw)
  To: Cristian Ariza, Petr Lautrbach, Ondrej Mosnacek; +Cc: SElinux list

On Tue, Jun 9, 2020 at 4:05 AM Cristian Ariza <cariza@collaborative.li> wrote:
>
> $ sandbox -H sandbox/home -T sandbox/tmp -S
>
> shows a few Gtk warnings (which I am assuming means Gnome loaded
> somewhere) but no window opens. In the man page I can't find much
> information about how sandbox -S actually works so not sure if I am
> missing something or it's just a bug.
>
> I am using Fedora 32 with Gnome.

You are using sandbox as packaged by Fedora in
policycoreutils-sandbox?  If so, please file a bug against their
package.
To be honest, I don't use sandbox myself and I am not sure it is being
very well maintained these days.  It was originally created by Red
Hat.
It seems like it has been OBE by other efforts to sandbox apps on
Linux e.g. flatpak or snaps although I don't know that any of those
are leveraging SELinux.  I'd be tempted to remove it upstream unless
it is getting proper care and feeding.


* Re: No window opening when running sandbox -S
  2020-06-09 13:02 ` Stephen Smalley
@ 2020-06-09 14:05   ` Cristian Ariza
  2020-06-09 15:04     ` Topi Miettinen
  2020-06-09 17:07   ` Petr Lautrbach
  1 sibling, 1 reply; 8+ messages in thread
From: Cristian Ariza @ 2020-06-09 14:05 UTC (permalink / raw)
  To: Stephen Smalley, Petr Lautrbach, Ondrej Mosnacek; +Cc: SElinux list

On 09/06/2020 14:02, Stephen Smalley wrote:
> You are using sandbox as packaged by Fedora in
> policycoreutils-sandbox?  If so, please file a bug against their
> package.

Just tested the version on the selinux repo and works. Will report to 
Fedora. Thanks.

> To be honest, I don't use sandbox myself and I am not sure it is being
> very well maintained these days.  It was originally created by Red
> Hat.
> It seems like it has been OBE by other efforts to sandbox apps on
> Linux e.g. flatpak or snaps although I don't know that any of those
> are leveraging SELinux.  I'd be tempted to remove it upstream unless
> it is getting proper care and feeding.

I have been fiddling with a few alternatives for sandboxing apps but I 
haven't really found anything that comes close. Probably the best I've 
seen is firejail and its defaults are not too good (too permissive IMO). 
It's a shame if it's not being maintained.



* Re: No window opening when running sandbox -S
  2020-06-09 14:05   ` Cristian Ariza
@ 2020-06-09 15:04     ` Topi Miettinen
  2020-06-09 16:05       ` Cristian Ariza
  0 siblings, 1 reply; 8+ messages in thread
From: Topi Miettinen @ 2020-06-09 15:04 UTC (permalink / raw)
  To: Cristian Ariza, Stephen Smalley, Petr Lautrbach, Ondrej Mosnacek
  Cc: SElinux list

On 9.6.2020 17.05, Cristian Ariza wrote:
> I have been fiddling with a few alternatives for sandboxing apps but I 
> haven't really found anything that comes close. Probably the best I've 
> seen is firejail and its defaults are not too good (too permissive IMO). 

Please report Firejail issues on Github so they may get attention. 
Current (unreleased) Firejail also supports SELinux labeling, so 
existing SELinux rules apply even if the file system is heavily manipulated.

-Topi


* Re: No window opening when running sandbox -S
  2020-06-09 15:04     ` Topi Miettinen
@ 2020-06-09 16:05       ` Cristian Ariza
  0 siblings, 0 replies; 8+ messages in thread
From: Cristian Ariza @ 2020-06-09 16:05 UTC (permalink / raw)
  To: Topi Miettinen, Stephen Smalley, Petr Lautrbach, Ondrej Mosnacek
  Cc: SElinux list

On 09/06/2020 16:04, Topi Miettinen wrote:
> Please report Firejail issues on Github so they may get attention. 
> Current (unreleased) Firejail also supports SELinux labeling, so 
> existing SELinux rules apply even if the file system is heavily 
> manipulated.

Is the opinion around the SELinux community that Firejail is good enough 
(in the field of single-command GUI isolation)? A bit hesitant about its 
security because of [1]. I know there are a few alternatives [2][3][4]
but I don't think I have the knowledge to actually judge which one 
provides better isolation.

[1] https://www.whonix.org/wiki/Dev/Firejail#Security
[2] https://github.com/google/nsjail
[3] https://github.com/containers/bubblewrap
[4] https://www.freedesktop.org/software/systemd/man/systemd-nspawn.html


* RE: No window opening when running sandbox -S
  2020-06-09 13:02 ` Stephen Smalley
  2020-06-09 14:05   ` Cristian Ariza
@ 2020-06-09 17:07   ` Petr Lautrbach
  2020-06-09 17:17     ` Cristian Ariza
  1 sibling, 1 reply; 8+ messages in thread
From: Petr Lautrbach @ 2020-06-09 17:07 UTC (permalink / raw)
  To: SElinux list; +Cc: Stephen Smalley, Cristian Ariza, Ondrej Mosnacek


On Tue, Jun 09, 2020 at 09:02:08AM -0400, Stephen Smalley wrote:
> On Tue, Jun 9, 2020 at 4:05 AM Cristian Ariza <cariza@collaborative.li> wrote:
> >
> > $ sandbox -H sandbox/home -T sandbox/tmp -S
> >
> > shows a few Gtk warnings (which I am assuming means Gnome loaded
> > somewhere) but no window opens. In the man page I can't find much
> > information about how sandbox -S actually works so not sure if I am
> > missing something or it's just a bug.
> >
> > I am using Fedora 32 with Gnome.


Do you use X session or Wayland?

Anyway, -S uses gdm, gdm depends on systemd and dbus, and this is blocked by
policy. But gdm session in sandbox doesn't work for me in permissive mode either, so it
seems to be completely broken.

On the other hand you should be able to run a specific application like firefox:

$ sandbox -t sandbox_web_t -H sandbox/home -T sandbox/tmp -w 1920x1048 -X firefox


> You are using sandbox as packaged by Fedora in
> policycoreutils-sandbox?  If so, please file a bug against their
> package.
> To be honest, I don't use sandbox myself and I am not sure it is being
> very well maintained these days.  It was originally created by Red
> Hat.
> It seems like it has been OBE by other efforts to sandbox apps on
> Linux e.g. flatpak or snaps although I don't know that any of those
> are leveraging SELinux.  I'd be tempted to remove it upstream unless
> it is getting proper care and feeding.
> 

I'd actually agree to move sandbox and seunshare out of SELinuxProject/selinux repo. If it's
maintained as an independent project it could also ship and install its own
policy, have its release cycle or just die.

Btw a few years ago I wrote support for bubblewrap in sandbox so it uses it
instead of seunshare [1] but I haven't finished it and sent for review.


https://github.com/bachradsusi/SELinuxProject-selinux/commit/5158ea1f552fc098647d4c503f646bdcb6d0737f

Petr
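
Added example (not part of the thread and not code from the sandbox project): one way to check the point made above, that policy blocks the session while something else is also broken, is to split the AVC denials from sandbox domains into those that were enforced and those only logged in permissive mode. The audit records below are constructed, and the domain names and denied accesses in them are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample audit records (not taken from the thread); the sandbox
# domain names and denied permissions are assumptions for illustration.
SAMPLE_AUDIT = '''\
type=AVC msg=audit(1591722000.101:801): avc:  denied  { connectto } for  pid=4120 comm="gnome-session-b" path="/run/dbus/system_bus_socket" scontext=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c12,c87 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1591722000.144:802): avc:  denied  { search } for  pid=4120 comm="gnome-session-b" name="systemd" dev="tmpfs" ino=77 scontext=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c12,c87 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1591722300.007:915): avc:  denied  { connectto } for  pid=4388 comm="gnome-session-b" path="/run/dbus/system_bus_socket" scontext=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c3,c40 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1591722301.500:916): avc:  denied  { read } for  pid=900 comm="httpd" name="x" dev="dm-0" ino=5 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)'
    r'(?: permissive=(?P<permissive>[01]))?')

def sel_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def sandbox_denials(audit_text):
    """Yield parsed AVC denials whose source domain is a sandbox type."""
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m or not sel_type(m["scon"]).startswith("sandbox"):
            continue
        yield {"perms": m["perms"].split(), "comm": m["comm"],
               "source": sel_type(m["scon"]), "target": sel_type(m["tcon"]),
               "tclass": m["tclass"], "enforced": m["permissive"] != "1"}

def summarize(audit_text):
    """Count denials per (target type, class), split by enforced or not."""
    enforced, logged_only = Counter(), Counter()
    for d in sandbox_denials(audit_text):
        (enforced if d["enforced"] else logged_only)[(d["target"], d["tclass"])] += 1
    return enforced, logged_only

if __name__ == "__main__":
    blocked, permissive = summarize(SAMPLE_AUDIT)
    print("blocked by policy:", dict(blocked))
    print("logged only (permissive):", dict(permissive))
```

If the session still fails while every sandbox denial carries permissive=1, policy enforcement is not what stops it.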


* Re: No window opening when running sandbox -S
  2020-06-09 17:07   ` Petr Lautrbach
@ 2020-06-09 17:17     ` Cristian Ariza
  2020-06-09 18:03       ` Petr Lautrbach
  0 siblings, 1 reply; 8+ messages in thread
From: Cristian Ariza @ 2020-06-09 17:17 UTC (permalink / raw)
  To: Petr Lautrbach, SElinux list; +Cc: Stephen Smalley, Ondrej Mosnacek

On 09/06/2020 18:07, Petr Lautrbach wrote:
> Do you use X session or Wayland?

I've been doing tests now on [Xorg + XFCE] and [Wayland + Gnome]. What I 
could see is:

* Gnome: -S doesn't work, -X firefox seems fine
* XFCE: -S works perfectly, -X firefox doesn't always work and I haven't 
really found what changes between when it works and when it doesn't.


> Btw a few years ago I wrote support for bubblewrap in sandbox so it uses it
> instead of seunshare [1] but I haven't finished it and sent for review.
> 
> https://github.com/bachradsusi/SELinuxProject-selinux/commit/5158ea1f552fc098647d4c503f646bdcb6d0737f

What benefits would bubblewrap provide?




* Re: No window opening when running sandbox -S
  2020-06-09 17:17     ` Cristian Ariza
@ 2020-06-09 18:03       ` Petr Lautrbach
  0 siblings, 0 replies; 8+ messages in thread
From: Petr Lautrbach @ 2020-06-09 18:03 UTC (permalink / raw)
  To: SElinux list; +Cc: Cristian Ariza, Stephen Smalley, Ondrej Mosnacek


On Tue, Jun 09, 2020 at 06:17:40PM +0100, Cristian Ariza wrote:
> On 09/06/2020 18:07, Petr Lautrbach wrote:
> > Do you use X session or Wayland?
> 
> I've been doing tests now on [Xorg + XFCE] and [Wayland + Gnome]. What I
> could see is:
> 
> * Gnome: -S doesn't work, -X firefox seems fine
> * XFCE: -S works perfectly, -X firefox doesn't always work and I haven't
> really found what changes between when it works and when it doesn't.
> 
> 
> > Btw a few years ago I wrote support for bubblewrap in sandbox so it uses it
> > instead of seunshare [1] but I haven't finished it and sent for review.
> > 
> > https://github.com/bachradsusi/SELinuxProject-selinux/commit/5158ea1f552fc098647d4c503f646bdcb6d0737f
> 
> What benefits would bubblewrap provide?
> 

I don't know. It should provide everything `sandbox` needs, and it's used in other projects while `seunshare` seems to be
written just for `sandbox`.




