* No window opening when running sandbox -S
From: Cristian Ariza @ 2020-06-09 7:53 UTC
To: selinux

$ sandbox -H sandbox/home -T sandbox/tmp -S

shows a few Gtk warnings (which I am assuming means Gnome loaded somewhere) but no window opens. In the man page I can't find much information about how sandbox -S actually works, so not sure if I am missing something or it's just a bug.

I am using Fedora 32 with Gnome.
* Re: No window opening when running sandbox -S
From: Stephen Smalley @ 2020-06-09 13:02 UTC
To: Cristian Ariza, Petr Lautrbach, Ondrej Mosnacek; +Cc: SElinux list

On Tue, Jun 9, 2020 at 4:05 AM Cristian Ariza <cariza@collaborative.li> wrote:
>
> $ sandbox -H sandbox/home -T sandbox/tmp -S
>
> shows a few Gtk warnings (which I am assuming means Gnome loaded
> somewhere) but no window opens. In the man page I can't find much
> information about how sandbox -S actually works so not sure if I am
> missing something or it's just a bug.
>
> I am using Fedora 32 with Gnome.

You are using sandbox as packaged by Fedora in policycoreutils-sandbox? If so, please file a bug against their package.

To be honest, I don't use sandbox myself and I am not sure it is being very well maintained these days. It was originally created by Red Hat. It seems like it has been OBE by other efforts to sandbox apps on Linux, e.g. flatpak or snaps, although I don't know that any of those are leveraging SELinux. I'd be tempted to remove it upstream unless it is getting proper care and feeding.
* Re: No window opening when running sandbox -S
From: Cristian Ariza @ 2020-06-09 14:05 UTC
To: Stephen Smalley, Petr Lautrbach, Ondrej Mosnacek; +Cc: SElinux list

On 09/06/2020 14:02, Stephen Smalley wrote:
> You are using sandbox as packaged by Fedora in
> policycoreutils-sandbox? If so, please file a bug against their
> package.

Just tested the version on the selinux repo and it works. Will report to Fedora. Thanks.

> To be honest, I don't use sandbox myself and I am not sure it is being
> very well maintained these days. It was originally created by Red
> Hat.
> It seems like it has been OBE by other efforts to sandbox apps on
> Linux e.g. flatpak or snaps although I don't know that any of those
> are leveraging SELinux. I'd be tempted to remove it upstream unless
> it is getting proper care and feeding.

I have been fiddling with a few alternatives for sandboxing apps but I haven't really found anything that comes close. Probably the best I've seen is firejail, and its defaults are not too good (too permissive IMO). It's a shame if it's not being maintained.
* Re: No window opening when running sandbox -S
From: Topi Miettinen @ 2020-06-09 15:04 UTC
To: Cristian Ariza, Stephen Smalley, Petr Lautrbach, Ondrej Mosnacek; Cc: SElinux list

On 9.6.2020 17.05, Cristian Ariza wrote:
> I have been fiddling with a few alternatives for sandboxing apps but I
> haven't really found anything that comes close. Probably the best I've
> seen is firejail and its defaults are not too good (too permissive IMO).

Please report Firejail issues on Github so they may get attention. Current (unreleased) Firejail also supports SELinux labeling, so existing SELinux rules apply even if the file system is heavily manipulated.

-Topi
* Re: No window opening when running sandbox -S
From: Cristian Ariza @ 2020-06-09 16:05 UTC
To: Topi Miettinen, Stephen Smalley, Petr Lautrbach, Ondrej Mosnacek; Cc: SElinux list

On 09/06/2020 16:04, Topi Miettinen wrote:
> Please report Firejail issues on Github so they may get attention.
> Current (unreleased) Firejail also supports SELinux labeling, so
> existing SELinux rules apply even if the file system is heavily
> manipulated.

Is the opinion around the SELinux community that Firejail is good enough (in the field of single-command GUI isolation)? A bit hesitant about its security because of [1]. I know there are a few alternatives [2][3][4] but I don't think I have the knowledge to actually judge which one provides better isolation.

[1] https://www.whonix.org/wiki/Dev/Firejail#Security
[2] https://github.com/google/nsjail
[3] https://github.com/containers/bubblewrap
[4] https://www.freedesktop.org/software/systemd/man/systemd-nspawn.html
* RE: No window opening when running sandbox -S
From: Petr Lautrbach @ 2020-06-09 17:07 UTC
To: SElinux list; +Cc: Stephen Smalley, Cristian Ariza, Ondrej Mosnacek

On Tue, Jun 09, 2020 at 09:02:08AM -0400, Stephen Smalley wrote:
> On Tue, Jun 9, 2020 at 4:05 AM Cristian Ariza <cariza@collaborative.li> wrote:
> >
> > $ sandbox -H sandbox/home -T sandbox/tmp -S
> >
> > shows a few Gtk warnings (which I am assuming means Gnome loaded
> > somewhere) but no window opens. In the man page I can't find much
> > information about how sandbox -S actually works so not sure if I am
> > missing something or it's just a bug.
> >
> > I am using Fedora 32 with Gnome.

Do you use X session or Wayland?

Anyway, -S uses gdm, gdm depends on systemd and dbus, and this is blocked by policy. But gdm session in sandbox doesn't work for me in permissive mode either, so it seems to be completely broken.

On the other hand you should be able to run a specific application like firefox:

$ sandbox -t sandbox_web_t -H sandbox/home -T sandbox/tmp -w 1920x1048 -X firefox

> You are using sandbox as packaged by Fedora in
> policycoreutils-sandbox? If so, please file a bug against their
> package.
> To be honest, I don't use sandbox myself and I am not sure it is being
> very well maintained these days. It was originally created by Red
> Hat.
> It seems like it has been OBE by other efforts to sandbox apps on
> Linux e.g. flatpak or snaps although I don't know that any of those
> are leveraging SELinux. I'd be tempted to remove it upstream unless
> it is getting proper care and feeding.
>

I'd actually agree to move sandbox and seunshare out of the SELinuxProject/selinux repo. If it's maintained as an independent project it could also ship and install its own policy, have its own release cycle, or just die.

Btw, a few years ago I wrote support for bubblewrap in sandbox so it uses it instead of seunshare [1], but I haven't finished it and sent it for review.

[1] https://github.com/bachradsusi/SELinuxProject-selinux/commit/5158ea1f552fc098647d4c503f646bdcb6d0737f

Petr
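Petr's diagnosis above ("blocked by policy") is the kind of statement a practitioner verifies by reading the AVC denials raised from the sandbox domain. The script below is an added example, not code from the thread or from the sandbox project: it summarises denials per permission, object class and target type for one source type (here sandbox_web_t, the type used in Petr's firefox command). The audit lines are constructed to follow the Linux audit AVC record format; the target types in them are assumed values for illustration.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials raised from one source domain,
# to see what policy blocks for a sandboxed application (e.g. the dbus socket).
# SAMPLE_AUDIT is constructed to mimic /var/log/audit/audit.log AVC records;
# the pids, inode numbers and target types are made-up illustration values.

SAMPLE_AUDIT='type=AVC msg=audit(1591723380.101:301): avc:  denied  { connectto } for  pid=4211 comm="firefox" path="/run/dbus/system_bus_socket" scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c12,c87 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1591723380.102:302): avc:  denied  { write } for  pid=4211 comm="firefox" name="notify" dev="tmpfs" ino=7 scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c12,c87 tcontext=system_u:system_r:init_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1591723381.500:303): avc:  denied  { connectto } for  pid=4211 comm="firefox" path="/run/dbus/system_bus_socket" scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c12,c87 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1591723382.000:304): avc:  denied  { read } for  pid=900 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# summarize_avc TYPE: read audit records on stdin, keep only denials whose
# source domain (third field of scontext) is TYPE, and print one row per
# distinct "permission class target_type" with its count, most frequent first.
summarize_avc() {
    awk -v want="$1" '
    /avc: +denied/ {
        perm = ""; src = ""; tgt = ""; cls = ""
        # the denied permission set sits between "{ " and " }"
        if (match($0, /\{ [^}]* \}/))
            perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, b, ":"); tgt = b[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == want) n[perm " " cls " " tgt]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# Stand-alone run: on a real host replace SAMPLE_AUDIT with
#   ausearch -m AVC -ts recent   (or cat /var/log/audit/audit.log)
printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc sandbox_web_t
```

A non-empty row for system_dbusd_t or init_t is the "blocked by policy" symptom; an empty result in a session that still fails points away from SELinux.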
* Re: No window opening when running sandbox -S
From: Cristian Ariza @ 2020-06-09 17:17 UTC
To: Petr Lautrbach, SElinux list; +Cc: Stephen Smalley, Ondrej Mosnacek

On 09/06/2020 18:07, Petr Lautrbach wrote:
> Do you use X session or Wayland?

I've been doing tests now on [Xorg + XFCE] and [Wayland + Gnome]. What I could see is:

* Gnome: -S doesn't work, -X firefox seems fine
* XFCE: -S works perfectly, -X firefox doesn't always work and I haven't really found what changes between when it works and when it doesn't.

> Btw few years ago I wrote support for bubblewrap in sandbox so it's uses it
> instead of seunshare [1] but I haven't finished it and sent for review.
>
> https://github.com/bachradsusi/SELinuxProject-selinux/commit/5158ea1f552fc098647d4c503f646bdcb6d0737f

What benefits would bubblewrap provide?
* Re: No window opening when running sandbox -S
From: Petr Lautrbach @ 2020-06-09 18:03 UTC
To: SElinux list; +Cc: Cristian Ariza, Stephen Smalley, Ondrej Mosnacek

On Tue, Jun 09, 2020 at 06:17:40PM +0100, Cristian Ariza wrote:
> On 09/06/2020 18:07, Petr Lautrbach wrote:
> > Do you use X session or Wayland?
>
> I've been doing tests now on [Xorg + XFCE] and [Wayland + Gnome]. What I
> could see is:
>
> * Gnome: -S doesn't work, -X firefox seems fine
> * XFCE: -S works perfectly, -X firefox doesn't always work and I haven't
> really found what changes between when it works and when it doesn't.
>
> > Btw few years ago I wrote support for bubblewrap in sandbox so it's uses it
> > instead of seunshare [1] but I haven't finished it and sent for review.
> >
> > https://github.com/bachradsusi/SELinuxProject-selinux/commit/5158ea1f552fc098647d4c503f646bdcb6d0737f
>
> What benefits would bubblewrap provide?
>

I don't know. It should provide everything `sandbox` needs, and it's used in other projects, while `seunshare` seems to be written just for `sandbox`.