fedora-selinux March 2011 archive

Re: sandbox: changed handling of /tmp (2.0.83-33.7.fc13.x86_64)

From: Daniel J Walsh <dwalsh_at_nospam>
Date: Tue Mar 29 2011 - 18:35:32 GMT
To: "Christoph A." <casmls@gmail.com>

On 03/26/2011 03:32 PM, Christoph A. wrote:
> Hi,
>
> this post might be of interest for you if since today's update in F13
> specific sandboxes are no longer working.
>
> I used to open files from the internet via sandboxes.
> For example firefox uses the following bash script to open pdf files:
>
> #!/bin/bash
> sandbox -X -w 1432x821 evince "$*"
>
> This is originally from Dan's blog:
> http://danwalsh.livejournal.com/31247.html?thread=214031
>
> Since today, this no longer works due to changes in the handling of /tmp
> (firefox stores the downloaded file in /tmp).
>
> Today the policycoreutils package was updated (2.0.83-33.7.fc13.x86_64).
>
> The changes mention the handling of /tmp:
>
> "fix to sandbox - Fix seunshare to use more secure handling of /tmp -
> Rewrite seunshare to make sure /tmp is mounted stickybit owned by root"
>
> https://admin.fedoraproject.org/updates/policycoreutils-2.0.83-33.7.fc13?_csrf_token=84bda4a48f7b567fc380f85773927246eb5a0b17
>
> which is probably related to Tavis Ormandy's post on FD
> http://seclists.org/fulldisclosure/2011/Feb/585
>
> I worked around the issue and modified the bash script:
>
> #!/bin/bash
> cp "$*" ~/.tmp
> sandbox -X -w 1432x821 evince "/home/user/.tmp/$(basename "$*")"
> rm /home/user/.tmp/*
>
> This quick hack works for me, but maybe there is a nicer way ;)
>
> kind regards,
> Christoph
>
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

Could you test

http://koji.fedoraproject.org/koji/search?terms=policycoreutils-2.0.83-33.8.fc13&type=build&match=glob

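A variant of the workaround wrapper discussed in this thread, as an added example that is not part of either message and not code from policycoreutils: it stages the download in a per-invocation private directory under the home directory instead of a shared `~/.tmp`, so cleanup removes only the file it copied. The names `STAGE_ROOT`, `stage_file` and `open_in_sandbox` are hypothetical, and it assumes, as in Christoph's report, that `sandbox` can open a file passed from the home directory.

```bash
#!/bin/bash
# Added example: Firefox helper that opens a downloaded file in an SELinux sandbox.
# STAGE_ROOT is an assumed location; any user-owned directory outside /tmp works.
STAGE_ROOT="${STAGE_ROOT:-$HOME/.sandbox-stage}"

# Copy "$1" into a fresh private directory under STAGE_ROOT and print the staged path.
stage_file() {
    local src=$1 dir name
    # Refuse anything that is not a plain file (symlinks included).
    if [ ! -f "$src" ] || [ -L "$src" ]; then
        echo "not a regular file: $src" >&2
        return 1
    fi
    mkdir -p -m 700 "$STAGE_ROOT" || return 1
    # mktemp -d creates the directory with mode 0700 and an unpredictable name.
    dir=$(mktemp -d "$STAGE_ROOT/open.XXXXXX") || return 1
    name=$(basename -- "$src")
    if ! cp -- "$src" "$dir/$name"; then
        rm -rf -- "$dir"
        return 1
    fi
    printf '%s\n' "$dir/$name"
}

# Stage the file, run the viewer in the sandbox, then remove only this staging directory.
open_in_sandbox() {
    local staged rc
    staged=$(stage_file "$1") || return 1
    sandbox -X -w 1432x821 evince "$staged"
    rc=$?
    rm -rf -- "$(dirname -- "$staged")"
    return "$rc"
}

# Firefox passes the downloaded file as the first argument.
if [ "$#" -gt 0 ]; then
    open_in_sandbox "$1"
fi
```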