SELinux sandbox, 'Desktop Platform' + openbox

Support for security such as Firewalls and securing linux
tamarin_t
Posts: 7
Joined: 2016/05/25 06:06:21

SELinux sandbox, 'Desktop Platform' + openbox

Post by tamarin_t » 2016/06/16 18:44:20

Why would a SELinux sandboxed X application that runs fine under a GNOME desktop, not run with a bare bones 'Desktop platform' install (openbox as window manager)?

The following sandboxed firefox command works with a 'Minimal desktop' install - i.e., a minimal GNOME desktop:

```
sandbox -t sandbox_web_t -X /bin/sh -c "setxkbmap -rules evdev -model pc105 -layout gb; exec /usr/bin/firefox --safe-mode --private"
```

However, if I run the same command with a 'Desktop platform' only install (X11 only essentially + gnome-terminal + openbox), firefox does not run. No errors are reported, nor does a Xephyr window appear.

Looking through the code, the `sandbox` command (a 500-line Python script) calls `seunshare` with the argument `/usr/share/sandbox/sandboxX.sh`, which in turn runs Xephyr, followed by `/usr/share/sandbox/start $HOME/.sandboxrc`, which then runs firefox. `sandboxrc` is autogenerated by the `sandbox` Python script.

Execution seems to progress no further than attempting to invoke Xephyr, the code at this point in `sandboxX.sh` being:

```
/usr/bin/Xephyr -title 'Sandbox sandbox_web_t:s0:c203,c467 --  /bin/bash ' -terminate -screen 1000x700 -dpi 96 -displayfd 5
```

Note there is no display arg. passed to Xephyr here; my guess is that for some reason with the GNOME desktop $DISPLAY is configured properly, but not with the bare bones 'Desktop platform' install, causing Xephyr to fail (the $DISPLAY env. var. is in fact set to :0.0 at the point when `sandboxX.sh` is called; I would guess it should be set to the next available display).

To summarise, with a 'Desktop platform' only install + openbox, the following `sandbox` command works:

```
sandbox -t sandbox_web_t /bin/bash
```

However, attempt to run an X application with the '-X' option and the code fails at the point of calling Xephyr:

```
sandbox -t sandbox_web_t -X /usr/bin/gnome-terminal
```

Anyone any guesses why a sandboxed X application should run under a GNOME desktop, but not a bare bones openbox X windows desktop?
Last edited by tamarin_t on 2016/06/17 08:25:21, edited 1 time in total.


Re: SELinux sandbox, 'Desktop Platform' + openbox

Post by tamarin_t » 2016/06/17 03:43:12

Adding the 'Minimal desktop' (Desktop group task) on top of the same initial 'Desktop platform' install and logging in with a user created using the `adduser` util., an error is now displayed:

```
/usr/bin/sandbox: User account must be setup with an MCS Range
```

The 'Minimal desktop' install evidently takes care of this (adding users on first run).

The question now then is how to set up an 'MCS Range' when creating a user with adduser (and how to get some basic SELinux training without devoting a lifetime to it!).
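
Added example, not part of the original posts and not code from the `sandbox` script: a shell helper that parses an SELinux context (as printed by `id -Z`) and reports whether its level field carries an MCS category range, on the assumption that this is what the error message above refers to. The sample contexts are constructed, and `unconfined_u` and `USERNAME` in the closing comments are illustrative placeholders.

```shell
#!/bin/sh
# Added example: inspect the MLS/MCS part of an SELinux context string.
# Layout: user:role:type:range, range = low[-high], level = sens[:categories]
# e.g. unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

# Print the range field (everything after the third colon), empty if absent.
context_range() {
    rest=${1#*:}; rest=${rest#*:}
    case $rest in
        *:*) printf '%s\n' "${rest#*:}" ;;
        *)   printf '\n' ;;
    esac
}

# Print the categories of the high (clearance) level, empty if there are none.
clearance_categories() {
    range=$(context_range "$1")
    high=${range##*-}            # level after the last '-', or the only level
    case $high in
        *:*) printf '%s\n' "${high#*:}" ;;
        *)   printf '\n' ;;
    esac
}

# Succeed when the context carries a contiguous category range such as c0.c1023.
has_mcs_range() {
    case $(clearance_categories "$1") in
        c[0-9]*.c[0-9]*) return 0 ;;
        *)               return 1 ;;
    esac
}

report() {
    if has_mcs_range "$1"; then
        echo "MCS range present: $(clearance_categories "$1")"
    else
        echo "no MCS range in '$(context_range "$1")'"
    fi
}

# Constructed sample contexts, not captured from the poster's system.
report "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
report "user_u:user_r:user_t:s0"
# Live check of the current session, skipped where SELinux is unavailable.
if ctx=$(id -Z 2>/dev/null); then report "$ctx"; fi
# Login mappings are listed with:  semanage login -l
# One way to assign a range (seuser and name are illustrative placeholders):
#   semanage login -a -s unconfined_u -r s0-s0:c0.c1023 USERNAME
```

The parser expects raw levels; with mcstransd running, `id -Z` may print translated level names instead of categories. A changed login mapping applies from the user's next login.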
