Bug 691428 - New Package: selinux-sandbox
Summary: New Package: selinux-sandbox
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: All Linux
Importance: Normal enhancement
Assignee: SE Linux Bugs
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-08-04 16:57 UTC by mrl5
Modified: 2019-10-15 19:33 UTC

See Also:
Package list:
Runtime testing required: ---


Description mrl5 2019-08-04 16:57:09 UTC
Looks like selinux-sandbox moved out of policycoreutils: https://github.com/SELinuxProject/selinux/commit/97bf196c8933f736c36fc0735781684a75a9c7d0

I am not able to run selinux-sandbox on Gentoo. Please provide an ebuild/USE flag for selinux-sandbox.
Comment 1 Jason Zaman gentoo-dev 2019-10-07 04:20:54 UTC
Hey,

sesandbox used to exist but was removed a few years ago when there was some security bug, IIRC. I don't think anyone really uses it; what are you looking to use it for? I kind of see sesandbox as a stopgap to writing a proper policy for whatever the program is, and it's more for people using targeted, but we'd recommend going with strict or mcs.

If there is a package that's lacking a policy, I'd much rather go the route of writing a proper policy for it; that way everyone benefits. What package/program are you planning to use it with?
Comment 2 mrl5 2019-10-08 20:23:56 UTC
(In reply to Jason Zaman from comment #1)
> Hey,
> 
> sesandbox used to exist but was removed a few years ago when there was some
> security bug iirc. I don't think anyone really uses it, what are you looking
> to use it for? I kind of see sesandbox as a stopgap to writing a proper
> policy for whatever the program is and its more for people using targeted,
> but we'd recommend going with strict or mcs.
> 
> If there is a package that's lacking a policy i'd much rather go the route
> of writing a proper policy for it that way everyone benefits. What
> package/program are you planning to use it with?

Thanks for the reply. I'm a desktop user and I use the targeted policy type. I'd like to use sesandbox to run some programs (e.g. PDF viewer, media player, web browser) instead of using firejail. sesandbox is available by default in Fedora.

Regarding the CVEs: https://www.cvedetails.com/vulnerability-list/vendor_id-16029/Selinux-Project.html - I think you had CVE-2016-7545 in mind, and it's already fixed.
Comment 3 mrl5 2019-10-13 21:18:54 UTC
(In reply to Jason Zaman from comment #1)

Another scenario:
Let's imagine that I want to visit some malicious website (or in day-to-day browsing I accidentally visited one). It would be better not to run the browser in, e.g., the staff_u:staff_r:chromium_t context together with, e.g., the `chromium_read_generic_user_content` boolean.
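The concern in the comment above is whether the browser actually runs in a confined type and whether a permissive boolean widens what that type may read. The following POSIX shell script is an added example (not from this bug report or from the selinux project) that checks both from `ps -eZ`-style and `getsebool -a`-style text. The process and boolean lines are constructed sample data; on a real system you would feed it the actual output of those two commands. The type `chromium_t` and the boolean name are the ones named in the thread; `unconfined_t` is the standard unconfined domain type.

```shell
#!/bin/sh
# Added example, not part of the bug thread: audit browser confinement.
# Inputs are text in the shape of `ps -eZ` (LABEL PID TTY TIME CMD) and
# `getsebool -a` (NAME --> on|off). The samples below are constructed.

SAMPLE_PS='staff_u:staff_r:chromium_t:s0        4242 ?  00:00:03 chromium
staff_u:staff_r:staff_t:s0                4243 ?  00:00:00 bash
unconfined_u:unconfined_r:unconfined_t:s0 4244 ?  00:00:01 firefox'

SAMPLE_BOOLS='chromium_read_generic_user_content --> on
httpd_can_network_connect --> off'

# Third field of a context label user:role:type:level is the type.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# For every process in $1 whose command name is $2, print
# "<cmd> <pid> <type> confined|UNCONFINED" (one line per process).
browser_confinement() {
    printf '%s\n' "$1" | awk -v cmd="$2" '$NF == cmd {
        split($1, c, ":")
        state = (c[3] == "unconfined_t") ? "UNCONFINED" : "confined"
        print $NF, $2, c[3], state
    }'
}

# Print the state (on/off) of boolean $2 in getsebool text $1,
# or "unknown" when the boolean is not listed at all.
bool_state() {
    printf '%s\n' "$1" | awk -v b="$2" '
        $1 == b { print $3; found = 1 }
        END { if (!found) print "unknown" }'
}

# Usage with the constructed samples.
browser_confinement "$SAMPLE_PS" chromium
browser_confinement "$SAMPLE_PS" firefox
if [ "$(bool_state "$SAMPLE_BOOLS" chromium_read_generic_user_content)" = on ]; then
    echo "warning: chromium_read_generic_user_content is on; chromium_t may read generic user content"
fi
```

Replace the two samples with `ps -eZ` and `getsebool -a` output to run the same check live; a browser reported as UNCONFINED, or the boolean reported as on, is the situation the comment wants to avoid.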
Comment 4 mrl5 2019-10-15 19:33:34 UTC
(In reply to Jason Zaman from comment #1)

Found these two blog posts which describe why sesandbox support was dropped:
http://blog.siphos.be/2014/05/dropping-sesandbox-support/
http://blog.siphos.be/2016/09/we-do-not-ship-selinux-sandbox/

I'll try to install it on my own. On success I'll do a pull request, and then you can decide whether you want it back in Gentoo or not.

My plan is to:
1. introduce a new "sesandbox" USE flag: https://github.com/gentoo/gentoo/blob/57443662e1200e6a2841cfebc4ca8e87cd8a1b39/sys-apps/policycoreutils/policycoreutils-9999.ebuild#L18
2. parametrize these variables:
  - https://github.com/gentoo/gentoo/blob/57443662e1200e6a2841cfebc4ca8e87cd8a1b39/sys-apps/policycoreutils/policycoreutils-9999.ebuild#L114
  - https://github.com/gentoo/gentoo/blob/57443662e1200e6a2841cfebc4ca8e87cd8a1b39/sys-apps/policycoreutils/policycoreutils-9999.ebuild#L133
3. and then introduce a new ebuild for https://github.com/SELinuxProject/selinux/tree/master/sandbox which will be pulled in by `policycoreutils` if the `sesandbox` USE flag is set

Let me know, Jason, what you think about this idea.