Using the following script to run Firefox in an SELinux sandbox:
```
# Random variables for directories, allowing multiple instances
SEhome=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 8 | head -n 1)
SEtemp=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 8 | head -n 1)
mkdir "/tmp/sehome.$SEhome"
mkdir "/tmp/setemp.$SEtemp"
# run sandbox instance
sandbox -X -H "/tmp/sehome.$SEhome" -T "/tmp/setemp.$SEtemp" -t sandbox_web_t -t sandbox_net_t -w 3440x1440 firefox --no-remote
# destroy temporary directories
rm -rf "/tmp/sehome.$SEhome"
rm -rf "/tmp/setemp.$SEtemp"
```
Since Fedora 38, audio no longer works.
audit2allow -s is quiet, and I can't find much in the logs:
/var/log/messages
```
May 25 18:31:14 localhost dbus-broker[1899]: A security policy denied :1.1206 to send method call /org/freedesktop/RealtimeKit1:org.freedesktop.DBus.Properties.Get to org.freedesktop.RealtimeKit1.
May 25 18:31:14 localhost rsyslogd[1821]: imjournal: 27485 messages lost due to rate-limiting (20000 allowed within 600 seconds)
```
/var/log/audit/audit.log
```
type=CRED_ACQ msg=audit(1685032214.075:23247): pid=25443 uid=1000 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_unix acct="root" exe="/usr/bin/su" hostname=? addr=? terminal=/dev/pts/2 res=success'UID="delta" AUID="delta"
type=USER_START msg=audit(1685032214.107:23248): pid=25443 uid=1000 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_umask,pam_xauth acct="root" exe="/usr/bin/su" hostname=? addr=? terminal=/dev/pts/2 res=success'UID="delta" AUID="delta"
type=SERVICE_START msg=audit(1685032231.705:23249): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pcscd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1685032239.160:23250): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=fprintd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=BPF msg=audit(1685032239.168:23251): prog-id=7441 op=UNLOAD
```
Any ideas on where to start? I consider myself semi-proficient with Linux, but I'm no SELinux buff.
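
A triage sketch for the two logs quoted in the post, added here as an example and not part of the original post: it tallies audit record types, counts SELinux denial records (AVC, USER_AVC, SELINUX_ERR), and extracts the bus name that dbus-broker refused. The function names are hypothetical, and the sample lines are shortened copies of the post's log lines.

```shell
#!/bin/sh
# Added example (not from the post): triage the two logs quoted above.
# Sample lines below are shortened copies of the post's log lines.

# Audit record types that carry SELinux denials: kernel AVC, USER_AVC from
# userspace object managers, and SELINUX_ERR.
DENIAL_TYPES='AVC USER_AVC SELINUX_ERR'

# count_types: audit.log text on stdin -> "count type" per record type.
count_types() {
    sed -n 's/^type=\([A-Z_0-9]*\) .*/\1/p' | sort | uniq -c | awk '{print $1, $2}'
}

# count_denials: audit.log text on stdin -> number of denial records.
count_denials() {
    n=0
    while IFS= read -r line; do
        for t in $DENIAL_TYPES; do
            case $line in "type=$t "*) n=$((n + 1)) ;; esac
        done
    done
    echo "$n"
}

# dbus_denied_targets: syslog text on stdin -> destination bus names of
# dbus-broker policy denials (pattern follows the line format in the post).
dbus_denied_targets() {
    sed -n 's/.*dbus-broker\[[0-9]*]: A security policy denied .* to \([^ ]*\)\.$/\1/p' | sort -u
}

sample_audit() {
cat <<'EOF'
type=CRED_ACQ msg=audit(1685032214.075:23247): pid=25443 uid=1000 msg='op=PAM:setcred exe="/usr/bin/su" res=success'
type=USER_START msg=audit(1685032214.107:23248): pid=25443 uid=1000 msg='op=PAM:session_open exe="/usr/bin/su" res=success'
type=SERVICE_START msg=audit(1685032231.705:23249): pid=1 uid=0 msg='unit=pcscd comm="systemd" res=success'
type=SERVICE_STOP msg=audit(1685032239.160:23250): pid=1 uid=0 msg='unit=fprintd comm="systemd" res=success'
type=BPF msg=audit(1685032239.168:23251): prog-id=7441 op=UNLOAD
EOF
}

sample_messages() {
cat <<'EOF'
May 25 18:31:14 localhost dbus-broker[1899]: A security policy denied :1.1206 to send method call /org/freedesktop/RealtimeKit1:org.freedesktop.DBus.Properties.Get to org.freedesktop.RealtimeKit1.
May 25 18:31:14 localhost rsyslogd[1821]: imjournal: 27485 messages lost due to rate-limiting (20000 allowed within 600 seconds)
EOF
}

echo "audit record types:"; sample_audit | count_types
echo "SELinux denial records: $(sample_audit | count_denials)"
echo "D-Bus denied destinations: $(sample_messages | dbus_denied_targets)"
```

On a live system, the same functions can be fed `/var/log/audit/audit.log` and `/var/log/messages` on stdin in place of the embedded samples.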