Bonobo
(sorry for 2 mails - posting on list this time)
What can be done to restrict Bonobo?
My understanding is that Bonobo allows applications to start other
apps, based on searching for a particular capability. Mozilla uses
Bonobo, Evolution uses Bonobo, and pretty much any GNOME app seems
to use Bonobo. What role should SELinux play in this process to
make the system more secure?
We've patched policy to implement per-domain labeling of ORBit sockets,
which restricts which apps can talk to which others over ORBit. However,
that doesn't seem sufficient. Currently Bonobo runs as ROLE_t, and
clients need to connect to it to launch other applications. That means:
(1) All Bonobo clients are given the right to connect to
ROLE_orbit_tmp_t sockets, which is the same as the ORBit
socket type for any ROLE_t applications.
I want to put Bonobo in its own domain, but then it needs
to be able to launch ROLE_t apps, and that becomes a problem.
(2) Bonobo can launch applications that ROLE_t can launch.
The Bonobo client could trick the Bonobo server into launching the
wrong applications.
I'm interested in how userspace object managers work, and whether
such a thing would be appropriate in this situation. It seems
like it would be useful to enforce what can launch what else
over Bonobo, independent of the "search-by-capability" thing.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
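The following policy sketch is an added example, not part of the post above nor of any shipped SELinux or Bonobo policy. It is written in the kernel policy language of the example policy of that era and shows the two steps the post asks about: giving the activation server its own domain (bonobo_t) with its own ORBit socket type, so clients no longer need access to ROLE_orbit_tmp_t (point 1), and letting bonobo_t launch only executables carrying a dedicated entrypoint type rather than anything ROLE_t can run (point 2). Only ROLE_t and ROLE_orbit_tmp_t come from the post; bonobo_t, bonobo_exec_t, bonobo_orbit_tmp_t, bonobo_component_exec_t, ROLE_r and the use of tmp_t for /tmp are assumed names chosen for the example.

```selinux
# Added example policy (hypothetical names; not from the original post).
# ROLE_t and ROLE_orbit_tmp_t are the types named in the post; everything
# else is assumed for illustration.

type bonobo_t, domain;                               # activation server domain
type bonobo_exec_t, file_type, exec_type;            # the server binary
type bonobo_orbit_tmp_t, file_type;                  # the server's own ORBit socket type
type bonobo_component_exec_t, file_type, exec_type;  # assumed label for activatable components
role ROLE_r types bonobo_t;                          # ROLE_r assumed as the role paired with ROLE_t

# A ROLE_t client starts the server and transitions it into bonobo_t.
allow ROLE_t bonobo_exec_t:file { read getattr execute };
allow ROLE_t bonobo_t:process transition;
allow bonobo_t bonobo_exec_t:file entrypoint;
type_transition ROLE_t bonobo_exec_t:process bonobo_t;

# The server's socket under /tmp (assumed tmp_t) is created as
# bonobo_orbit_tmp_t, so it is distinct from ROLE_orbit_tmp_t.
allow bonobo_t tmp_t:dir { search write add_name remove_name };
allow bonobo_t bonobo_orbit_tmp_t:sock_file { create getattr setattr unlink };
type_transition bonobo_t tmp_t:sock_file bonobo_orbit_tmp_t;
allow bonobo_t self:unix_stream_socket { create bind listen accept read write getattr setattr };

# Point (1): clients get access to the server's socket only. No rule here
# grants ROLE_orbit_tmp_t to clients, so connecting to the server no
# longer implies connecting to every other ROLE_t application's socket.
allow ROLE_t bonobo_orbit_tmp_t:sock_file write;
allow ROLE_t bonobo_t:unix_stream_socket connectto;

# Point (2): bonobo_t may execute only files labelled bonobo_component_exec_t,
# and those run as ROLE_t. The server cannot exec arbitrary ROLE_t programs,
# so a client cannot talk it into launching something outside that set;
# what remains to be protected is the labelling of those component files.
allow bonobo_t bonobo_component_exec_t:file { read getattr execute };
allow bonobo_t ROLE_t:process transition;
allow ROLE_t bonobo_component_exec_t:file entrypoint;
type_transition bonobo_t bonobo_component_exec_t:process ROLE_t;
```

The per-capability search itself still happens inside bonobo_t and is not visible to the kernel; this fragment only bounds what can be launched, not which capability was asked for, which is the gap a userspace object manager would be needed to close.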