<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Try <br>
<br>
semodule -e sandbox<br>
<br>
We disable the sandbox policy by default.<br>
<br>
<br>
<div class="moz-cite-prefix">On 05/28/2015 01:48 PM, Bhuvan Gupta
wrote:<br>
</div>
<blockquote
cite="mid:CAF4ab9XJ2A1fFy7_AKehwWVkarerz0v-CDJ+2aufAnPQ41tyaA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>Running the following command gives the AVC below</div>
<div>>>>sandbox ./a.out 2>err </div>
<div><br>
</div>
<div>SELinux is preventing /a.out from write access on the file
.</div>
<div><br>
</div>
<div>***** Plugin leaks (86.2 confidence) suggests
*****************************</div>
<div><br>
</div>
<div>If you want to ignore a.out trying to write access the
file, because you believe it should not need this access.</div>
<div>Then you should report this as a bug. </div>
<div>You can generate a local policy module to dontaudit this
access.</div>
<div>Do</div>
<div># grep /a.out /var/log/audit/audit.log | audit2allow -D -M
mypol</div>
<div># semodule -i mypol.pp</div>
<div><br>
</div>
<div>***** Plugin catchall (14.7 confidence) suggests
**************************</div>
<div><br>
</div>
<div>If you believe that a.out should be allowed write access on
the file by default.</div>
<div>Then you should report this as a bug.</div>
<div>You can generate a local policy module to allow this
access.</div>
<div>Do</div>
<div>allow this access for now by executing:</div>
<div># grep a.out /var/log/audit/audit.log | audit2allow -M
mypol</div>
<div># semodule -i mypol.pp</div>
<div><br>
</div>
<div>Additional Information:</div>
<div>Source Context
unconfined_u:unconfined_r:sandbox_t:s0:c296,c597</div>
<div>Target Context
unconfined_u:object_r:etc_runtime_t:s0</div>
<div>Target Objects [ file ]</div>
<div>Source a.out</div>
<div>Source Path /a.out</div>
<div>Port &lt;Unknown&gt;</div>
<div>Host localhost.localdomain</div>
<div>Source RPM Packages </div>
<div>Target RPM Packages </div>
<div>Policy RPM
selinux-policy-3.13.1-23.el7.noarch</div>
<div>Selinux Enabled True</div>
<div>Policy Type targeted</div>
<div>Enforcing Mode Enforcing</div>
<div>Host Name localhost.localdomain</div>
<div>Platform Linux localhost.localdomain
3.10.0-121.el7.x86_64</div>
<div> #1 SMP Tue Apr 8 10:48:19 EDT
2014 x86_64 x86_64</div>
<div>Alert Count 1</div>
<div>First Seen 2015-05-28 23:11:59 IST</div>
<div>Last Seen 2015-05-28 23:11:59 IST</div>
<div>Local ID
cd5a2639-5a52-4b0f-95e1-bf3d3c965dd4</div>
<div><br>
</div>
<div>Raw Audit Messages</div>
<div>type=AVC msg=audit(1432834919.99:391): avc: denied {
write } for pid=2626 comm="a.out" path="/err" dev="dm-0"
ino=736779
scontext=unconfined_u:unconfined_r:sandbox_t:s0:c296,c597
tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file</div>
<div><br>
</div>
<div><br>
</div>
<div>type=SYSCALL msg=audit(1432834919.99:391): arch=x86_64
syscall=execve success=yes exit=0 a0=330a3f0 a1=330eaa0
a2=7fff6a67fe50 a3=7fff6a67e840 items=0 ppid=2625 pid=2626
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts0 ses=1 comm=a.out exe=/a.out
subj=unconfined_u:unconfined_r:sandbox_t:s0:c296,c597
key=(null)</div>
<div><br>
</div>
<div>Hash: a.out,sandbox_t,etc_runtime_t,file,write</div>
<div><br>
</div>
<div><br>
</div>
<div>Thanks</div>
<div>Bhuvan</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, May 28, 2015 at 3:53 PM, Daniel
J Walsh <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:dwalsh@redhat.com" target="_blank">dwalsh@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> What AVCs are you
seeing?<br>
<br>
audit2allow -la
<div>
<div class="h5"><br>
<br>
<div>On 05/23/2015 07:19 AM, Bhuvan Gupta wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div class="h5">
<div dir="ltr">MORE INFO
<div><br>
</div>
<div>content of Test.cpp</div>
<div>
<div style="font-size:12.8000001907349px"><i>#include &lt;cstdio&gt;</i></div>
<div style="font-size:12.8000001907349px"><i>int main(void) {</i></div>
<div style="font-size:12.8000001907349px"><i>    /* written by the program itself, so 2&gt;err captures it */</i></div>
<div style="font-size:12.8000001907349px"><i>    fprintf(stderr, "error\n");</i></div>
<div style="font-size:12.8000001907349px"><i>    return 0;</i></div>
<div style="font-size:12.8000001907349px"><i>}</i></div>
</div>
<div><br>
</div>
<div>compile it, and now</div>
<div><i>./a.out </i></div>
<div>prints error to the console</div>
<div><br>
</div>
<div><i>./a.out 2> err</i></div>
<div>prints to the err file</div>
<div><br>
</div>
<div><i>sandbox ./a.out 2>err</i></div>
<div>nothing gets printed on the console or in the err
file.</div>
<div>Is sandbox eating it up?</div>
<div><br>
</div>
<div>Thanks</div>
<div>Bhuvan</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Sat, May 23, 2015 at
4:02 PM, Bhuvan Gupta <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:bhuvangu@gmail.com"
target="_blank">bhuvangu@gmail.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div dir="ltr">EXTRA INFO:
<div><br>
</div>
<div>even if I run </div>
<div><i>sandbox ./a.out</i></div>
<div><i><br>
</i></div>
<div>even then it doesn't print the floating
point error on the console</div>
</div>
<div>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Sat, May 23,
2015 at 3:40 PM, Bhuvan Gupta <span
dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:bhuvangu@gmail.com"
target="_blank">bhuvangu@gmail.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div dir="ltr">
<div>Hello All,</div>
<div><br>
</div>
<div>I have a Test.cpp which is
run under sandbox (RHEL7):<br>
</div>
<div><br>
</div>
<div>Test.cpp content:</div>
<div>#include &lt;cstdio&gt;</div>
<div>int main(void) {</div>
<div>    int a = 1 / 0;  /* deliberate: raises SIGFPE at run time */</div>
<div>    return 0;</div>
<div>}</div>
<div><br>
</div>
<div>compile it using gcc (4.8)
Test.cpp, which produces
a.out</div>
<div>Now running a.out prints a
floating point exception on the
console</div>
<div><br>
</div>
<div>Now I thought that if I
redirect stderr to a file, I
would expect the error to be printed
in the file.</div>
<div>But that is not the case; it
still continues to print to the
console.</div>
<div>Googling reveals that under
such an exception the program is
terminated immediately, and if
you capture the stderr of bash
then it should be redirected.</div>
<div>So I ran</div>
<div><i>su -c ./a.out 2>err </i></div>
<div>Bingo, the error gets printed in the
err file.</div>
<div><br>
</div>
<div>Now the MAIN GAME STARTS</div>
<div>I want to run it under
sandbox, </div>
<div>so I run:</div>
<div><i>su -c 'sandbox ./a.out
1>out 2>err'</i></div>
<div>But nothing is printed
in the err file or on the console.</div>
<div><br>
</div>
<div>How do I capture stdout and
stderr in such a situation?</div>
<div><br>
</div>
<div><br>
</div>
<div>Thanks</div>
<span><font color="#888888">
<div>Bhuvan</div>
</font></span></div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset></fieldset>
<br>
</div>
</div>
<span class="">
<pre>--
selinux mailing list
<a moz-do-not-send="true" href="mailto:selinux@lists.fedoraproject.org" target="_blank">selinux@lists.fedoraproject.org</a>
<a moz-do-not-send="true" href="https://admin.fedoraproject.org/mailman/listinfo/selinux" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/selinux</a></pre>
</span></blockquote>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
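<div>Added example, not part of the thread above and not code from the SELinux policy project. It covers two points raised in the messages. First, without needing SELinux, it shows where the "Floating point exception" text the original poster saw comes from: the shell that reaps the child prints it, a.out never does, so <i>./a.out 2>err</i> cannot capture it, while the <i>su -c ./a.out 2>err</i> form does because there the reporting shell itself is the redirected process. A process that kills itself with SIGFPE (signal 8 on Linux) stands in for a.out, and <i>bash -c</i> stands in both for the interactive shell and for <i>su -c</i>. Second, it reduces the raw AVC line quoted above (copied from the thread, not constructed) to the allow rule that the <i>audit2allow -M mypol</i> step suggested by sealert would write. The names err1, err2, case1, case2, avc_field and avc_to_allow are this example's own.</div>
<br>
```shell
#!/bin/sh
# Added example for the thread above; not code from the original posts or
# from the SELinux policy project. err1, err2, case1, case2, avc_field and
# avc_to_allow are names chosen for this example.

# Stand-in for the OP's a.out: a process that dies of SIGFPE (signal 8 on
# Linux) without writing anything itself. The "Floating point exception"
# line is printed by the parent shell when it reaps a child killed by a
# signal; the child never emits it, so redirecting the child's fd 2 cannot
# capture it.
die_sigfpe='sh -c "kill -8 \$\$"'

# Case 1: "./a.out 2>err" typed at a shell prompt. Only a.out's own stderr
# is redirected; the shell that reports the signal still writes to the
# terminal. "bash -c" stands in for the interactive shell; the trailing
# "exit $?" stops bash from exec()ing the single command, so bash is still
# there to reap the child and report the signal (status 128+8 = 136).
case1() {
    rm -f err1
    rc=0
    bash -c "$die_sigfpe 2>err1; exit \$?" || rc=$?
    if [ -s err1 ]; then c=yes; else c=no; fi
    echo "rc=$rc captured=$c"          # rc=136 captured=no
}

# Case 2: the "su -c ./a.out 2>err" pattern. The reporting shell is itself
# the redirected process, so its report lands in err2.
case2() {
    rm -f err2
    rc=0
    bash -c "$die_sigfpe; exit \$?" 2>err2 || rc=$?
    if grep -q 'Floating point exception' err2; then c=yes; else c=no; fi
    echo "rc=$rc captured=$c"          # rc=136 captured=yes
}

# The raw AVC from the report above (copied from the thread).
AVC='type=AVC msg=audit(1432834919.99:391): avc: denied { write } for pid=2626 comm="a.out" path="/err" dev="dm-0" ino=736779 scontext=unconfined_u:unconfined_r:sandbox_t:s0:c296,c597 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file'

# Value of an unquoted key=value field in an audit line.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*$2=\([^ ]*\).*/\1/p"
}

# Reduce one AVC line to the rule "audit2allow -M mypol" would write for it:
# source type and target type are the third field of each context, the
# object class is tclass, and the permission set is the braced list.
avc_to_allow() {
    perms=$(printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p')
    src=$(avc_field "$1" scontext | cut -d: -f3)
    tgt=$(avc_field "$1" tcontext | cut -d: -f3)
    cls=$(avc_field "$1" tclass)
    # $perms is left unquoted on purpose to normalise its spacing.
    printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$(echo $perms)"
}

case1
case2
avc_to_allow "$AVC"        # allow sandbox_t etc_runtime_t:file { write };
```
<br>
<div>Run it with sh. case1 reports rc=136 with err1 empty (bash's report went to the console), case2 reports rc=136 with the report captured in err2, and avc_to_allow prints <i>allow sandbox_t etc_runtime_t:file { write };</i>. That rule is type-wide: it lets anything running in sandbox_t write every file labelled etc_runtime_t, not only /err, so check that breadth is what you want before <i>semodule -i mypol.pp</i>. The reply at the top of this message takes the other route and enables the sandbox policy module instead.</div>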
<br>
</body>
</html>