Are you doing this via an init script and creating content in /etc? or /?
Try to create the content in /tmp
Or precreate the content with a label other than etc_runtime_t.
On 05/28/2015 03:13 PM, Bhuvan Gupta wrote:
Yep did that no change in behaviour.
On Fri, May 29, 2015 at 12:18 AM, Daniel J Walsh <dwalsh(a)redhat.com> wrote:
Try
semodule -e sandbox
We disable sandbox policy by default.
On 05/28/2015 01:48 PM, Bhuvan Gupta wrote:
> Running the following command gives the below AVC
> >>>sandbox ./a.out 2>err
>
> SELinux is preventing /a.out from write access on the file .
>
> ***** Plugin leaks (86.2 confidence) suggests
> *****************************
>
> If you want to ignore a.out trying to write access the file,
> because you believe it should not need this access.
> Then you should report this as a bug.
> You can generate a local policy module to dontaudit this access.
> Do
> # grep /a.out /var/log/audit/audit.log | audit2allow -D -M mypol
> # semodule -i mypol.pp
>
> ***** Plugin catchall (14.7 confidence) suggests
> **************************
>
> If you believe that a.out should be allowed write access on the
> file by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # grep a.out /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
> Additional Information:
> Source Context unconfined_u:unconfined_r:sandbox_t:s0:c296,c597
> Target Context unconfined_u:object_r:etc_runtime_t:s0
> Target Objects [ file ]
> Source a.out
> Source Path /a.out
> Port <Unknown>
> Host localhost.localdomain
> Source RPM Packages
> Target RPM Packages
> Policy RPM selinux-policy-3.13.1-23.el7.noarch
> Selinux Enabled True
> Policy Type targeted
> Enforcing Mode Enforcing
> Host Name localhost.localdomain
> Platform Linux localhost.localdomain 3.10.0-121.el7.x86_64 #1 SMP Tue Apr 8 10:48:19 EDT 2014 x86_64 x86_64
> Alert Count 1
> First Seen 2015-05-28 23:11:59 IST
> Last Seen 2015-05-28 23:11:59 IST
> Local ID cd5a2639-5a52-4b0f-95e1-bf3d3c965dd4
>
> Raw Audit Messages
> type=AVC msg=audit(1432834919.99:391): avc: denied { write } for pid=2626 comm="a.out" path="/err" dev="dm-0" ino=736779 scontext=unconfined_u:unconfined_r:sandbox_t:s0:c296,c597 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file
>
>
> type=SYSCALL msg=audit(1432834919.99:391): arch=x86_64 syscall=execve success=yes exit=0 a0=330a3f0 a1=330eaa0 a2=7fff6a67fe50 a3=7fff6a67e840 items=0 ppid=2625 pid=2626 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=a.out exe=/a.out subj=unconfined_u:unconfined_r:sandbox_t:s0:c296,c597 key=(null)
>
> Hash: a.out,sandbox_t,etc_runtime_t,file,write
>
>
> Thanks
> Bhuvan
>
>
> On Thu, May 28, 2015 at 3:53 PM, Daniel J Walsh <dwalsh(a)redhat.com> wrote:
>
> What AVC's are you seeing?
>
> audit2allow -la
>
>
> On 05/23/2015 07:19 AM, Bhuvan Gupta wrote:
>> MORE INFO
>>
>> content of Test.cpp:
>> #include <stdio.h>
>> int main(void) {
>>     fprintf(stderr, "error\n");
>>     return 0;
>> }
>>
>> compile it and now
>> ./a.out
>> prints error to console
>>
>> ./a.out 2> err
>> prints to err file
>>
>> sandbox ./a.out 2>err
>> nothing gets printed on console or in err file.
>> Is sandbox eating it up?
>>
>> Thanks
>> Bhuvan
>>
>>
>>
>>
>> On Sat, May 23, 2015 at 4:02 PM, Bhuvan Gupta <bhuvangu(a)gmail.com> wrote:
>>
>> EXTRA INFO:
>>
>> even if I run
>> sandbox ./a.out
>>
>> Even then it doesn't print the floating point error on console
>>
>> On Sat, May 23, 2015 at 3:40 PM, Bhuvan Gupta <bhuvangu(a)gmail.com> wrote:
>>
>> Hello All,
>>
>> I have a Test.cpp which is run under sandbox (RHEL7):
>>
>> Test.cpp content:
>> #include <stdio.h>
>> int main(void) {
>>     int a = 1/0;  /* deliberate division by zero to raise SIGFPE */
>>     return 0;
>> }
>>
>> compile it using gcc (4.8) Test.cpp, which produces
>> the a.out.
>> Now running a.out prints "floating point exception"
>> on the console.
>>
>> Now I thought that if I redirect stderr to a file, I
>> expect the error to be printed in the file.
>> But that is not the case; it still continues to print
>> to the console.
>> Googling reveals that under such an exception the
>> program is terminated immediately, and if you capture
>> the stderr of bash then it should redirect.
>> So I run
>> su -c ./a.out 2>err
>> Bingo, the error gets printed in the err file.
>>
>> Now the MAIN GAME STARTS
>> I want to run it under sandbox
>> so I run:
>> su -c 'sandbox ./a.out 1>out 2>err'
>> But there is nothing printed in the err file or on the console.
>>
>> How to capture stdout and stderr in such a situation?
>>
>>
>> Thanks
>> Bhuvan
>>
>>
>>
>>
>>
>> --
>> selinux mailing list
>> selinux(a)lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
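As an added example (not part of the thread, and not SELinux or setroubleshoot code), a small Python triage script for the raw AVC record quoted above: it splits the record into fields, rebuilds the five-part "Hash:" line setroubleshoot printed, and maps the sandbox_t-on-etc_runtime_t write denial to Dan's advice about creating the file under /tmp or with another label. The sample record is the thread's AVC re-joined onto one line; the Hash layout (comm, source type, target type, class, permissions) and the /tmp suggestion are assumptions taken from this thread alone.

```python
import re
from dataclasses import dataclass

SAMPLE_AVC = (  # constructed sample: the thread's AVC record re-joined onto one line
    'type=AVC msg=audit(1432834919.99:391): avc: denied { write } '
    'for pid=2626 comm="a.out" path="/err" dev="dm-0" ino=736779 '
    'scontext=unconfined_u:unconfined_r:sandbox_t:s0:c296,c597 '
    'tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file'
)
AVC_RE = re.compile(
    r'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc: '
    r'(?P<result>denied|granted) +\{ (?P<perms>[^}]+)\} for (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # key=value, value may be quoted

@dataclass
class Avc:
    serial: int
    result: str
    perms: list
    fields: dict

    def type_of(self, ctx_key):
        # A context is user:role:type[:level]; the type is the third field.
        return self.fields[ctx_key].split(":")[2]

    def signature(self):
        # setroubleshoot's "Hash:" tuple (assumed: comm,src type,tgt type,class,perms)
        return ",".join([self.fields["comm"], self.type_of("scontext"),
                         self.type_of("tcontext"), self.fields["tclass"],
                         " ".join(self.perms)])

def parse_avc(line):
    m = AVC_RE.search(line.strip())
    if not m:
        return None  # not a type=AVC record (e.g. the SYSCALL line)
    fields = {k: (q or v) for k, v, q in KV_RE.findall(m.group("rest"))}
    return Avc(int(m.group("serial")), m.group("result"),
               m.group("perms").split(), fields)

def triage(avc):
    """Explain a denial in terms of the advice given in the thread."""
    src, tgt = avc.type_of("scontext"), avc.type_of("tcontext")
    perms, cls = " ".join(avc.perms), avc.fields["tclass"]
    if avc.result != "denied":
        return "not a denial"
    if src == "sandbox_t" and tgt == "etc_runtime_t":
        return (f"{avc.fields['comm']} in sandbox_t cannot {perms} {cls} "
                f"{avc.fields.get('path', '?')} labelled etc_runtime_t: "
                "create it under /tmp or pre-create it with another label")
    return f"{src} denied {perms} on {tgt} ({cls})"
```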