Try
semodule -e sandbox
We disable sandbox policy by default.
On 05/28/2015 01:48 PM, Bhuvan Gupta wrote:
Running the following command gives the below AVC:
>>>sandbox ./a.out 2>err
SELinux is preventing /a.out from write access on the file .
***** Plugin leaks (86.2 confidence) suggests
*****************************
If you want to ignore a.out trying to write access the file, because
you believe it should not need this access.
Then you should report this as a bug.
You can generate a local policy module to dontaudit this access.
Do
# grep /a.out /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp
***** Plugin catchall (14.7 confidence) suggests
**************************
If you believe that a.out should be allowed write access on the file
by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep a.out /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context
unconfined_u:unconfined_r:sandbox_t:s0:c296,c597
Target Context unconfined_u:object_r:etc_runtime_t:s0
Target Objects [ file ]
Source a.out
Source Path /a.out
Port <Unknown>
Host localhost.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-23.el7.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 3.10.0-121.el7.x86_64 #1 SMP Tue Apr 8 10:48:19 EDT 2014 x86_64 x86_64
Alert Count 1
First Seen 2015-05-28 23:11:59 IST
Last Seen 2015-05-28 23:11:59 IST
Local ID cd5a2639-5a52-4b0f-95e1-bf3d3c965dd4
Raw Audit Messages
type=AVC msg=audit(1432834919.99:391): avc: denied { write } for pid=2626 comm="a.out" path="/err" dev="dm-0" ino=736779 scontext=unconfined_u:unconfined_r:sandbox_t:s0:c296,c597 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file
type=SYSCALL msg=audit(1432834919.99:391): arch=x86_64 syscall=execve success=yes exit=0 a0=330a3f0 a1=330eaa0 a2=7fff6a67fe50 a3=7fff6a67e840 items=0 ppid=2625 pid=2626 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=a.out exe=/a.out subj=unconfined_u:unconfined_r:sandbox_t:s0:c296,c597 key=(null)
Hash: a.out,sandbox_t,etc_runtime_t,file,write
Thanks
Bhuvan
On Thu, May 28, 2015 at 3:53 PM, Daniel J Walsh <dwalsh(a)redhat.com> wrote:
What AVCs are you seeing?
audit2allow -la
On 05/23/2015 07:19 AM, Bhuvan Gupta wrote:
> MORE INFO
>
> content of Test.cpp
> #include <stdio.h>
> int main(void) {
>     fprintf(stderr, "error\n");
>     return 0;
> }
>
> compile it and now
> ./a.out
> prints error to console
>
> ./a.out 2> err
> prints to err file
>
> sandbox ./a.out 2>err
> nothing gets printed on console or in err file.
> Is sandbox eating it up?
>
> Thanks
> Bhuvan
>
> On Sat, May 23, 2015 at 4:02 PM, Bhuvan Gupta <bhuvangu(a)gmail.com> wrote:
>
> EXTRA INFO:
>
> even if I run
> sandbox ./a.out
>
> Even then it doesn't print the floating point error on the console
>
> On Sat, May 23, 2015 at 3:40 PM, Bhuvan Gupta <bhuvangu(a)gmail.com> wrote:
>
> Hello All,
>
> I have a Test.cpp which is run under sandbox (RHEL7):
>
> Test.cpp content:
> #include <stdio.h>
> int main(void) {
>     int a = 1/0;   /* integer division by zero: raises SIGFPE at run time */
>     return 0;
> }
>
> compile it using gcc (4.8) Test.cpp, which produces the a.out.
> Now running a.out prints a floating point exception on the
> console.
>
> Now I thought that if I redirect stderr to a file, I
> expect the error to be printed in the file.
> But that is not the case; it still continues to print on the
> console.
> Googling reveals that under such an exception the program is
> terminated immediately, and if you capture the stderr of
> bash then it should redirect.
> So I run
> su -c ./a.out 2>err
> Bingo, the error gets printed in the err file.
>
> Now the MAIN GAME STARTS
> I want to run it under sandbox
> so I run:
> su -c 'sandbox ./a.out 1>out 2>err'
> But there is nothing printed in the err file or on the console.
>
> How do I capture stdout and stderr in such a situation?
>
> Thanks
> Bhuvan
>
> --
> selinux mailing list
> selinux(a)lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
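The raw AVC record quoted in the thread, worked through as an added example (not code from the thread, from setroubleshoot or from audit2allow): a small Python parser that pulls the source type, target type, object class and permission out of audit.log records, rebuilds the "Hash:" line setroubleshoot prints, and derives the allow rule that the suggested "grep ... | audit2allow -M mypol" step would write into mypol.te. The sample records are constructed from the denial above, and audit2allow's exact rule formatting is an assumption.

```python
import re

# Constructed sample lines, taken from the AVC and SYSCALL records quoted in
# the thread and re-joined onto one line each, as audit.log stores them.
SAMPLE_LOG = [
    'type=AVC msg=audit(1432834919.99:391): avc:  denied  { write } for '
    'pid=2626 comm="a.out" path="/err" dev="dm-0" ino=736779 '
    'scontext=unconfined_u:unconfined_r:sandbox_t:s0:c296,c597 '
    'tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1432834919.99:391): arch=x86_64 syscall=execve '
    'success=yes exit=0 ppid=2625 pid=2626 uid=0 comm=a.out exe=/a.out '
    'subj=unconfined_u:unconfined_r:sandbox_t:s0:c296,c597 key=(null)',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the parts of an AVC denial record, or None for other records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    # A context is user:role:type:level; only the type matters for the rule,
    # so the MCS categories (c296,c597) sandbox assigns to sandbox_t are dropped.
    return {
        'perms': m.group(1).split(),
        'comm': fields.get('comm', ''),
        'stype': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
    }

def denial_hash(d):
    """The 'Hash:' line setroubleshoot prints: comm,stype,ttype,tclass,perms."""
    return ','.join([d['comm'], d['stype'], d['ttype'], d['tclass'],
                     ' '.join(d['perms'])])

def allow_rule(d):
    """The allow rule 'audit2allow -M mypol' would put in mypol.te (assumed format)."""
    p = d['perms'][0] if len(d['perms']) == 1 else '{ %s }' % ' '.join(d['perms'])
    return 'allow %s %s:%s %s;' % (d['stype'], d['ttype'], d['tclass'], p)

def sandbox_denials(lines):
    """Only denials whose source is the sandbox domain, the case in this thread."""
    return [d for d in map(parse_avc, lines) if d and d['stype'] == 'sandbox_t']

if __name__ == '__main__':
    for d in sandbox_denials(SAMPLE_LOG):
        print('Hash:', denial_hash(d), '->', allow_rule(d))
```

The thread's own resolution is Dan Walsh's "semodule -e sandbox", since the sandbox policy module is disabled by default; the allow module is only the generic fallback that setroubleshoot suggests.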