On 24 June 2011 13:56, Daniel J Walsh <dwalsh@redhat.com> wrote:
....
Well I know Chrome does not run under the sandbox.  On firefox5, try turning off the dontaudit rules and see whether it generates any AVC messages:

# semodule -DB
> sandbox -X -t sandbox_web_t -W metacity firefox5
# ausearch -m avc -ts recent
# semodule -B

----
time->Fri Jun 24 19:03:01 2011
type=SYSCALL msg=audit(1308938581.872:1712): arch=40000003 syscall=11 success=yes exit=0 a0=22070780 a1=2e918708 a2=0 a3=0 items=0 ppid=11813 pid=11827 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="setfiles" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1308938581.872:1712): avc:  denied  { noatsecure } for  pid=11827 comm="setfiles" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1308938581.872:1712): avc:  denied  { siginh } for  pid=11827 comm="setfiles" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1308938581.872:1712): avc:  denied  { rlimitinh } for  pid=11827 comm="setfiles" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
----
time->Fri Jun 24 19:04:59 2011
type=SYSCALL msg=audit(1308938699.627:1714): arch=40000003 syscall=11 success=yes exit=0 a0=8b92188 a1=8b921a0 a2=8b93ba8 a3=8b921a0 items=0 ppid=11832 pid=11839 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="Xephyr" exe="/usr/bin/Xephyr" subj=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c396,c934 key=(null)
type=AVC msg=audit(1308938699.627:1714): avc:  denied  { noatsecure } for  pid=11839 comm="Xephyr" scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 tcontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c396,c934 tclass=process
type=AVC msg=audit(1308938699.627:1714): avc:  denied  { siginh } for  pid=11839 comm="Xephyr" scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 tcontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c396,c934 tclass=process
type=AVC msg=audit(1308938699.627:1714): avc:  denied  { rlimitinh } for  pid=11839 comm="Xephyr" scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 tcontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c396,c934 tclass=process
----
time->Fri Jun 24 19:05:00 2011
type=SYSCALL msg=audit(1308938700.103:1715): arch=40000003 syscall=11 success=yes exit=0 a0=8b93ef0 a1=8b92d90 a2=8b93db0 a3=8b92d90 items=0 ppid=11840 pid=11846 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="start" exe="/usr/bin/python" subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 key=(null)
type=AVC msg=audit(1308938700.103:1715): avc:  denied  { noatsecure } for  pid=11846 comm="start" scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 tcontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 tclass=process
type=AVC msg=audit(1308938700.103:1715): avc:  denied  { siginh } for  pid=11846 comm="start" scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 tcontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 tclass=process
type=AVC msg=audit(1308938700.103:1715): avc:  denied  { rlimitinh } for  pid=11846 comm="start" scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 tcontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 tclass=process
----
time->Fri Jun 24 19:04:59 2011
type=SYSCALL msg=audit(1308938699.592:1713): arch=40000003 syscall=11 success=yes exit=0 a0=bf99f5ed a1=bf99e7f4 a2=20a04f28 a3=0 items=0 ppid=11831 pid=11832 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="sandboxX.sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 key=(null)
type=AVC msg=audit(1308938699.592:1713): avc:  denied  { read write } for  pid=11832 comm="sandboxX.sh" path="/dev/pts/0" dev=devpts ino=3 scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1308938699.592:1713): avc:  denied  { read write } for  pid=11832 comm="sandboxX.sh" path="/dev/pts/0" dev=devpts ino=3 scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1308938699.592:1713): avc:  denied  { read write } for  pid=11832 comm="sandboxX.sh" path="/dev/pts/0" dev=devpts ino=3 scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
----
time->Fri Jun 24 19:05:00 2011
type=SYSCALL msg=audit(1308938700.685:1716): arch=40000003 syscall=5 success=no exit=-13 a0=71c252 a1=8000 a2=1b6 a3=0 items=0 ppid=11853 pid=11854 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="dbus-daemon" exe="/bin/dbus-daemon" subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 key=(null)
type=AVC msg=audit(1308938700.685:1716): avc:  denied  { read } for  pid=11854 comm="dbus-daemon" name="config" dev=dm-2 ino=32330 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
----
time->Fri Jun 24 19:05:00 2011
type=SYSCALL msg=audit(1308938700.693:1717): arch=40000003 syscall=11 success=no exit=-13 a0=bfde9f06 a1=8e2c058 a2=8e37ad8 a3=8e37ad8 items=0 ppid=11848 pid=11852 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="dbus-launch" exe="/usr/bin/dbus-launch" subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 key=(null)
type=AVC msg=audit(1308938700.693:1717): avc:  denied  { execute } for  pid=11852 comm="dbus-launch" name="firefox" dev=dm-2 ino=263286 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file