5:25 p.m.
On 23 June 2011 13:22, Daniel J Walsh <dwalsh(a)redhat.com> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 06/23/2011 06:29 AM, GSO wrote:
> This thread went offline, however to bring things back online, it
> appears at least the binary download (running on SL6) of Firefox 5 just
> released does not work in the sandbox either. The SELinux audit
> messages are:
>
> Jun 22 21:40:22 localhost kernel: SELinux: Permission audit_access in
> class dir not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux: Permission execmod in class
> dir not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux: Permission audit_access in
> class lnk_file not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux: Permission open in class
> lnk_file not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux: Permission execmod in class
> lnk_file not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux: Permission audit_access in
> class chr_file not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux: Permission audit_access in
> class blk_file not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux: Permission execmod in class
> blk_file not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux: Permission audit_access in
> class sock_file not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux: Permission execmod in class
> sock_file not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux: Permission audit_access in
> class fifo_file not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux: Permission execmod in class
> fifo_file not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux: Permission syslog in class
> capability2 not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux: the above unknown classes and
> permissions will be allowed
> Jun 22 21:40:24 localhost dbus: avc: received policyload notice
(seqno=5)
> Jun 22 21:40:24 localhost dbus: avc: received policyload notice
(seqno=5)
> Jun 22 21:40:24 localhost dbus: avc: received policyload notice
(seqno=5)
> Jun 22 21:40:24 localhost dbus: avc: received policyload notice
(seqno=5)
> Jun 22 21:40:24 localhost dbus: avc: received policyload notice
(seqno=5)
> Jun 22 21:40:24 localhost dbus: [system] Reloaded configuration
>
> The sandbox window starts up but crashes before any sign of FF
> materialises, works fine in permissive mode or unsandboxed otherwise.
> I've put the FF binaries in /opt.
>
> On 19 June 2011 17:53, Dominick Grift <domg472(a)gmail.com
> <mailto:domg472@gmail.com>> wrote:
>
>
>
> On Sun, 2011-06-19 at 13:57 +0100, GSO wrote:
> > The default build using the google repos results in chromium
> grinding to a
> > halt with a black window when run in a sandbox. Is it technically
> possible
> > to run chrome in a sandbox, would building from source fix this at
> all?
>
> I do not think it will work since both sandbox an chrome use
namespace
> and chrome cant run if sandbox already runs in a namespace (or
something
> along those lines is my understanding if this issue)
>
> > --
> > selinux mailing list
> > selinux(a)lists.fedoraproject.org
> <mailto:selinux@lists.fedoraproject.org>
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
>
>
> --
> selinux mailing list
> selinux(a)lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
I looked for firefox5 x86_64 and did not quickly find it, if you know
where there is a link, I will look into what is going on, otherwise I
will wait until Fedora Packages it. It does seem strange that you are
getting those
Permission audit_access in class sock_file not defined in policy.
errors, What OS are you using? What kernel?
That was Scientific Linux 6, I was also running Tor (through openvpn), so
that might have complicated matters. I had also been messing around with
Tor to get it to send all net traffic through tor, and the install was
tainted at that point (I never was able to get that to work, similar SELInux
audit errors to the above funnily enough). I had also built and installed
the latest kernel as I have to do to get my webcams working (2 cams I have
do not work with the default RHEL6 kernel).
However I've just installed the Fedora security spin, should be an untainted
install (I am 'under attack' here!), Firefox 5 likewise crashes, though with
no SELinux audit messages in /var/log/messages as far as I can see (just a
few 'received policyload notice' lines).
Likewise chromium grinds to a halt at the usual black background, no SELinux
audit messages again, not even the 'policyload' notice ones (assuming I've
got it set up properly to report them).
7:56 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 06/23/2011 06:25 PM, GSO wrote:
On 23 June 2011 13:22, Daniel J Walsh <dwalsh(a)redhat.com
<mailto:dwalsh@redhat.com>> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 06/23/2011 06:29 AM, GSO wrote:
> This thread went offline, however to bring things back online, it
> appears at least the binary download (running on SL6) of Firefox 5
just
> released does not work in the sandbox either. The SELinux audit
> messages are:
>
> Jun 22 21:40:22 localhost kernel: SELinux: Permission audit_access in
> class dir not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux: Permission execmod in
class
> dir not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux: Permission audit_access in
> class lnk_file not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux: Permission open in class
> lnk_file not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux: Permission execmod in
class
> lnk_file not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux: Permission audit_access in
> class chr_file not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux: Permission audit_access in
> class blk_file not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux: Permission execmod in
class
> blk_file not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux: Permission audit_access in
> class sock_file not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux: Permission execmod in
class
> sock_file not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux: Permission audit_access in
> class fifo_file not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux: Permission execmod in
class
> fifo_file not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux: Permission syslog in class
> capability2 not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux: the above unknown
classes and
> permissions will be allowed
> Jun 22 21:40:24 localhost dbus: avc: received policyload notice
(seqno=5)
> Jun 22 21:40:24 localhost dbus: avc: received policyload notice
(seqno=5)
> Jun 22 21:40:24 localhost dbus: avc: received policyload notice
(seqno=5)
> Jun 22 21:40:24 localhost dbus: avc: received policyload notice
(seqno=5)
> Jun 22 21:40:24 localhost dbus: avc: received policyload notice
(seqno=5)
> Jun 22 21:40:24 localhost dbus: [system] Reloaded configuration
>
> The sandbox window starts up but crashes before any sign of FF
> materialises, works fine in permissive mode or unsandboxed otherwise.
> I've put the FF binaries in /opt.
>
> On 19 June 2011 17:53, Dominick Grift <domg472(a)gmail.com
<mailto:domg472@gmail.com>
> <mailto:domg472@gmail.com <mailto:domg472@gmail.com>>> wrote:
>
>
>
> On Sun, 2011-06-19 at 13:57 +0100, GSO wrote:
> > The default build using the google repos results in chromium
> grinding to a
> > halt with a black window when run in a sandbox. Is it
technically
> possible
> > to run chrome in a sandbox, would building from source fix
this at
> all?
>
> I do not think it will work since both sandbox an chrome use
namespace
> and chrome cant run if sandbox already runs in a namespace (or
something
> along those lines is my understanding if this issue)
>
> > --
> > selinux mailing list
> > selinux(a)lists.fedoraproject.org
<mailto:selinux@lists.fedoraproject.org>
> <mailto:selinux@lists.fedoraproject.org
<mailto:selinux@lists.fedoraproject.org>>
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
>
>
> --
> selinux mailing list
> selinux(a)lists.fedoraproject.org
<mailto:selinux@lists.fedoraproject.org>
> https://admin.fedoraproject.org/mailman/listinfo/selinux
I looked for firefox5 x86_64 and did not quickly find it, if you know
where there is a link, I will look into what is going on, otherwise I
will wait until Fedora Packages it. It does seem strange that you are
getting those
Permission audit_access in class sock_file not defined in policy.
errors, What OS are you using? What kernel?
That was Scientific Linux 6, I was also running Tor (through openvpn),
so that might have complicated matters. I had also been messing around
with Tor to get it to send all net traffic through tor, and the install
was tainted at that point (I never was able to get that to work, similar
SELInux audit errors to the above funnily enough). I had also built and
installed the latest kernel as I have to do to get my webcams working (2
cams I have do not work with the default RHEL6 kernel).
However I've just installed the Fedora security spin, should be an
untainted install (I am 'under attack' here!), Firefox 5 likewise
crashes, though with no SELinux audit messages in /var/log/messages as
far as I can see (just a few 'received policyload notice' lines).
Likewise chromium grinds to a halt at the usual black background, no
SELinux audit messages again, not even the 'policyload' notice ones
(assuming I've got it set up properly to report them).
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
Well I know Chrome does not run under the sandbox. On firefox5 try to
turn off dontaudit rules and see if it generates any AVC messages
# semodule -DB
sandbox -X -t sandbox_web_t -W metacity firefox5
# ausearch -m
avc -ts recent
# semodule -B
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk4EiYsACgkQrlYvE4MpobPiHQCeN8yaz5s1haT1OnwietbvFVAJ
Q6IAoIRkXxwPRVbQlR7J0phZAfm3prFS
=Pmm6
-----END PGP SIGNATURE-----
1:07 p.m.
On 24 June 2011 13:56, Daniel J Walsh <dwalsh(a)redhat.com> wrote:
....
Well I know Chrome does not run under the sandbox. On firefox5 try to
turn off dontaudit rules and see if it generates any AVC messages
# semodule -DB
> sandbox -X -t sandbox_web_t -W metacity firefox5
# ausearch -m avc -ts recent
# semodule -B
----
time->Fri Jun 24 19:03:01 2011
type=SYSCALL msg=audit(1308938581.872:1712): arch=40000003 syscall=11
success=yes exit=0 a0=22070780 a1=2e918708 a2=0 a3=0 items=0
ppid=11813 pid=11827 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts1 ses=1 comm="setfiles" exe="/sbin/setfiles"
subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1308938581.872:1712): avc: denied { noatsecure }
for pid=11827 comm="setfiles"
scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023
tclass=process
type=AVC msg=audit(1308938581.872:1712): avc: denied { siginh } for
pid=11827 comm="setfiles"
scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023
tclass=process
type=AVC msg=audit(1308938581.872:1712): avc: denied { rlimitinh }
for pid=11827 comm="setfiles"
scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023
tclass=process
----
time->Fri Jun 24 19:04:59 2011
type=SYSCALL msg=audit(1308938699.627:1714): arch=40000003 syscall=11
success=yes exit=0 a0=8b92188 a1=8b921a0 a2=8b93ba8 a3=8b921a0 items=0
ppid=11832 pid=11839 auid=500 uid=500 gid=500 euid=500 suid=500
fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="Xephyr"
exe="/usr/bin/Xephyr"
subj=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c396,c934
key=(null)
type=AVC msg=audit(1308938699.627:1714): avc: denied { noatsecure }
for pid=11839 comm="Xephyr"
scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934
tcontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c396,c934
tclass=process
type=AVC msg=audit(1308938699.627:1714): avc: denied { siginh } for
pid=11839 comm="Xephyr"
scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934
tcontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c396,c934
tclass=process
type=AVC msg=audit(1308938699.627:1714): avc: denied { rlimitinh }
for pid=11839 comm="Xephyr"
scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934
tcontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c396,c934
tclass=process
----
time->Fri Jun 24 19:05:00 2011
type=SYSCALL msg=audit(1308938700.103:1715): arch=40000003 syscall=11
success=yes exit=0 a0=8b93ef0 a1=8b92d90 a2=8b93db0 a3=8b92d90 items=0
ppid=11840 pid=11846 auid=500 uid=500 gid=500 euid=500 suid=500
fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="start"
exe="/usr/bin/python"
subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934
key=(null)
type=AVC msg=audit(1308938700.103:1715): avc: denied { noatsecure }
for pid=11846 comm="start"
scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934
tcontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934
tclass=process
type=AVC msg=audit(1308938700.103:1715): avc: denied { siginh } for
pid=11846 comm="start"
scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934
tcontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934
tclass=process
type=AVC msg=audit(1308938700.103:1715): avc: denied { rlimitinh }
for pid=11846 comm="start"
scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934
tcontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934
tclass=process
----
time->Fri Jun 24 19:04:59 2011
type=SYSCALL msg=audit(1308938699.592:1713): arch=40000003 syscall=11
success=yes exit=0 a0=bf99f5ed a1=bf99e7f4 a2=20a04f28 a3=0 items=0
ppid=11831 pid=11832 auid=500 uid=500 gid=500 euid=500 suid=500
fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1
comm="sandboxX.sh" exe="/bin/bash"
subj=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 key=(null)
type=AVC msg=audit(1308938699.592:1713): avc: denied { read write }
for pid=11832 comm="sandboxX.sh" path="/dev/pts/0" dev=devpts ino=3
scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934
tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1308938699.592:1713): avc: denied { read write }
for pid=11832 comm="sandboxX.sh" path="/dev/pts/0" dev=devpts ino=3
scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934
tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1308938699.592:1713): avc: denied { read write }
for pid=11832 comm="sandboxX.sh" path="/dev/pts/0" dev=devpts ino=3
scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934
tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
----
time->Fri Jun 24 19:05:00 2011
type=SYSCALL msg=audit(1308938700.685:1716): arch=40000003 syscall=5
success=no exit=-13 a0=71c252 a1=8000 a2=1b6 a3=0 items=0 ppid=11853
pid=11854 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500
egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="dbus-daemon"
exe="/bin/dbus-daemon"
subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934
key=(null)
type=AVC msg=audit(1308938700.685:1716): avc: denied { read } for
pid=11854 comm="dbus-daemon" name="config" dev=dm-2 ino=32330
scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934
tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
----
time->Fri Jun 24 19:05:00 2011
type=SYSCALL msg=audit(1308938700.693:1717): arch=40000003 syscall=11
success=no exit=-13 a0=bfde9f06 a1=8e2c058 a2=8e37ad8 a3=8e37ad8
items=0 ppid=11848 pid=11852 auid=500 uid=500 gid=500 euid=500
suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1
comm="dbus-launch" exe="/usr/bin/dbus-launch"
subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934
key=(null)
type=AVC msg=audit(1308938700.693:1717): avc: denied { execute } for
pid=11852 comm="dbus-launch" name="firefox" dev=dm-2 ino=263286
scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934
tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
3:16 p.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 06/24/2011 02:07 PM, GSO wrote:
On 24 June 2011 13:56, Daniel J Walsh <dwalsh(a)redhat.com
<mailto:dwalsh@redhat.com>> wrote:
....
Well I know Chrome does not run under the sandbox. On firefox5 try to
turn off dontaudit rules and see if it generates any AVC messages
# semodule -DB
> sandbox -X -t sandbox_web_t -W metacity firefox5
# ausearch -m avc -ts recent
# semodule -B
----
time->Fri Jun 24 19:03:01 2011
type=SYSCALL msg=audit(1308938581.872:1712): arch=40000003 syscall=11 success=yes exit=0
a0=22070780 a1=2e918708 a2=0 a3=0 items=0 ppid=11813 pid=11827 auid=500 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="setfiles"
exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023
key=(null)
type=AVC msg=audit(1308938581.872:1712): avc: denied { noatsecure } for pid=11827
comm="setfiles" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1308938581.872:1712): avc: denied { siginh } for pid=11827
comm="setfiles" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1308938581.872:1712): avc: denied { rlimitinh } for pid=11827
comm="setfiles" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
----
time->Fri Jun 24 19:04:59 2011
type=SYSCALL msg=audit(1308938699.627:1714): arch=40000003 syscall=11 success=yes exit=0
a0=8b92188 a1=8b921a0 a2=8b93ba8 a3=8b921a0 items=0 ppid=11832 pid=11839 auid=500 uid=500
gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1
comm="Xephyr" exe="/usr/bin/Xephyr"
subj=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c396,c934 key=(null)
type=AVC msg=audit(1308938699.627:1714): avc: denied { noatsecure } for pid=11839
comm="Xephyr" scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934
tcontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c396,c934 tclass=process
type=AVC msg=audit(1308938699.627:1714): avc: denied { siginh } for pid=11839
comm="Xephyr" scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934
tcontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c396,c934 tclass=process
type=AVC msg=audit(1308938699.627:1714): avc: denied { rlimitinh } for pid=11839
comm="Xephyr" scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934
tcontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c396,c934 tclass=process
----
time->Fri Jun 24 19:05:00 2011
type=SYSCALL msg=audit(1308938700.103:1715): arch=40000003 syscall=11 success=yes exit=0
a0=8b93ef0 a1=8b92d90 a2=8b93db0 a3=8b92d90 items=0 ppid=11840 pid=11846 auid=500 uid=500
gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1
comm="start" exe="/usr/bin/python"
subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 key=(null)
type=AVC msg=audit(1308938700.103:1715): avc: denied { noatsecure } for pid=11846
comm="start" scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934
tcontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 tclass=process
type=AVC msg=audit(1308938700.103:1715): avc: denied { siginh } for pid=11846
comm="start" scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934
tcontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 tclass=process
type=AVC msg=audit(1308938700.103:1715): avc: denied { rlimitinh } for pid=11846
comm="start" scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934
tcontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 tclass=process
----
time->Fri Jun 24 19:04:59 2011
type=SYSCALL msg=audit(1308938699.592:1713): arch=40000003 syscall=11 success=yes exit=0
a0=bf99f5ed a1=bf99e7f4 a2=20a04f28 a3=0 items=0 ppid=11831 pid=11832 auid=500 uid=500
gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1
comm="sandboxX.sh" exe="/bin/bash"
subj=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 key=(null)
type=AVC msg=audit(1308938699.592:1713): avc: denied { read write } for pid=11832
comm="sandboxX.sh" path="/dev/pts/0" dev=devpts ino=3
scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934
tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1308938699.592:1713): avc: denied { read write } for pid=11832
comm="sandboxX.sh" path="/dev/pts/0" dev=devpts ino=3
scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934
tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1308938699.592:1713): avc: denied { read write } for pid=11832
comm="sandboxX.sh" path="/dev/pts/0" dev=devpts ino=3
scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934
tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
----
time->Fri Jun 24 19:05:00 2011
type=SYSCALL msg=audit(1308938700.685:1716): arch=40000003 syscall=5 success=no exit=-13
a0=71c252 a1=8000 a2=1b6 a3=0 items=0 ppid=11853 pid=11854 auid=500 uid=500 gid=500
euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1
comm="dbus-daemon" exe="/bin/dbus-daemon"
subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 key=(null)
type=AVC msg=audit(1308938700.685:1716): avc: denied { read } for pid=11854
comm="dbus-daemon" name="config" dev=dm-2 ino=32330
scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934
tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
----
time->Fri Jun 24 19:05:00 2011
type=SYSCALL msg=audit(1308938700.693:1717): arch=40000003 syscall=11 success=no exit=-13
a0=bfde9f06 a1=8e2c058 a2=8e37ad8 a3=8e37ad8 items=0 ppid=11848 pid=11852 auid=500 uid=500
gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1
comm="dbus-launch" exe="/usr/bin/dbus-launch"
subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 key=(null)
type=AVC msg=audit(1308938700.693:1717): avc: denied { execute } for pid=11852
comm="dbus-launch" name="firefox" dev=dm-2 ino=263286
scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934
tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
chcon -t bin_t firefox
Is what it is complaining about.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk4E8KAACgkQrlYvE4MpobMoEwCgyliISRZ00ojoJwkWR/k2KdDa
Q+wAnR3qFAhPHOlNC1g2nrymTR2Ba7WC
=l9aW
-----END PGP SIGNATURE-----
4682
days inactive
4684
days old
selinux@lists.fedoraproject.org
4 comments
2 participants
participants (2)
-
Daniel J Walsh -
GSO