-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 06/24/2011 02:07 PM, GSO wrote:
On 24 June 2011 13:56, Daniel J Walsh <dwalsh(a)redhat.com
<mailto:dwalsh@redhat.com>> wrote:
....
Well, I know Chrome does not run under the sandbox. With firefox5, try turning off the
dontaudit rules and see whether it generates any AVC messages:
# semodule -DB
> sandbox -X -t sandbox_web_t -W metacity firefox5
# ausearch -m avc -ts recent
# semodule -B
----
time->Fri Jun 24 19:03:01 2011
type=SYSCALL msg=audit(1308938581.872:1712): arch=40000003 syscall=11 success=yes exit=0
a0=22070780 a1=2e918708 a2=0 a3=0 items=0 ppid=11813 pid=11827 auid=500 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="setfiles"
exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023
key=(null)
type=AVC msg=audit(1308938581.872:1712): avc: denied { noatsecure } for pid=11827
comm="setfiles" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1308938581.872:1712): avc: denied { siginh } for pid=11827
comm="setfiles" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1308938581.872:1712): avc: denied { rlimitinh } for pid=11827
comm="setfiles" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
----
time->Fri Jun 24 19:04:59 2011
type=SYSCALL msg=audit(1308938699.627:1714): arch=40000003 syscall=11 success=yes exit=0
a0=8b92188 a1=8b921a0 a2=8b93ba8 a3=8b921a0 items=0 ppid=11832 pid=11839 auid=500 uid=500
gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1
comm="Xephyr" exe="/usr/bin/Xephyr"
subj=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c396,c934 key=(null)
type=AVC msg=audit(1308938699.627:1714): avc: denied { noatsecure } for pid=11839
comm="Xephyr" scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934
tcontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c396,c934 tclass=process
type=AVC msg=audit(1308938699.627:1714): avc: denied { siginh } for pid=11839
comm="Xephyr" scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934
tcontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c396,c934 tclass=process
type=AVC msg=audit(1308938699.627:1714): avc: denied { rlimitinh } for pid=11839
comm="Xephyr" scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934
tcontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c396,c934 tclass=process
----
time->Fri Jun 24 19:05:00 2011
type=SYSCALL msg=audit(1308938700.103:1715): arch=40000003 syscall=11 success=yes exit=0
a0=8b93ef0 a1=8b92d90 a2=8b93db0 a3=8b92d90 items=0 ppid=11840 pid=11846 auid=500 uid=500
gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1
comm="start" exe="/usr/bin/python"
subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 key=(null)
type=AVC msg=audit(1308938700.103:1715): avc: denied { noatsecure } for pid=11846
comm="start" scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934
tcontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 tclass=process
type=AVC msg=audit(1308938700.103:1715): avc: denied { siginh } for pid=11846
comm="start" scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934
tcontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 tclass=process
type=AVC msg=audit(1308938700.103:1715): avc: denied { rlimitinh } for pid=11846
comm="start" scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934
tcontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 tclass=process
----
time->Fri Jun 24 19:04:59 2011
type=SYSCALL msg=audit(1308938699.592:1713): arch=40000003 syscall=11 success=yes exit=0
a0=bf99f5ed a1=bf99e7f4 a2=20a04f28 a3=0 items=0 ppid=11831 pid=11832 auid=500 uid=500
gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1
comm="sandboxX.sh" exe="/bin/bash"
subj=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 key=(null)
type=AVC msg=audit(1308938699.592:1713): avc: denied { read write } for pid=11832
comm="sandboxX.sh" path="/dev/pts/0" dev=devpts ino=3
scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934
tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1308938699.592:1713): avc: denied { read write } for pid=11832
comm="sandboxX.sh" path="/dev/pts/0" dev=devpts ino=3
scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934
tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1308938699.592:1713): avc: denied { read write } for pid=11832
comm="sandboxX.sh" path="/dev/pts/0" dev=devpts ino=3
scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934
tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
----
time->Fri Jun 24 19:05:00 2011
type=SYSCALL msg=audit(1308938700.685:1716): arch=40000003 syscall=5 success=no exit=-13
a0=71c252 a1=8000 a2=1b6 a3=0 items=0 ppid=11853 pid=11854 auid=500 uid=500 gid=500
euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1
comm="dbus-daemon" exe="/bin/dbus-daemon"
subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 key=(null)
type=AVC msg=audit(1308938700.685:1716): avc: denied { read } for pid=11854
comm="dbus-daemon" name="config" dev=dm-2 ino=32330
scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934
tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
----
time->Fri Jun 24 19:05:00 2011
type=SYSCALL msg=audit(1308938700.693:1717): arch=40000003 syscall=11 success=no exit=-13
a0=bfde9f06 a1=8e2c058 a2=8e37ad8 a3=8e37ad8 items=0 ppid=11848 pid=11852 auid=500 uid=500
gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1
comm="dbus-launch" exe="/usr/bin/dbus-launch"
subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 key=(null)
type=AVC msg=audit(1308938700.693:1717): avc: denied { execute } for pid=11852
comm="dbus-launch" name="firefox" dev=dm-2 ino=263286
scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934
tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
The execute denial on the firefox file (labeled usr_t in the last AVC above) is what it is complaining about; relabel the binary:
chcon -t bin_t firefox
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora -
http://enigmail.mozdev.org/
iEYEARECAAYFAk4E8KAACgkQrlYvE4MpobMoEwCgyliISRZ00ojoJwkWR/k2KdDa
Q+wAnR3qFAhPHOlNC1g2nrymTR2Ba7WC
=l9aW
-----END PGP SIGNATURE-----