Flash plugin 0-day vulnerability in the wild

Andrew Lutomirski luto at mit.edu
Fri Jan 23 16:44:03 UTC 2015


On Fri, Jan 23, 2015 at 8:18 AM, Matthias Runge
<mrunge at matthias-runge.de> wrote:
> On 23/01/15 16:59, Andrew Lutomirski wrote:
>
>>>
>>> sandbox -X will also add more protection.
>>
>> Unless I'm mistaken, sandbox -X hasn't worked in almost a year.
>>
> I gave it a try;
>
> sandbox -X
> /usr/bin/sandbox:
> /usr/sbin/seunshare is required for the action you want to perform.
>
>
> Sadly, a naive (and not so naive) dnf repoquery, repoquery and yum
> search did not show the right dep.
>
> Wild guessing solved it for me:
> dnf install policycoreutils-sandbox
>
> And it works (for me) now.
>

I'm confused.  I thought that
https://bugzilla.redhat.com/show_bug.cgi?id=1103622 affected everyone.
For me:

$ sandbox echo true
true

$ sandbox -X xterm
[nothing happens]

My logs end up full of:

[149118.893566] audit: type=1400 audit(1422030456.097:40): avc:  denied  { connectto } for  pid=18971 comm="Xephyr" path=002F746D702F2E5831312D756E69782F5830 scontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c87,c567 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
[149123.720019] audit: type=1400 audit(1422030460.929:41): avc:  denied  { connectto } for  pid=18995 comm="Xephyr" path=002F746D702F2E5831312D756E69782F5830 scontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c87,c567 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0

This is true even on 3.18 kernels, which have "selinux: Permit bounded
transitions under NO_NEW_PRIVS or NOSUID.", which was intended to give
the selinux policy an extra way out of the mess that caused this
problem in the first place.

--Andy
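The AVC records Andy pasted are the kind of thing a triage script should be able to read: the `path=` value is not a literal path but the kernel's hex encoding of a string containing a NUL byte, and the source/target types buried in the full contexts are what any policy decision is actually made against. The following parser is an added example written for this post; it is not part of Andy's message, of the Fedora sandbox tooling, or of audit2allow. It takes the two records above (re-joined onto one line each, as the kernel emits them) as constructed sample input, decodes the hex-encoded fields, extracts the source and target types, and groups denials the way audit2allow would before proposing a rule.

```python
import re
from collections import Counter

# Constructed sample input: the two AVC denial records quoted in the message
# above, each re-joined onto a single line (audit records are one line each).
SAMPLE_AUDIT_LOG = """\
[149118.893566] audit: type=1400 audit(1422030456.097:40): avc:  denied  { connectto } for  pid=18971 comm="Xephyr" path=002F746D702F2E5831312D756E69782F5830 scontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c87,c567 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
[149123.720019] audit: type=1400 audit(1422030460.929:41): avc:  denied  { connectto } for  pid=18995 comm="Xephyr" path=002F746D702F2E5831312D756E69782F5830 scontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c77,c197 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
"""

# "avc:  denied  { perm1 perm2 } for  key=value ..." (also matches "granted")
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs: a quoted value is literal, an unquoted one may be hex-encoded
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# String-valued fields the audit subsystem hex-encodes when the value holds a
# NUL, a double quote or other non-printable bytes.
HEX_ENCODED_FIELDS = {"path", "name", "comm", "exe", "cwd", "proctitle"}
HEX_RE = re.compile(r'^(?:[0-9A-F]{2})+$')


def decode_audit_string(value: str, quoted: bool) -> str:
    """Turn a hex-encoded audit string back into text.

    A leading NUL marks a Linux abstract-namespace unix socket; render it with
    the '@' prefix that ss(8) and lsof(8) use, so '002F746D70...' becomes
    '@/tmp/.X11-unix/X0' (the X server's abstract listening socket).
    """
    if quoted or not HEX_RE.match(value):
        return value
    text = bytes.fromhex(value).decode("utf-8", errors="replace")
    return "@" + text[1:] if text.startswith("\x00") else text


def context_type(ctx: str) -> str:
    """Return the type component of user:role:type[:range]."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ""


def parse_avc(line: str):
    """Parse one AVC record into a dict, or return None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, quoted_val, bare_val in FIELD_RE.findall(m.group("rest")):
        quoted = bool(quoted_val)
        raw = quoted_val if quoted else bare_val
        fields[key] = decode_audit_string(raw, quoted) if key in HEX_ENCODED_FIELDS else raw
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "source_type": context_type(fields.get("scontext", "")),
        "target_type": context_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass"),
        # permissive=1 means the access was logged but not actually blocked
        "permissive": fields.get("permissive") == "1",
        "fields": fields,
    }


def summarize_denials(log_text: str) -> Counter:
    """Count (source_type, target_type, tclass, perm) tuples among denials.

    This is the grouping audit2allow works from; the MLS categories (c87,c567
    vs c77,c197) differ per sandbox run and are deliberately not part of it.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(rec["source_type"], rec["target_type"], rec["tclass"], perm)] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_AUDIT_LOG.splitlines():
        rec = parse_avc(line)
        print(rec["fields"]["comm"], rec["perms"], rec["fields"]["path"],
              "enforced" if not rec["permissive"] else "permissive")
    for (src, tgt, cls, perm), n in summarize_denials(SAMPLE_AUDIT_LOG).items():
        print(f"{n}x  {src} -> {tgt} : {cls} {{ {perm} }}")
```

Decoding the path is the useful part for triage: it shows Xephyr was refused a connection to the host X server's abstract socket, not to a file on disk, which is consistent with the `unix_stream_socket` class and explains why no filesystem label is involved. Whether that denial should be allowed is a policy question the grouping helps frame but does not answer.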

