libcap-ng 0.7.4-1 reached F19 -> now sandboxes are also broken in F19

Daniel J Walsh dwalsh at redhat.com
Tue Aug 5 12:37:00 UTC 2014


On 08/02/2014 05:57 AM, Robert Horovitz wrote:
>> Why is libcap-ng not postponed until #1103622 is fixed? (which probably
>> won't be tomorrow)
>>
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1103622
>
> Over a month later sandboxes are still broken.
>
> Will this be fixed sometime this year or is the SELinux sandbox feature
> dead for real?
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
There is a change to the kernel that is making its way upstream that
should allow us to fix the feature.

Basically right now, a file to libaudit forces us to turn off the
ability for the sandboxed apps to run setuid programs; this also causes
the kernel to prevent SELinux from execute/transition.  We have a patch
to the kernel that will allow processes to execute/transition to a
different domain even if setuid is blocked, IFF the app is allowed to
transition internally.

Once this is enabled we can change the policy to allow transitioning to
work again.
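An added example, not code from the thread or from libcap-ng: it assumes the "setuid blocked" state described above is the kernel's no_new_privs bit, and shows how a sandbox helper sets it with prctl(2) and how an administrator can read it back from /proc/<pid>/status to confirm why a transition is being refused. The status text parsed at the end is a constructed sample.

```c
#include <stdio.h>
#include <string.h>
#include <errno.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif
#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38   /* stable value since Linux 3.5 */
#endif

/* Parse the "NoNewPrivs:" line out of /proc/<pid>/status text.
 * Returns 1 if the bit is set, 0 if clear, -1 if the line is absent. */
int nnp_from_status(const char *status_text)
{
    const char *key = "NoNewPrivs:";
    const char *p = status_text;
    while (p && *p) {
        if (strncmp(p, key, strlen(key)) == 0) {
            p += strlen(key);
            while (*p == ' ' || *p == '\t') p++;
            return (*p == '1') ? 1 : 0;
        }
        p = strchr(p, '\n');
        if (p) p++;                /* advance to the next line */
    }
    return -1;
}

/* Read the calling process's own bit; -1 if procfs is unavailable. */
int read_self_nnp(void)
{
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return nnp_from_status(buf);
}

/* Set the bit as a sandbox helper would (assumed to match what the message
 * calls blocking setuid). It is inherited by all children and can never be
 * cleared, so later execs cannot gain privilege. Returns 0 on success. */
int set_no_new_privs(void)
{
#ifdef __linux__
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
#else
    errno = ENOSYS;
    return -1;
#endif
}

/* Constructed sample of a status file, used for the offline parser check. */
static const char SAMPLE_STATUS[] =
    "Name:\tsandbox\nPid:\t1234\nSeccomp:\t0\nNoNewPrivs:\t1\nCpus_allowed:\tff\n";
```

Run on a sandboxed process whose domain transition fails; a NoNewPrivs value of 1 in its status file is the condition the kernel patch described above is meant to make compatible with SELinux transitions.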
