X sandbox still broken in Fedora 20

Florian Weimer fweimer at redhat.com
Mon Jun 9 10:49:04 UTC 2014


Running "sandbox -X -t sandbox_web_t xterm", I get these audit entries, 
and the command exits without printing anything:

type=AVC msg=audit(1402310641.114:1228): avc:  denied  { connectto } for  pid=19943 comm="Xephyr" path=002F746D702F2E5831312D756E69782F5830 scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c38,c325 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=SYSCALL msg=audit(1402310641.114:1228): arch=c000003e syscall=42 success=no exit=-13 a0=0 a1=7fffa6343c70 a2=14 a3=7fffa63439d0 items=0 ppid=19934 pid=19943 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="Xephyr" exe="/usr/bin/Xephyr" subj=unconfined_u:unconfined_r:sandbox_web_t:s0:c38,c325 key=(null)

Relevant package versions:

libcap-ng-0.7.4-1.fc20.x86_64
policycoreutils-python-2.2.5-4.fc20.x86_64
selinux-policy-targeted-3.12.1-166.fc20.noarch

Downgrading to libcap-ng-0.7.3-6.fc20.x86_64 fixes this for me.

Does anybody else see this?  If not, what might be causing this problem?

-- 
Florian Weimer / Red Hat Product Security Team
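
Added example, not part of the original message: a small Python decoder for the AVC/SYSCALL pair quoted above, showing which socket the hex-encoded path= names and what the denied syscall was. The function names and the one-entry syscall table are assumptions made for this illustration; the records are the ones from the message, with the uid/gid fields of the SYSCALL record left out.

```python
import errno
import re

# Records from the message above (SYSCALL uid/gid fields omitted).
AVC = ('type=AVC msg=audit(1402310641.114:1228): avc:  denied  { connectto } for  '
       'pid=19943 comm="Xephyr" path=002F746D702F2E5831312D756E69782F5830 '
       'scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c38,c325 '
       'tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 '
       'tclass=unix_stream_socket')
SYSCALL = ('type=SYSCALL msg=audit(1402310641.114:1228): arch=c000003e syscall=42 '
           'success=no exit=-13 a0=0 a1=7fffa6343c70 a2=14 a3=7fffa63439d0 '
           'comm="Xephyr" exe="/usr/bin/Xephyr"')

X86_64 = "c000003e"          # AUDIT_ARCH_X86_64
SYSCALLS = {42: "connect"}   # only the x86_64 number seen in this record

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def fields(record):
    """Return the key=value pairs of one audit record, values left raw."""
    return dict(FIELD.findall(record))

def decode(value):
    """Decode a string field: quoted means literal, bare hex means encoded."""
    if value.startswith('"'):
        return value.strip('"')
    if re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', value):
        raw = bytes.fromhex(value)
        # A leading NUL byte marks an abstract-namespace unix socket ('@').
        prefix, raw = ('@', raw[1:]) if raw[:1] == b'\0' else ('', raw)
        return prefix + raw.decode('utf-8', 'replace')
    return value

def summarize(avc, syscall):
    """Combine the two records of one audit event into a readable dict."""
    a, s = fields(avc), fields(syscall)
    nr = int(s['syscall'])
    return {
        'permission': re.search(r'\{ ([^}]+) \}', avc).group(1).split(),
        'tclass': a['tclass'],
        'source_type': a['scontext'].split(':')[2],
        'target_type': a['tcontext'].split(':')[2],
        'path': decode(a['path']),
        'syscall': SYSCALLS.get(nr, str(nr)) if s['arch'] == X86_64 else str(nr),
        'errno': errno.errorcode.get(-int(s['exit'])),
    }

if __name__ == "__main__":
    for key, value in summarize(AVC, SYSCALL).items():
        print(f"{key:12} {value}")
```

ausearch -i performs the same interpretation on a live system.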

