redirect stdout and stderr to different file under sandboxing in linux

Bhuvan Gupta bhuvangu at gmail.com
Thu May 28 17:48:05 UTC 2015


Running the following command gives the AVC below:
>>> sandbox ./a.out 2>err

SELinux is preventing /a.out from write access on the file .

*****  Plugin leaks (86.2 confidence) suggests
*****************************

If you want to ignore a.out trying to write access the  file, because you
believe it should not need this access.
Then you should report this as a bug.
You can generate a local policy module to dontaudit this access.
Do
# grep /a.out /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

*****  Plugin catchall (14.7 confidence) suggests
**************************

If you believe that a.out should be allowed write access on the  file by
default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep a.out /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:sandbox_t:s0:c296,c597
Target Context                unconfined_u:object_r:etc_runtime_t:s0
Target Objects                 [ file ]
Source                        a.out
Source Path                   /a.out
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-23.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.10.0-121.el7.x86_64 #1 SMP Tue Apr 8 10:48:19 EDT 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2015-05-28 23:11:59 IST
Last Seen                     2015-05-28 23:11:59 IST
Local ID                      cd5a2639-5a52-4b0f-95e1-bf3d3c965dd4

Raw Audit Messages
type=AVC msg=audit(1432834919.99:391): avc:  denied  { write } for pid=2626 comm="a.out" path="/err" dev="dm-0" ino=736779 scontext=unconfined_u:unconfined_r:sandbox_t:s0:c296,c597 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file


type=SYSCALL msg=audit(1432834919.99:391): arch=x86_64 syscall=execve success=yes exit=0 a0=330a3f0 a1=330eaa0 a2=7fff6a67fe50 a3=7fff6a67e840 items=0 ppid=2625 pid=2626 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=a.out exe=/a.out subj=unconfined_u:unconfined_r:sandbox_t:s0:c296,c597 key=(null)

Hash: a.out,sandbox_t,etc_runtime_t,file,write


Thanks
Bhuvan
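
As an added example (not part of the thread and not any poster's code), here is a small parser for AVC records like the one quoted above, run over constructed one-line copies of the two audit lines. It pulls out the source and target types, the permission and the object, which is what you need to read the denial: sandbox_t was refused write on the shell-created /err file (labeled etc_runtime_t), and the pairing with syscall=execve shows the check fired at the domain transition, when SELinux revalidates the file descriptors the process inherited, not at the program's own write. It assumes only the Python standard library.

```python
import re

# Constructed one-line copies (the SYSCALL one shortened) of the two
# audit records quoted above; the mail client had wrapped them.
SAMPLE_AVC = (
    'type=AVC msg=audit(1432834919.99:391): avc:  denied  { write } for '
    'pid=2626 comm="a.out" path="/err" dev="dm-0" ino=736779 '
    'scontext=unconfined_u:unconfined_r:sandbox_t:s0:c296,c597 '
    'tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file'
)
SAMPLE_SYSCALL = ('type=SYSCALL msg=audit(1432834919.99:391): arch=x86_64 '
                  'syscall=execve success=yes exit=0 pid=2626 comm=a.out '
                  'exe=/a.out subj=unconfined_u:unconfined_r:sandbox_t:s0:c296,c597')
SAMPLE_LOG = [SAMPLE_AVC, SAMPLE_SYSCALL]

AVC_RE = re.compile(r'avc:\s+(?P<decision>denied|granted)\s+'
                    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_avc(line):
    """Parse one AVC record into a dict; None for any other record type."""
    if not line.startswith('type=AVC '):
        return None
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: q if q else u for k, q, u in FIELD_RE.findall(m.group('rest'))}
    # A context is user:role:type[:level]; policy rules key on the type.
    return {
        'decision': m.group('decision'),
        'perms': m.group('perms').split(),
        'path': fields.get('path'),
        'tclass': fields.get('tclass'),
        'stype': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
    }

def summarize(rec):
    """One line: which domain was refused what on which object."""
    return '%s %s %s on %s %s (%s)' % (rec['stype'], rec['decision'],
                                       ','.join(rec['perms']), rec['tclass'],
                                       rec['path'], rec['ttype'])

def denials_for_domain(lines, domain):
    """Denied AVC records whose source type (the process domain) matches."""
    recs = (parse_avc(line) for line in lines)
    return [r for r in recs
            if r and r['decision'] == 'denied' and r['stype'] == domain]
```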


On Thu, May 28, 2015 at 3:53 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:

>  What AVCs are you seeing?
>
> audit2allow -la
>
>
> On 05/23/2015 07:19 AM, Bhuvan Gupta wrote:
>
> MORE INFO
>
> Content of Test.cpp:
>
> #include <stdio.h>
> int main(void) {
>   fprintf(stderr, "error\n");
>   return 0;
> }
>
> Compile it, and now
> ./a.out
> prints error to console
>
> ./a.out 2> err
> prints to err file
>
> sandbox ./a.out 2>err
> nothing gets printed on console or in err file.
> Is sandbox eating it up?
>
> Thanks
> Bhuvan
>
>
>
>
> On Sat, May 23, 2015 at 4:02 PM, Bhuvan Gupta <bhuvangu at gmail.com> wrote:
>
>> EXTRA INFO:
>>
>> Even if I run
>> sandbox ./a.out
>>
>> even then it doesn't print the floating point error on console.
>>
>> On Sat, May 23, 2015 at 3:40 PM, Bhuvan Gupta <bhuvangu at gmail.com> wrote:
>>
>>> Hello All,
>>>
>>> I have a Test.cpp which is run under sandbox (RHEL7):
>>>
>>> Test.cpp content:
>>> #include <stdio.h>
>>> int main(void) {
>>>   int a = 1/0;
>>>   return 0;
>>> }
>>>
>>> Compile it using gcc (4.8) Test.cpp, which produces the a.out.
>>> Now running a.out prints "floating point exception" on console.
>>>
>>> Now I thought that if I redirect stderr to a file, I expect the error
>>> to be printed in the file.
>>> But that is not the case; it still continues to print in console.
>>> Googling reveals that under such an exception the program is terminated
>>> immediately, and if you capture the stderr of bash then it should redirect.
>>> So I run
>>> su -c ./a.out 2>err
>>> Bingo, error gets printed in err file.
>>>
>>> Now the MAIN GAME STARTS
>>> I want to run it under sandbox,
>>> so I run:
>>> su -c 'sandbox ./a.out 1>out 2>err'
>>> But there is nothing printed in err file or in console.
>>>
>>> How to capture stdout and stderr under such a situation?
>>>
>>>
>>> Thanks
>>> Bhuvan
>>>
>>
>>
>
>