redirect stdout and stderr to different file under sandboxing in linux

Daniel J Walsh dwalsh at redhat.com
Thu May 28 18:48:46 UTC 2015


Try

semodule -e sandbox

We disable sandbox policy by default.


On 05/28/2015 01:48 PM, Bhuvan Gupta wrote:
> Running the following command gives the below AVC
> >>>sandbox ./a.out 2>err
>
> SELinux is preventing /a.out from write access on the file .
>
> *****  Plugin leaks (86.2 confidence) suggests  
> *****************************
>
> If you want to ignore a.out trying to write access the  file, because
> you believe it should not need this access.
> Then you should report this as a bug.  
> You can generate a local policy module to dontaudit this access.
> Do
> # grep /a.out /var/log/audit/audit.log | audit2allow -D -M mypol
> # semodule -i mypol.pp
>
> *****  Plugin catchall (14.7 confidence) suggests  
> **************************
>
> If you believe that a.out should be allowed write access on the  file
> by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # grep a.out /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
> Additional Information:
> Source Context                unconfined_u:unconfined_r:sandbox_t:s0:c296,c597
> Target Context                unconfined_u:object_r:etc_runtime_t:s0
> Target Objects                 [ file ]
> Source                        a.out
> Source Path                   /a.out
> Port                          <Unknown>
> Host                          localhost.localdomain
> Source RPM Packages           
> Target RPM Packages           
> Policy RPM                    selinux-policy-3.13.1-23.el7.noarch
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Host Name                     localhost.localdomain
> Platform                      Linux localhost.localdomain 3.10.0-121.el7.x86_64 #1 SMP Tue Apr 8 10:48:19 EDT 2014 x86_64 x86_64
> Alert Count                   1
> First Seen                    2015-05-28 23:11:59 IST
> Last Seen                     2015-05-28 23:11:59 IST
> Local ID                      cd5a2639-5a52-4b0f-95e1-bf3d3c965dd4
>
> Raw Audit Messages
> type=AVC msg=audit(1432834919.99:391): avc:  denied  { write } for pid=2626 comm="a.out" path="/err" dev="dm-0" ino=736779 scontext=unconfined_u:unconfined_r:sandbox_t:s0:c296,c597 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file
>
>
> type=SYSCALL msg=audit(1432834919.99:391): arch=x86_64 syscall=execve
> success=yes exit=0 a0=330a3f0 a1=330eaa0 a2=7fff6a67fe50
> a3=7fff6a67e840 items=0 ppid=2625 pid=2626 auid=0 uid=0 gid=0 euid=0
> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=a.out
> exe=/a.out subj=unconfined_u:unconfined_r:sandbox_t:s0:c296,c597
> key=(null)
>
> Hash: a.out,sandbox_t,etc_runtime_t,file,write
>
>
> Thanks
> Bhuvan
>
>
> On Thu, May 28, 2015 at 3:53 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>
>     What AVC's are you seeing?
>
>     audit2allow -la
>
>
>     On 05/23/2015 07:19 AM, Bhuvan Gupta wrote:
>>     MORE INFO
>>
>>     content of Test.cpp
>>     #include <stdio.h>
>>     int main(void) {
>>       fprintf(stderr, "error\n");
>>       return 0;
>>     }
>>
>>     compile it and now
>>     ./a.out
>>     prints error to console
>>
>>     ./a.out 2> err
>>     prints to err file
>>
>>     sandbox ./a.out 2>err
>>     nothing gets printed on console or in err file.
>>     Is sandbox eating it up?
>>
>>     Thanks
>>     Bhuvan
>>
>>
>>
>>
>>     On Sat, May 23, 2015 at 4:02 PM, Bhuvan Gupta <bhuvangu at gmail.com> wrote:
>>
>>         EXTRA INFO:
>>
>>         even if I run
>>         sandbox ./a.out
>>
>>         Even then it doesn't print the floating point error on console
>>
>>         On Sat, May 23, 2015 at 3:40 PM, Bhuvan Gupta <bhuvangu at gmail.com> wrote:
>>
>>             Hello All,
>>
>>             I have a Test.cpp which is run under sandbox (RHEL7):
>>
>>             Test.cpp content:
>>             #include <stdio.h>
>>             int main(void) {
>>               int a = 1/0;   /* deliberate divide by zero, raises SIGFPE at run time */
>>               return 0;
>>             }
>>
>>             compile it using gcc(4.8) Test.cpp which produces the a.out
>>             Now running a.out prints floating point exception on
>>             console
>>
>>             Now I thought that if I redirect stderr to a file, I
>>             expect the error to be printed in file.
>>             But that is not the case, it still continues to print in
>>             console.
>>             Googling reveals that under such exception the program is
>>             terminated immediately and if you capture the stderr of
>>             bash then it should redirect.
>>             So I run
>>             su -c ./a.out 2>err
>>             Bingo, error gets printed in err file.
>>
>>             Now the MAIN GAME STARTS
>>             I want to run it under sandbox
>>             so I run:
>>             su -c 'sandbox ./a.out 1>out 2>err'
>>             But there is nothing printed in err file or in console.
>>
>>             How to capture stdout and stderr under such situation?
>>
>>
>>             Thanks
>>             Bhuvan
>>
>>
>>
>>
>>
>>     --
>>     selinux mailing list
>>     selinux at lists.fedoraproject.org
>>     https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
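As an added example (not from the thread), a small Python helper that parses a raw AVC record such as the one quoted above into the fields a triager looks at, and rebuilds from them the setroubleshoot signature ("Hash:" line) and the audit2allow-style rule; the sample record is the thread's own audit.log line, re-joined onto one line.

```python
import re

# Raw AVC record copied from the thread (the quoted audit.log line, re-joined on one line).
SAMPLE_AVC = (
    'type=AVC msg=audit(1432834919.99:391): avc:  denied  { write } for '
    'pid=2626 comm="a.out" path="/err" dev="dm-0" ino=736779 '
    'scontext=unconfined_u:unconfined_r:sandbox_t:s0:c296,c597 '
    'tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file'
)

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<action>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Turn one raw AVC record into a dict of its useful fields; None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    # A context is user:role:type[:range]; policy rules are written against the type,
    # and the range carries the MCS categories sandbox uses to isolate each instance.
    src = fields.get('scontext', '').split(':')
    tgt = fields.get('tcontext', '').split(':')
    return {
        'action': m.group('action'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'path': fields.get('path'),
        'source_type': src[2] if len(src) > 2 else None,
        'source_range': ':'.join(src[3:]) if len(src) > 3 else None,
        'target_type': tgt[2] if len(tgt) > 2 else None,
        'tclass': fields.get('tclass'),
    }


def triage(avc):
    """Summarise a denial: the rule audit2allow would emit, the setroubleshoot
    signature, and whether the source domain is the sandbox domain."""
    if avc is None or avc['action'] != 'denied':
        return None
    perms = avc['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return {
        'rule': f"allow {avc['source_type']} {avc['target_type']}:{avc['tclass']} {perm_str};",
        'signature': ','.join([avc['comm'], avc['source_type'], avc['target_type'],
                               avc['tclass'], ' '.join(perms)]),
        'sandboxed': avc['source_type'] == 'sandbox_t',
    }
```

Run against the thread's line, this reports a sandbox_t process writing to an etc_runtime_t file at /err, which is the information needed to decide between enabling the sandbox module and relabelling or relocating the redirect target.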
