redirect stdout and stderr to different file under sandboxing in linux
Daniel J Walsh
dwalsh at redhat.com
Thu May 28 20:12:46 UTC 2015
Are you doing this via an init script and creating content in /etc? or /?
Try to create the content in /tmp
Or precreate the content with a label other than etc_runtime_t.
On 05/28/2015 03:13 PM, Bhuvan Gupta wrote:
> Yep, did that, no change in behaviour.
>
> On Fri, May 29, 2015 at 12:18 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>
> Try
>
> semodule -e sandbox
>
> We disable sandbox policy by default.
>
> On 05/28/2015 01:48 PM, Bhuvan Gupta wrote:
>> Running the following command gives the below AVC
>> >>>sandbox ./a.out 2>err
>>
>> SELinux is preventing /a.out from write access on the file .
>>
>> ***** Plugin leaks (86.2 confidence) suggests *****************************
>>
>> If you want to ignore a.out trying to write access the file,
>> because you believe it should not need this access.
>> Then you should report this as a bug.
>> You can generate a local policy module to dontaudit this access.
>> Do
>> # grep /a.out /var/log/audit/audit.log | audit2allow -D -M mypol
>> # semodule -i mypol.pp
>>
>> ***** Plugin catchall (14.7 confidence) suggests **************************
>>
>> If you believe that a.out should be allowed write access on the
>> file by default.
>> Then you should report this as a bug.
>> You can generate a local policy module to allow this access.
>> Do
>> allow this access for now by executing:
>> # grep a.out /var/log/audit/audit.log | audit2allow -M mypol
>> # semodule -i mypol.pp
>>
>> Additional Information:
>> Source Context
>> unconfined_u:unconfined_r:sandbox_t:s0:c296,c597
>> Target Context unconfined_u:object_r:etc_runtime_t:s0
>> Target Objects [ file ]
>> Source a.out
>> Source Path /a.out
>> Port <Unknown>
>> Host localhost.localdomain
>> Source RPM Packages
>> Target RPM Packages
>> Policy RPM selinux-policy-3.13.1-23.el7.noarch
>> Selinux Enabled True
>> Policy Type targeted
>> Enforcing Mode Enforcing
>> Host Name localhost.localdomain
>> Platform Linux localhost.localdomain
>> 3.10.0-121.el7.x86_64
>> #1 SMP Tue Apr 8 10:48:19 EDT 2014
>> x86_64 x86_64
>> Alert Count 1
>> First Seen 2015-05-28 23:11:59 IST
>> Last Seen 2015-05-28 23:11:59 IST
>> Local ID cd5a2639-5a52-4b0f-95e1-bf3d3c965dd4
>>
>> Raw Audit Messages
>> type=AVC msg=audit(1432834919.99:391): avc: denied { write }
>> for pid=2626 comm="a.out" path="/err" dev="dm-0" ino=736779
>> scontext=unconfined_u:unconfined_r:sandbox_t:s0:c296,c597
>> tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file
>>
>> type=SYSCALL msg=audit(1432834919.99:391): arch=x86_64
>> syscall=execve success=yes exit=0 a0=330a3f0 a1=330eaa0
>> a2=7fff6a67fe50 a3=7fff6a67e840 items=0 ppid=2625 pid=2626 auid=0
>> uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0
>> ses=1 comm=a.out exe=/a.out
>> subj=unconfined_u:unconfined_r:sandbox_t:s0:c296,c597 key=(null)
>>
>> Hash: a.out,sandbox_t,etc_runtime_t,file,write
>>
>> Thanks
>> Bhuvan
>>
>> On Thu, May 28, 2015 at 3:53 PM, Daniel J Walsh
>> <dwalsh at redhat.com> wrote:
>>
>> What AVC's are you seeing?
>>
>> audit2allow -la
>>
>> On 05/23/2015 07:19 AM, Bhuvan Gupta wrote:
>>> MORE INFO
>>>
>>> content of Test.cpp
>>> #include <stdio.h>
>>> int main(void) {
>>>     fprintf(stderr, "error\n");   /* write one line to stderr */
>>>     return 0;
>>> }
>>>
>>> compile it and now
>>> ./a.out
>>> prints error to console
>>>
>>> ./a.out 2> err
>>> prints to err file
>>>
>>> sandbox ./a.out 2>err
>>> nothing gets printed on console or in err file.
>>> Is sandbox eating it up?
>>>
>>> Thanks
>>> Bhuvan
>>>
>>> On Sat, May 23, 2015 at 4:02 PM, Bhuvan Gupta
>>> <bhuvangu at gmail.com> wrote:
>>>
>>> EXTRA INFO:
>>>
>>> even if I run
>>> sandbox ./a.out
>>>
>>> Even then it doesn't print floating point error on console
>>>
>>> On Sat, May 23, 2015 at 3:40 PM, Bhuvan Gupta
>>> <bhuvangu at gmail.com> wrote:
>>>
>>> Hello All,
>>>
>>> I have a Test.cpp which is run under sandbox (RHEL7):
>>>
>>> Test.cpp content:
>>> #include <stdio.h>
>>> int main(void) {
>>>     int a = 1/0;   /* integer division by zero: the process dies with SIGFPE */
>>>     return 0;
>>> }
>>>
>>> compile it using gcc (4.8) Test.cpp which produces
>>> the a.out
>>> Now running a.out prints floating point exception
>>> on console
>>>
>>> Now I thought that if I redirect stderr to a file, I
>>> expect the error to be printed in the file.
>>> But that is not the case; it still continues to print
>>> in console.
>>> Googling reveals that under such an exception the
>>> program is terminated immediately and if you capture
>>> the stderr of bash then it should redirect.
>>> So I run
>>> su -c ./a.out 2>err
>>> Bingo, error gets printed in err file.
>>>
>>> Now the MAIN GAME STARTS
>>> I want to run it under sandbox
>>> so I run:
>>> su -c 'sandbox ./a.out 1>out 2>err'
>>> But there is nothing printed in err file or in console.
>>>
>>> How to capture stdout and stderr in such a situation?
>>>
>>>
>>> Thanks
>>> Bhuvan
>>>
>>> --
>>> selinux mailing list
>>> selinux at lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
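Added example, not part of the thread and not Red Hat's or the selinux-policy project's code: a small parser for raw `type=AVC` audit lines like the one quoted above. It pulls out the source and target SELinux types, the object class and the denied permission, and rebuilds the `Hash:` signature that setroubleshoot printed in the report (comm, source type, target type, class, permission), so a defender can see at a glance why the redirect target `/err` was refused: a `sandbox_t` process tried to write a file that inherited the `etc_runtime_t` label from `/`, which is the mismatch Daniel's suggestion (create the file in /tmp, or precreate it with a different label) removes. The sample AVC line is the one from the thread joined onto one line; the SYSCALL line is also from the thread and is used only to show that non-AVC records are skipped.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample records, taken from the thread above and joined onto single lines.
SAMPLE_AVC = (
    'type=AVC msg=audit(1432834919.99:391): avc: denied { write } '
    'for pid=2626 comm="a.out" path="/err" dev="dm-0" ino=736779 '
    'scontext=unconfined_u:unconfined_r:sandbox_t:s0:c296,c597 '
    'tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file'
)
SAMPLE_SYSCALL = (
    'type=SYSCALL msg=audit(1432834919.99:391): arch=x86_64 syscall=execve '
    'success=yes exit=0 pid=2626 comm=a.out exe=/a.out '
    'subj=unconfined_u:unconfined_r:sandbox_t:s0:c296,c597 key=(null)'
)

# "avc: denied { perm1 perm2 } for key=value ..." ; only denials are of interest.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<rest>.*)')
# key=value pairs; values may be double-quoted (comm="a.out") or bare (tclass=file).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcDenial:
    perms: List[str]          # denied permissions, e.g. ["write"]
    fields: Dict[str, str]    # pid, comm, path, scontext, tcontext, tclass, ...

    @staticmethod
    def _type_of(context: str) -> str:
        # user:role:type:level -> the type is the third colon-separated field
        return context.split(':')[2]

    @property
    def source_type(self) -> str:
        return self._type_of(self.fields['scontext'])

    @property
    def target_type(self) -> str:
        return self._type_of(self.fields['tcontext'])


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Return an AvcDenial for a 'type=AVC ... denied' record, else None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    perms = m.group('perms').split()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return AvcDenial(perms, fields)


def setroubleshoot_hash(d: AvcDenial) -> str:
    """Rebuild the 'Hash:' signature setroubleshoot prints for a denial.

    Order is comm, source type, target type, class, (first) permission, which
    is what the report in the thread shows (a.out,sandbox_t,etc_runtime_t,file,write).
    """
    return ','.join([d.fields.get('comm', '?'), d.source_type, d.target_type,
                     d.fields.get('tclass', '?'), d.perms[0]])


def explain(d: AvcDenial) -> str:
    """One-line, human-readable reading of the denial for triage notes."""
    obj = d.fields.get('path') or d.fields.get('name') or '<unknown object>'
    return (f"{d.source_type} process '{d.fields.get('comm', '?')}' (pid {d.fields.get('pid', '?')}) "
            f"was denied {'/'.join(d.perms)} on {d.fields.get('tclass', '?')} {obj} "
            f"labelled {d.target_type}")


def triage(lines: List[str]) -> List[str]:
    """Return explanations for every AVC denial in a batch of audit lines."""
    return [explain(d) for d in map(parse_avc, lines) if d is not None]


if __name__ == '__main__':
    for note in triage([SAMPLE_AVC, SAMPLE_SYSCALL]):
        print(note)
    d = parse_avc(SAMPLE_AVC)
    print('Hash:', setroubleshoot_hash(d))
```

The parser is deliberately limited to the fields the kernel emits in the AVC record itself; it does not try to guess the correct label for the target, because that depends on the file-context policy of the host (here, a file created directly under `/` picks up `etc_runtime_t`). The useful defender check is the pair source type / target type: once those are visible, the remedy in the thread follows directly.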