Old 06-23-2011, 10:25 PM
GSO
 
Fwd: Is it possible to run chromium in a SELinux sandbox?

On 23 June 2011 13:22, Daniel J Walsh <dwalsh@redhat.com> wrote:

On 06/23/2011 06:29 AM, GSO wrote:

> This thread went offline, however to bring things back online, it
> appears at least the binary download (running on SL6) of Firefox 5 just
> released does not work in the sandbox either. The SELinux audit
> messages are:
>
> Jun 22 21:40:22 localhost kernel: SELinux: Permission audit_access in class dir not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux: Permission execmod in class dir not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux: Permission audit_access in class lnk_file not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux: Permission open in class lnk_file not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux: Permission execmod in class lnk_file not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux: Permission audit_access in class chr_file not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux: Permission audit_access in class blk_file not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux: Permission execmod in class blk_file not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux: Permission audit_access in class sock_file not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux: Permission execmod in class sock_file not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux: Permission audit_access in class fifo_file not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux: Permission execmod in class fifo_file not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux: Permission syslog in class capability2 not defined in policy.
> Jun 22 21:40:22 localhost kernel: SELinux: the above unknown classes and permissions will be allowed
> Jun 22 21:40:24 localhost dbus: avc: received policyload notice (seqno=5)
> Jun 22 21:40:24 localhost dbus: avc: received policyload notice (seqno=5)
> Jun 22 21:40:24 localhost dbus: avc: received policyload notice (seqno=5)
> Jun 22 21:40:24 localhost dbus: avc: received policyload notice (seqno=5)
> Jun 22 21:40:24 localhost dbus: avc: received policyload notice (seqno=5)
> Jun 22 21:40:24 localhost dbus: [system] Reloaded configuration
>
> The sandbox window starts up but crashes before any sign of FF
> materialises, works fine in permissive mode or unsandboxed otherwise.
> I've put the FF binaries in /opt.
>
> On 19 June 2011 17:53, Dominick Grift <domg472@gmail.com> wrote:
>
>     On Sun, 2011-06-19 at 13:57 +0100, GSO wrote:
>     > The default build using the google repos results in chromium
>     > grinding to a halt with a black window when run in a sandbox. Is it
>     > technically possible to run chrome in a sandbox, would building from
>     > source fix this at all?
>
>     I do not think it will work since both sandbox and chrome use namespaces
>     and chrome can't run if sandbox already runs in a namespace (or something
>     along those lines is my understanding of this issue)
>
>     > --
>     > selinux mailing list
>     > selinux@lists.fedoraproject.org
>     > https://admin.fedoraproject.org/mailman/listinfo/selinux
>
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

I looked for firefox5 x86_64 and did not quickly find it, if you know
where there is a link, I will look into what is going on, otherwise I
will wait until Fedora Packages it. It does seem strange that you are
getting those

Permission audit_access in class sock_file not defined in policy.

errors, What OS are you using? What kernel?

That was Scientific Linux 6, I was also running Tor (through openvpn), so that might have complicated matters. I had also been messing around with Tor to get it to send all net traffic through tor, and the install was tainted at that point (I never was able to get that to work, similar SELinux audit errors to the above funnily enough). I had also built and installed the latest kernel as I have to do to get my webcams working (2 cams I have do not work with the default RHEL6 kernel).

However I've just installed the Fedora security spin, should be an untainted install (I am 'under attack' here!), Firefox 5 likewise crashes, though with no SELinux audit messages in /var/log/messages as far as I can see (just a few 'received policyload notice' lines).

Likewise chromium grinds to a halt at the usual black background, no SELinux audit messages again, not even the 'policyload' notice ones (assuming I've got it set up properly to report them).




--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 06-24-2011, 12:56 PM
Daniel J Walsh
 
Fwd: Is it possible to run chromium in a SELinux sandbox?


On 06/23/2011 06:25 PM, GSO wrote:
>
> That was Scientific Linux 6, I was also running Tor (through openvpn),
> so that might have complicated matters. I had also been messing around
> with Tor to get it to send all net traffic through tor, and the install
> was tainted at that point (I never was able to get that to work, similar
> SELInux audit errors to the above funnily enough). I had also built and
> installed the latest kernel as I have to do to get my webcams working (2
> cams I have do not work with the default RHEL6 kernel).
>
> However I've just installed the Fedora security spin, should be an
> untainted install (I am 'under attack' here!), Firefox 5 likewise
> crashes, though with no SELinux audit messages in /var/log/messages as
> far as I can see (just a few 'received policyload notice' lines).
>
> Likewise chromium grinds to a halt at the usual black background, no
> SELinux audit messages again, not even the 'policyload' notice ones
> (assuming I've got it set up properly to report them).
>
>
>
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux


Well I know Chrome does not run under the sandbox. On firefox5 try to
turn off dontaudit rules and see if it generates any AVC messages

# semodule -DB
> sandbox -X -t sandbox_web_t -W metacity firefox5
# ausearch -m avc -ts recent
# semodule -B
 
Old 06-24-2011, 06:07 PM
GSO
 
Fwd: Is it possible to run chromium in a SELinux sandbox?

On 24 June 2011 13:56, Daniel J Walsh <dwalsh@redhat.com> wrote:

....

Well I know Chrome does not run under the sandbox. On firefox5 try to
turn off dontaudit rules and see if it generates any AVC messages

# semodule -DB
> sandbox -X -t sandbox_web_t -W metacity firefox5
# ausearch -m avc -ts recent
# semodule -B

----
time->Fri Jun 24 19:03:01 2011
type=SYSCALL msg=audit(1308938581.872:1712): arch=40000003 syscall=11 success=yes exit=0 a0=22070780 a1=2e918708 a2=0 a3=0 items=0 ppid=11813 pid=11827 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="setfiles" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1308938581.872:1712): avc: denied { noatsecure } for pid=11827 comm="setfiles" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1308938581.872:1712): avc: denied { siginh } for pid=11827 comm="setfiles" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1308938581.872:1712): avc: denied { rlimitinh } for pid=11827 comm="setfiles" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
----
time->Fri Jun 24 19:04:59 2011
type=SYSCALL msg=audit(1308938699.627:1714): arch=40000003 syscall=11 success=yes exit=0 a0=8b92188 a1=8b921a0 a2=8b93ba8 a3=8b921a0 items=0 ppid=11832 pid=11839 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="Xephyr" exe="/usr/bin/Xephyr" subj=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c396,c934 key=(null)
type=AVC msg=audit(1308938699.627:1714): avc: denied { noatsecure } for pid=11839 comm="Xephyr" scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 tcontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c396,c934 tclass=process
type=AVC msg=audit(1308938699.627:1714): avc: denied { siginh } for pid=11839 comm="Xephyr" scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 tcontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c396,c934 tclass=process
type=AVC msg=audit(1308938699.627:1714): avc: denied { rlimitinh } for pid=11839 comm="Xephyr" scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 tcontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c396,c934 tclass=process
----
time->Fri Jun 24 19:05:00 2011
type=SYSCALL msg=audit(1308938700.103:1715): arch=40000003 syscall=11 success=yes exit=0 a0=8b93ef0 a1=8b92d90 a2=8b93db0 a3=8b92d90 items=0 ppid=11840 pid=11846 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="start" exe="/usr/bin/python" subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 key=(null)
type=AVC msg=audit(1308938700.103:1715): avc: denied { noatsecure } for pid=11846 comm="start" scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 tcontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 tclass=process
type=AVC msg=audit(1308938700.103:1715): avc: denied { siginh } for pid=11846 comm="start" scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 tcontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 tclass=process
type=AVC msg=audit(1308938700.103:1715): avc: denied { rlimitinh } for pid=11846 comm="start" scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 tcontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 tclass=process
----
time->Fri Jun 24 19:04:59 2011
type=SYSCALL msg=audit(1308938699.592:1713): arch=40000003 syscall=11 success=yes exit=0 a0=bf99f5ed a1=bf99e7f4 a2=20a04f28 a3=0 items=0 ppid=11831 pid=11832 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="sandboxX.sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 key=(null)
type=AVC msg=audit(1308938699.592:1713): avc: denied { read write } for pid=11832 comm="sandboxX.sh" path="/dev/pts/0" dev=devpts ino=3 scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1308938699.592:1713): avc: denied { read write } for pid=11832 comm="sandboxX.sh" path="/dev/pts/0" dev=devpts ino=3 scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1308938699.592:1713): avc: denied { read write } for pid=11832 comm="sandboxX.sh" path="/dev/pts/0" dev=devpts ino=3 scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
----
time->Fri Jun 24 19:05:00 2011
type=SYSCALL msg=audit(1308938700.685:1716): arch=40000003 syscall=5 success=no exit=-13 a0=71c252 a1=8000 a2=1b6 a3=0 items=0 ppid=11853 pid=11854 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="dbus-daemon" exe="/bin/dbus-daemon" subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 key=(null)
type=AVC msg=audit(1308938700.685:1716): avc: denied { read } for pid=11854 comm="dbus-daemon" name="config" dev=dm-2 ino=32330 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
----
time->Fri Jun 24 19:05:00 2011
type=SYSCALL msg=audit(1308938700.693:1717): arch=40000003 syscall=11 success=no exit=-13 a0=bfde9f06 a1=8e2c058 a2=8e37ad8 a3=8e37ad8 items=0 ppid=11848 pid=11852 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="dbus-launch" exe="/usr/bin/dbus-launch" subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 key=(null)
type=AVC msg=audit(1308938700.693:1717): avc: denied { execute } for pid=11852 comm="dbus-launch" name="firefox" dev=dm-2 ino=263286 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file



 
Old 06-24-2011, 08:16 PM
Daniel J Walsh
 
Fwd: Is it possible to run chromium in a SELinux sandbox?


On 06/24/2011 02:07 PM, GSO wrote:
>
> On 24 June 2011 13:56, Daniel J Walsh <dwalsh@redhat.com
> <mailto:dwalsh@redhat.com>> wrote:
>
> ....
> Well I know Chrome does not run under the sandbox. On firefox5 try to
> turn off dontaudit rules and see if it generates any AVC messages
>
> # semodule -DB
> > sandbox -X -t sandbox_web_t -W metacity firefox5
> # ausearch -m avc -ts recent
> # semodule -B
>
> ----
> time->Fri Jun 24 19:05:00 2011
> type=SYSCALL msg=audit(1308938700.693:1717): arch=40000003 syscall=11 success=no exit=-13 a0=bfde9f06 a1=8e2c058 a2=8e37ad8 a3=8e37ad8 items=0 ppid=11848 pid=11852 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="dbus-launch" exe="/usr/bin/dbus-launch" subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 key=(null)
> type=AVC msg=audit(1308938700.693:1717): avc: denied { execute } for pid=11852 comm="dbus-launch" name="firefox" dev=dm-2 ino=263286 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
>
>
chcon -t bin_t firefox

Is what it is complaining about.


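The ausearch records in this thread, run through a small triage script. This is an added example, not code from the thread or from the SELinux tools; the split between denials that dontaudit rules normally hide and the one denial that actually stopped Firefox, and the chcon fix it maps to, follow Dan Walsh's diagnosis above. The sample records are constructed, cleaned-up copies of the lines quoted in the thread.

```python
"""Triage `ausearch -m avc` output captured after `semodule -DB`.

Added example, not the thread's or the SELinux project's code.  With
dontaudit rules disabled, the log fills with denials the policy hides on
purpose (noatsecure, siginh, rlimitinh on domain transitions).  This
script separates that noise from the denial that broke the sandbox:
sandbox_web_client_t refused execute on a file labelled usr_t.
"""
import re

# Permissions that dontaudit rules normally suppress; they are emitted on
# every domain transition and do not stop the process from running.
DONTAUDIT_NOISE = {"noatsecure", "siginh", "rlimitinh"}

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc: +denied +\{ (?P<perms>[^}]+)\} for pid=(?P<pid>\d+) '
    r'comm="(?P<comm>[^"]*)"(?P<rest>.*)'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one type=AVC record, or None for other record types."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    for key, val in KV_RE.findall(rec.pop("rest")):
        rec[key] = val.strip('"')
    # scontext/tcontext are user:role:type:level; the type is what matters here
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def triage(lines):
    """Split AVC records into dontaudit noise and denials worth acting on."""
    noise, real = [], []
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue  # SYSCALL lines and separators carry no denial
        if rec["tclass"] == "process" and set(rec["perms"]) <= DONTAUDIT_NOISE:
            noise.append(rec)
        else:
            real.append(rec)
    return noise, real


def suggest_fix(rec):
    """Map the execute-on-usr_t file denial from the thread to the label fix."""
    if rec["tclass"] == "file" and "execute" in rec["perms"] and rec["ttype"] == "usr_t":
        return "chcon -t bin_t " + rec.get("name", "<file>")
    return None


# Constructed sample: cleaned copies of records quoted in the thread.
SAMPLE = """
type=AVC msg=audit(1308938699.627:1714): avc: denied { noatsecure } for pid=11839 comm="Xephyr" scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 tcontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c396,c934 tclass=process
type=AVC msg=audit(1308938699.627:1714): avc: denied { siginh } for pid=11839 comm="Xephyr" scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 tcontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c396,c934 tclass=process
type=SYSCALL msg=audit(1308938700.693:1717): arch=40000003 syscall=11 success=no exit=-13 comm="dbus-launch"
type=AVC msg=audit(1308938699.592:1713): avc: denied { read write } for pid=11832 comm="sandboxX.sh" path="/dev/pts/0" dev=devpts ino=3 scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1308938700.685:1716): avc: denied { read } for pid=11854 comm="dbus-daemon" name="config" dev=dm-2 ino=32330 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=AVC msg=audit(1308938700.693:1717): avc: denied { execute } for pid=11852 comm="dbus-launch" name="firefox" dev=dm-2 ino=263286 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
""".strip().splitlines()

if __name__ == "__main__":
    noise, real = triage(SAMPLE)
    print(f"{len(noise)} dontaudit-noise records, {len(real)} to look at")
    for rec in real:
        fix = suggest_fix(rec)
        line = f'{rec["comm"]}: {rec["stype"]} denied {" ".join(rec["perms"])} on {rec["tclass"]} ({rec["ttype"]})'
        print(line + (f"  ->  {fix}" if fix else ""))
```

The two remaining non-noise denials (the pty and the selinux config file) are the kind that need reading in context; only the execute denial on the usr_t-labelled firefox binary explains the crash, and relabelling it bin_t is exactly the fix given in the reply.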
 
Old 06-25-2011, 03:57 PM
GSO
 
Fwd: Is it possible to run chromium in a SELinux sandbox?

On 24 June 2011 20:16, Daniel J Walsh <dwalsh@redhat.com> wrote:

...

> chcon -t bin_t firefox
>
> Is what it is complaining about.

OK, Firefox 5 is now available as a Fedora update, no issue at this point.

 
