Bug 691783

Summary: running various programs in sandbox
Product: Red Hat Enterprise Linux 6
Reporter: Milos Malik <mmalik>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: unspecified
Version: 6.0
CC: dwalsh, mgrepl
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-03-31 19:48:33 UTC

Description Milos Malik 2011-03-29 13:12:31 UTC
Each of the following command lines produces at least 1 AVC or USER_AVC when executed by an ordinary user on a RHEL-6.0 machine. I would like to ask which of these AVCs are expected/desirable? Some kind of matrix with expected results would be appreciated.

 * sandbox -M ksh
 * sandbox -M tcsh
 * sandbox -M zsh
 * sandbox -M ping 127.0.0.1
 * sandbox -M ping6 ::1
 * sandbox -M traceroute 127.0.0.1
 * sandbox -M traceroute6 ::1
 * sandbox -X xterm -e 'top -d1'
 * sandbox -X xterm -e 'ps ax'
 * sandbox -M dmesg
 * sandbox -M quota -ugv
 * sandbox -X xterm -e df
 * sandbox -X xterm -e mount
 * sandbox -X xterm -e w
 * sandbox -X xterm -e who
 * sandbox -X xterm -e seinfo
 * sandbox -X sealert
 * sandbox -X xterm -e 'udisks --dump'

Version-Release number of selected component (if applicable):
policycoreutils-2.0.83-19.7.el6_0.i686
policycoreutils-debuginfo-2.0.83-19.7.el6_0.i686
policycoreutils-gui-2.0.83-19.7.el6_0.i686
policycoreutils-newrole-2.0.83-19.7.el6_0.i686
policycoreutils-python-2.0.83-19.7.el6_0.i686
policycoreutils-sandbox-2.0.83-19.7.el6_0.i686
selinux-policy-3.7.19-54.el6_0.5.noarch
selinux-policy-doc-3.7.19-54.el6_0.5.noarch
selinux-policy-minimum-3.7.19-54.el6_0.5.noarch
selinux-policy-mls-3.7.19-54.el6_0.5.noarch
selinux-policy-targeted-3.7.19-54.el6_0.5.noarch

Comment 1 Daniel Walsh 2011-03-29 17:54:18 UTC
sandbox -M should not allow open to much of anything. The idea here is to allow stdin/stdout and no opens.

sandbox -X xterm should be a very confined app that should not be able to look at much of the running system.  So commands like ps and top should blow up.


sandbox -X should be more about running apps on the desktop.

Comment 2 Daniel Walsh 2011-03-31 19:48:33 UTC
Open if you believe any of these should be allowed in the default sandbox.

Comment 3 Daniel Walsh 2011-03-31 19:48:48 UTC
Or dontaudited
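
The matrix requested in the description can be tabulated from the audit log once the commands have been run. The following is an added example, not part of this bug report or of policycoreutils: it parses AVC denial records and groups them by command and sandbox domain. The log lines are constructed, and the SELinux type names in them (`sandbox_t`, `sandbox_x_client_t`, `etc_t`, `proc_t`) are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed audit records for illustration; not taken from the bug report.
SAMPLE_LOG = """\
type=AVC msg=audit(1301404351.100:101): avc:  denied  { open } for  pid=2101 comm="ksh" name="passwd" dev=dm-0 ino=1234 scontext=unconfined_u:unconfined_r:sandbox_t:s0:c10,c20 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1301404351.100:101): arch=40000003 syscall=5 success=no exit=-13 comm="ksh"
type=AVC msg=audit(1301404352.200:102): avc:  denied  { create } for  pid=2102 comm="ping" scontext=unconfined_u:unconfined_r:sandbox_t:s0:c11,c21 tcontext=unconfined_u:unconfined_r:sandbox_t:s0:c11,c21 tclass=rawip_socket
type=AVC msg=audit(1301404353.300:103): avc:  denied  { read open } for  pid=2103 comm="top" name="stat" dev=proc ino=4026531975 scontext=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c12,c22 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1301404354.400:104): avc:  denied  { getattr } for  pid=900 comm="httpd" path="/srv/data" dev=dm-0 ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "comm": m.group("comm"),
        "perms": m.group("perms").split(),
        # A context is user:role:type:level; the type is the third field.
        "source_type": m.group("scon").split(":")[2],
        "target_type": m.group("tcon").split(":")[2],
        "tclass": m.group("tclass"),
    }

def denial_matrix(log_text, domain_prefix="sandbox"):
    """Map (comm, source type) -> set of 'target_type:tclass:perm' denials."""
    matrix = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        # Keep only denials whose source domain is a sandbox type.
        if rec and rec["source_type"].startswith(domain_prefix):
            for perm in rec["perms"]:
                matrix[(rec["comm"], rec["source_type"])].add(
                    f'{rec["target_type"]}:{rec["tclass"]}:{perm}')
    return dict(matrix)

if __name__ == "__main__":
    for (comm, stype), denials in sorted(denial_matrix(SAMPLE_LOG).items()):
        print(f"{comm:8} {stype:22} {', '.join(sorted(denials))}")
```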