Bug 952621

Summary: sandbox and sandbox_net_t/sandbox_web_t types don't work
Product: Red Hat Enterprise Linux 6
Component: selinux-policy
Version: 6.4
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: unspecified
Target Milestone: rc
Reporter: Miroslav Hostinsky <bman>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Milos Malik <mmalik>
CC: dwalsh, lnovich, mmalik, mtruneck
Fixed In Version: selinux-policy-3.7.19-210.el6
Doc Type: Bug Fix
Type: Bug
Last Closed: 2013-11-21 10:22:48 UTC

Description Miroslav Hostinsky 2013-04-16 10:29:18 UTC
Description of problem:

I have issues running sandboxed apps in sandbox_net_t (and sandbox_web_t).

When running under "Targeted" SELinux mode I get no output:

$ sandbox -t sandbox_net_t id -Z
$

When I set "Permissive" mode, I get:

$ sandbox -t sandbox_net_t id -Z
unconfined_u:unconfined_r:sandbox_net_t:s0:c71,c219
$

When running in Targeted mode with sandbox_t it works as expected:

$ sandbox -t sandbox_t id -Z
unconfined_u:unconfined_r:sandbox_t:s0:c312,c1013


Version-Release number of selected component (if applicable):

Latest RHEL 6.4 with all updates installed

How reproducible:

always reproducible

Steps to Reproduce:

$ sudo setenforce 1
$ sandbox -t sandbox_net_t id -Z
$ sudo setenforce 0
$ sandbox -t sandbox_net_t id -Z
unconfined_u:unconfined_r:sandbox_net_t:s0:c595,c720
  
Actual results:

When Enforcing is enabled, running under sandbox_net_t does nothing.
When Permissive is enabled, it runs as expected.

Expected results:

App should run normally in sandbox_net_t when in Enforcing mode.

Additional info:

- I am not using X sandboxing. I want to sandbox a console app with network capabilities.

- No SELinux AVC is generated when running id -Z

Comment 1 Milos Malik 2013-04-16 12:24:26 UTC
The same problem appears when running "sandbox -t sandbox_min_t id -Z". SELinux policy contains dontaudit rules which hide the AVCs. Here are the AVCs which appear after disabling dontaudit rules:
----
type=PATH msg=audit(04/16/2013 14:17:57.630:54) : item=1 name=(null) inode=1816 dev=08:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 
type=PATH msg=audit(04/16/2013 14:17:57.630:54) : item=0 name=/usr/bin/id inode=136272 dev=08:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 
type=CWD msg=audit(04/16/2013 14:17:57.630:54) :  cwd=/home/pas 
type=EXECVE msg=audit(04/16/2013 14:17:57.630:54) : argc=2 a0=/usr/bin/id a1=-Z 
type=SYSCALL msg=audit(04/16/2013 14:17:57.630:54) : arch=i386 syscall=execve success=yes exit=0 a0=953bfd0 a1=9540880 a2=bfb797b4 a3=2 items=2 ppid=1358 pid=1359 auid=pas uid=pas gid=pas euid=pas suid=pas fsuid=pas egid=pas sgid=pas fsgid=pas tty=(none) ses=2 comm=id exe=/usr/bin/id subj=unconfined_u:unconfined_r:sandbox_min_t:s0:c142,c627 key=(null) 
type=AVC msg=audit(04/16/2013 14:17:57.630:54) : avc:  denied  { read write } for  pid=1359 comm=id path=/dev/tty1 dev=devtmpfs ino=5128 scontext=unconfined_u:unconfined_r:sandbox_min_t:s0:c142,c627 tcontext=unconfined_u:object_r:user_tty_device_t:s0 tclass=chr_file 
type=AVC msg=audit(04/16/2013 14:17:57.630:54) : avc:  denied  { read write } for  pid=1359 comm=id path=/dev/tty1 dev=devtmpfs ino=5128 scontext=unconfined_u:unconfined_r:sandbox_min_t:s0:c142,c627 tcontext=unconfined_u:object_r:user_tty_device_t:s0 tclass=chr_file 
type=AVC msg=audit(04/16/2013 14:17:57.630:54) : avc:  denied  { read write } for  pid=1359 comm=id path=/dev/tty1 dev=devtmpfs ino=5128 scontext=unconfined_u:unconfined_r:sandbox_min_t:s0:c142,c627 tcontext=unconfined_u:object_r:user_tty_device_t:s0 tclass=chr_file 
type=AVC msg=audit(04/16/2013 14:17:57.630:54) : avc:  denied  { read write } for  pid=1359 comm=id name=tty1 dev=devtmpfs ino=5128 scontext=unconfined_u:unconfined_r:sandbox_min_t:s0:c142,c627 tcontext=unconfined_u:object_r:user_tty_device_t:s0 tclass=chr_file 
----
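
The denials in Comment 1 can be reduced to one line per (source type, target type, class) for triage. The following is an added example, not part of the original bug report and not the audit2allow tool; `summarize` and `allow_rules` are hypothetical helper names, and the last sample record is constructed.

```python
import re
from collections import defaultdict

# Lines 1-3 are copied from Comment 1 (interpreted "ausearch -i" style).
# Line 4 is constructed for this example, in raw style with quoted values.
SAMPLE = """\
type=EXECVE msg=audit(04/16/2013 14:17:57.630:54) : argc=2 a0=/usr/bin/id a1=-Z
type=AVC msg=audit(04/16/2013 14:17:57.630:54) : avc:  denied  { read write } for  pid=1359 comm=id path=/dev/tty1 dev=devtmpfs ino=5128 scontext=unconfined_u:unconfined_r:sandbox_min_t:s0:c142,c627 tcontext=unconfined_u:object_r:user_tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(04/16/2013 14:17:57.630:54) : avc:  denied  { read write } for  pid=1359 comm=id name=tty1 dev=devtmpfs ino=5128 scontext=unconfined_u:unconfined_r:sandbox_min_t:s0:c142,c627 tcontext=unconfined_u:object_r:user_tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1366114677.630:55): avc:  denied  { ioctl } for  pid=1359 comm="id" path="/dev/tty1" dev=devtmpfs ino=5128 scontext=unconfined_u:unconfined_r:sandbox_min_t:s0:c142,c627 tcontext=unconfined_u:object_r:user_tty_device_t:s0 tclass=chr_file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def selinux_type(context):
    """Return the type, the third field of user:role:type:level[:categories]."""
    return context.split(":")[2]

def summarize(log_text):
    """Group AVC denials by (source type, target type, object class)."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "paths": set()})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # PATH, CWD, EXECVE and SYSCALL records carry no denial
        perms, rest = m.groups()
        # Raw records quote string values; interpreted ones do not.
        fields = {k: v.strip('"') for k, v in re.findall(r"(\w+)=(\S+)", rest)}
        key = (selinux_type(fields["scontext"]),
               selinux_type(fields["tcontext"]), fields["tclass"])
        group = groups[key]
        group["perms"].update(perms.split())
        group["count"] += 1
        group["paths"].add(fields.get("path") or fields.get("name", "?"))
    return dict(groups)

def allow_rules(summary):
    """Render each group as the allow rule that would cover its denials."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(g['perms']))} }};"
            for (s, t, c), g in sorted(summary.items())]

if __name__ == "__main__":
    for rule in allow_rules(summarize(SAMPLE)):
        print(rule)
```

On a live system the input would come from `ausearch -m avc` after rebuilding the policy with `semodule -DB`, which disables the dontaudit rules; `semodule -B` restores them.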

Comment 2 Daniel Walsh 2013-04-16 20:37:19 UTC
I guess those are ok to add.

Just realize that those types are intended to be used with sandbox -X, not regular sandbox.

sandbox_t is allowed to use all file descriptors leaked into it, while
sandbox_x_t, sandbox_net_t ... are used for sandboxing desktop apps.

5bf878c73e07a283ca5b28a4a8814aa73bae150a fixes this in git.

Comment 3 Miroslav Hostinsky 2013-04-16 20:49:20 UTC
Does this mean that those types (sandbox_x_t, sandbox_net_t) will also be supported with console apps?

Sorry, I am unable to view that GIT commit to review it myself...

Comment 4 Daniel Walsh 2013-04-16 21:34:28 UTC
Well, they should work with the terminal, but they may or may not have the access you intend.

For example

cat RANDOMPATH/topsecret | semanage -t sandbox_net_t FILTER > PATHTORANDOM/unclassified

Will probably not work.

But
sandbox -t sandbox_net_t nc www.redhat.com 80

Should work.

Comment 11 errata-xmlrpc 2013-11-21 10:22:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html