Description of problem:

sudo setenforce 0
sandbox -X -H /tmp/sandbox firefox

SELinux is preventing /usr/bin/bash from 'getattr' accesses on the file .

*****  Plugin catchall (100. confidence) suggests  **************************

If you believe that bash should be allowed getattr access on the file by default, then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep sh /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                staff_u:staff_r:staff_seunshare_t:s0-s0:c0.c1023
Target Context                system_u:object_r:rsync_exec_t:s0
Target Objects                [ file ]
Source                        sh
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           bash-4.2.47-2.fc20.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-158.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.14.3-200.fc20.x86_64 #1 SMP Tue May 6 19:00:18 UTC 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-05-14 14:12:05 CST
Last Seen                     2014-05-14 14:12:05 CST
Local ID                      56643732-60f7-4881-b60b-f236a197820f

Raw Audit Messages
type=AVC msg=audit(1400042525.53:514): avc: denied { getattr } for pid=4924 comm="sh" path="/usr/bin/rsync" dev="dm-2" ino=187666 scontext=staff_u:staff_r:staff_seunshare_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file

type=SYSCALL msg=audit(1400042525.53:514): arch=x86_64 syscall=stat success=no exit=EACCES a0=26055d0 a1=7fff5aec9b90 a2=7fff5aec9b90 a3=8 items=0 ppid=4923 pid=4924 auid=1343600009 uid=1343600009 gid=1343600009 euid=1343600009 suid=1343600009 fsuid=1343600009 egid=1343600009 sgid=1343600009 fsgid=1343600009 tty=pts0 ses=1 comm=sh exe=/usr/bin/bash subj=staff_u:staff_r:staff_seunshare_t:s0-s0:c0.c1023 key=(null)

Hash: sh,staff_seunshare_t,rsync_exec_t,file,getattr

Additional info:
reporter:       libreport-2.2.2
hashmarkername: setroubleshoot
kernel:         3.14.3-200.fc20.x86_64
type:           libreport
ba3b89d23b1237aa452bf49e96cce0e5ab553cd5 fixes this in git.
selinux-policy-3.12.1-166.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-166.fc20
Package selinux-policy-3.12.1-166.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-166.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-6584/selinux-policy-3.12.1-166.fc20
then log in and leave karma (feedback).
When set to permissive, I see:

----
time->Thu May 22 09:14:51 2014
type=PATH msg=audit(1400715891.272:55852): item=1 name=(null) inode=20151643 dev=fd:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
type=PATH msg=audit(1400715891.272:55852): item=0 name="/usr/bin/rsync" inode=187666 dev=fd:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rsync_exec_t:s0 nametype=NORMAL
type=CWD msg=audit(1400715891.272:55852): cwd="/home/william"
type=EXECVE msg=audit(1400715891.272:55852): argc=6 a0="/usr/bin/rsync" a1="--exclude=.X11-unix" a2="-utrlHDq" a3="--delete" a4="/tmp/.sandbox-william-91o1lp/" a5="/tmp/.sandbox_tmp_79jk6N/"
type=SYSCALL msg=audit(1400715891.272:55852): arch=c000003e syscall=59 success=yes exit=0 a0=25745d0 a1=2574a30 a2=2574740 a3=8 items=2 ppid=20627 pid=20628 auid=1343600009 uid=1343600009 gid=1343600009 euid=1343600009 suid=1343600009 fsuid=1343600009 egid=1343600009 sgid=1343600009 fsgid=1343600009 tty=pts1 ses=1 comm="rsync" exe="/usr/bin/rsync" subj=staff_u:staff_r:staff_seunshare_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1400715891.272:55852): avc: denied { execute_no_trans } for pid=20628 comm="sh" path="/usr/bin/rsync" dev="dm-2" ino=187666 scontext=staff_u:staff_r:staff_seunshare_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file
type=AVC msg=audit(1400715891.272:55852): avc: denied { read open } for pid=20628 comm="sh" path="/usr/bin/rsync" dev="dm-2" ino=187666 scontext=staff_u:staff_r:staff_seunshare_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file
type=AVC msg=audit(1400715891.272:55852): avc: denied { execute } for pid=20628 comm="sh" name="rsync" dev="dm-2" ino=187666 scontext=staff_u:staff_r:staff_seunshare_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file

And in addition:

[william@maddy 9:12] /home/william INSERT> mkdir /tmp/sandbox
[william@maddy 9:12] /home/william INSERT> sandbox -X -H /tmp/sandbox firefox
Failed to execute command /usr/share/sandbox/sandboxX.sh: Operation not permitted

This is after a restorecon on /usr and /tmp.
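The original report and the permissive-mode follow-up above together show four AVC denials for the same source type (staff_seunshare_t), target type (rsync_exec_t) and object class (file), differing only in the permission requested. The script below is an added example, not part of this bug report and not the code of setroubleshoot or audit2allow: it does the core of what audit2allow does with `type=AVC` records, keying each denial by (source type, target type, class), unioning the permissions, and printing one Type Enforcement allow rule. The sample log is built from the records quoted in this report (non-AVC records abridged); the function names are my own.

```python
import re
from collections import defaultdict

# Audit records quoted in this bug report, one per line as auditd writes them
# to /var/log/audit/audit.log. The SYSCALL and EXECVE records are abridged.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1400042525.53:514): avc:  denied  { getattr } for  pid=4924 comm="sh" path="/usr/bin/rsync" dev="dm-2" ino=187666 scontext=staff_u:staff_r:staff_seunshare_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1400042525.53:514): arch=x86_64 syscall=stat success=no exit=EACCES comm=sh exe=/usr/bin/bash subj=staff_u:staff_r:staff_seunshare_t:s0-s0:c0.c1023
type=EXECVE msg=audit(1400715891.272:55852): argc=6 a0="/usr/bin/rsync" a1="--exclude=.X11-unix" a2="-utrlHDq" a3="--delete" a4="/tmp/.sandbox-william-91o1lp/" a5="/tmp/.sandbox_tmp_79jk6N/"
type=AVC msg=audit(1400715891.272:55852): avc:  denied  { execute_no_trans } for  pid=20628 comm="sh" path="/usr/bin/rsync" dev="dm-2" ino=187666 scontext=staff_u:staff_r:staff_seunshare_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file
type=AVC msg=audit(1400715891.272:55852): avc:  denied  { read open } for  pid=20628 comm="sh" path="/usr/bin/rsync" dev="dm-2" ino=187666 scontext=staff_u:staff_r:staff_seunshare_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file
type=AVC msg=audit(1400715891.272:55852): avc:  denied  { execute } for  pid=20628 comm="sh" name="rsync" dev="dm-2" ino=187666 scontext=staff_u:staff_r:staff_seunshare_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file
"""

# Match only AVC records. Anchoring on "type=AVC" means a SYSCALL record whose
# comm happens to contain "sh" is never picked up, unlike the broad
# `grep sh /var/log/audit/audit.log` that setroubleshoot suggested above.
AVC_RE = re.compile(
    r'^type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+'
    r'(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+'
    r'(?P<rest>.*?)\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)'
)


def selinux_type(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc_denials(text):
    """Return one dict per denied AVC record found in an audit log."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m or m.group("verdict") != "denied":
            continue
        # key=value pairs between "for" and "scontext=" (pid, comm, path, ...)
        attrs = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("rest")))
        denials.append({
            "serial": int(m.group("serial")),
            "perms": frozenset(m.group("perms").split()),
            "source_type": selinux_type(m.group("scontext")),
            "target_type": selinux_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "comm": attrs.get("comm", "").strip('"'),
            # execve denials carry name= instead of path=
            "path": attrs.get("path", attrs.get("name", "")).strip('"'),
        })
    return denials


def summarize(denials):
    """Union the permissions per (source type, target type, class) triple."""
    summary = defaultdict(set)
    for d in denials:
        summary[(d["source_type"], d["target_type"], d["tclass"])] |= d["perms"]
    return dict(summary)


def te_rules(summary):
    """Render the summary as Type Enforcement allow rules, audit2allow style."""
    rules = []
    for (src, tgt, cls), perms in sorted(summary.items()):
        rules.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules


if __name__ == "__main__":
    found = parse_avc_denials(SAMPLE_AUDIT_LOG)
    for d in found:
        print(f"{d['serial']}: {d['comm']} -> {d['path']} {sorted(d['perms'])}")
    print("\n".join(te_rules(summarize(found))))
```

Running it on the quoted records yields `allow staff_seunshare_t rsync_exec_t:file { execute execute_no_trans getattr open read };`. Note what that rule grants: execute_no_trans lets the sandbox domain run rsync in its own domain rather than through a domain transition, and loading it with semodule makes that a permanent local policy change. That is why setroubleshoot's text says to report the denial; the selinux-policy update referenced in this thread is the proper fix, and a local module generated this way should be treated as a temporary workaround.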
selinux-policy-3.12.1-166.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.