Bug 1294020 - sandbox doesn't set correct security context on copied in files.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: policycoreutils
Version: 23
Assigned To: Petr Lautrbach
QA Contact: Fedora Extras Quality Assurance
Reported: 2015-12-24 00:00 EST by Josh Cogliati
Modified: 2016-10-10 13:43 EDT
Fixed In Version: policycoreutils-2.5-17.fc25
Doc Type: Bug Fix
Last Closed: 2016-10-10 13:43:53 EDT
Type: Bug


Description Josh Cogliati 2015-12-24 00:00:10 EST
Description of problem:
Sandbox doesn't set the correct security context on files copied into the home directory.


Version-Release number of selected component (if applicable):
policycoreutils-python-utils-2.4-18.fc23.x86_64


How reproducible:
Every time

Steps to Reproduce:
1. sandbox -i .bash_history -M bash
2. cat .bash_history

Actual results:
$ sandbox -i .bash_history -M bash
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
bash-4.3$ cat .bash_history 
cat: .bash_history: Permission denied
bash-4.3$ ls -Z .bash_history 
unconfined_u:object_r:user_home_t:s0 .bash_history
bash-4.3$ id -Z
unconfined_u:unconfined_r:sandbox_t:s0:c256,c270

Expected results:
The file would have permissions and security context that allowed the cat command to work.

Additional info:
On some computers I had to run 
# semodule -e sandbox
to get sandbox to work at all.
Comment 3 Josh Cogliati 2016-07-12 21:32:59 EDT
What info do you need?

Here are the current results:
$ sandbox -i .bash_history -M bash
ERROR: could not find datum for type sandbox_t
/usr/bin/sandbox: Sandbox Policy is not currently installed.
You need to install the selinux-policy-sandbox package in order to run this command


# dnf install selinux-policy-sandbox
Fedora 23 - x86_64 - Updates                    505 kB/s |  23 MB     00:47    
Last metadata expiration check: 0:00:13 ago on Tue Jul 12 19:28:09 2016.
Package selinux-policy-sandbox-3.13.1-158.15.fc23.noarch is already installed, skipping.
Dependencies resolved.
Nothing to do.
Complete!
Comment 5 Petr Lautrbach 2016-09-15 10:45:04 EDT
The problem is in shutil.copy2() which is used to copy files into sandbox home. Since python-3.3 this function tries to preserve extended attributes together with other metadata.

I posted a patch for review upstream - https://marc.info/?l=selinux&m=147395056429929&w=2 and I'll provide a link to a testing scratch build soon.
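
Added example (not part of the bug report and not the upstream patch): a copy helper that keeps data, mode bits and timestamps the way shutil.copy2() does, but skips the security.selinux extended attribute, which is how the source file's user_home_t label ends up inside the sandbox home. The names copy_without_label and xattrs_to_preserve are hypothetical; the copy is left with whatever context the kernel assigns when the file is created in the destination directory.

```python
import errno
import os
import shutil
import stat

SELINUX_XATTR = "security.selinux"  # xattr in which SELinux stores a file's context


def xattrs_to_preserve(names):
    """Return the xattr names worth copying: everything except the SELinux label."""
    return [n for n in names if n != SELINUX_XATTR]


def copy_without_label(src, dst):
    """Copy data, mode bits and timestamps, but never the SELinux label.

    Returns the list of extended attribute names that were copied.
    """
    if os.path.isdir(dst):
        dst = os.path.join(dst, os.path.basename(src))
    shutil.copyfile(src, dst)                       # file contents only
    st = os.stat(src)
    os.chmod(dst, stat.S_IMODE(st.st_mode))         # permission bits
    os.utime(dst, ns=(st.st_atime_ns, st.st_mtime_ns))
    copied = []
    if not hasattr(os, "listxattr"):                # platform without xattr calls
        return copied
    try:
        names = os.listxattr(src)
    except OSError as e:
        if e.errno in (errno.ENOTSUP, errno.ENODATA, errno.EINVAL):
            return copied                           # filesystem without xattr support
        raise
    for name in xattrs_to_preserve(names):
        try:
            os.setxattr(dst, name, os.getxattr(src, name))
            copied.append(name)
        except OSError as e:
            # Skip attributes the caller is not allowed to set or the
            # destination filesystem cannot store; re-raise anything else.
            if e.errno not in (errno.EPERM, errno.EACCES, errno.ENOTSUP,
                               errno.ENODATA, errno.EINVAL):
                raise
    return copied
```

Whether the default creation context matches what the sandboxed domain may read depends on the loaded policy, so an explicit relabel of the destination tree after copying can still be required.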
Comment 7 Fedora Update System 2016-10-05 16:29:35 EDT
checkpolicy-2.5-8.fc25, libselinux-2.5-12.fc25, libsemanage-2.5-8.fc25, libsepol-2.5-10.fc25, policycoreutils-2.5-17.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-b7e8e980ef
Comment 8 Fedora Update System 2016-10-06 16:59:07 EDT
checkpolicy-2.5-8.fc25, libselinux-2.5-12.fc25, libsemanage-2.5-8.fc25, libsepol-2.5-10.fc25, policycoreutils-2.5-17.fc25, secilc-2.5-6.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-b7e8e980ef
Comment 9 Fedora Update System 2016-10-10 13:43:53 EDT
checkpolicy-2.5-8.fc25, libselinux-2.5-12.fc25, libsemanage-2.5-8.fc25, libsepol-2.5-10.fc25, policycoreutils-2.5-17.fc25, secilc-2.5-6.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
