Description of problem:
Sandbox doesn't set the correct security context on files copied into the home directory.

Version-Release number of selected component (if applicable):
policycoreutils-python-utils-2.4-18.fc23.x86_64

How reproducible:
Every time

Steps to Reproduce:
1. sandbox -i .bash_history -M bash
2. cat .bash_history

Actual results:
$ sandbox -i .bash_history -M bash
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
bash-4.3$ cat .bash_history
cat: .bash_history: Permission denied
bash-4.3$ ls -Z .bash_history
unconfined_u:object_r:user_home_t:s0 .bash_history
bash-4.3$ id -Z
unconfined_u:unconfined_r:sandbox_t:s0:c256,c270

Expected results:
The file would have permissions and security context that allowed the cat command to work.

Additional info:
On some computers I had to run
# semodule -e sandbox
to get sandbox to work at all.

What info do you need? Here are the current results:

$ sandbox -i .bash_history -M bash
ERROR: could not find datum for type sandbox_t
/usr/bin/sandbox: Sandbox Policy is not currently installed.
You need to install the selinux-policy-sandbox package in order to run this command
# dnf install selinux-policy-sandbox
Fedora 23 - x86_64 - Updates 505 kB/s | 23 MB 00:47
Last metadata expiration check: 0:00:13 ago on Tue Jul 12 19:28:09 2016.
Package selinux-policy-sandbox-3.13.1-158.15.fc23.noarch is already installed, skipping.
Dependencies resolved.
Nothing to do.
Complete!

The problem is in shutil.copy2(), which is used to copy files into the sandbox home. Since python-3.3 this function tries to preserve extended attributes together with other metadata. I posted a patch for review upstream - https://marc.info/?l=selinux&m=147395056429929&w=2 and I'll provide a link to a testing scratch build soon.
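Added example, not part of the bug report and not the upstream patch: it shows the copy2() behaviour described in the comment above next to a copy that keeps mode and timestamps but carries no extended attributes. The helper names and the `user.demo` attribute are assumptions; `user.demo` is a constructed stand-in for `security.selinux`, which an unprivileged process normally cannot set.

```python
import os
import shutil
import tempfile


def xattrs(path):
    """Return {name: value} for path, or {} where xattrs are unavailable."""
    try:
        return {n: os.getxattr(path, n) for n in os.listxattr(path)}
    except (OSError, AttributeError):  # unsupported filesystem or non-Linux platform
        return {}


def copy_without_xattrs(src, dst):
    """Copy data, permission bits and timestamps, but no extended attributes.

    shutil.copy2() is copyfile() + copystat(), and copystat() also copies
    xattrs (security.selinux included), so metadata is carried over by hand.
    """
    shutil.copyfile(src, dst)
    st = os.stat(src)
    os.chmod(dst, st.st_mode & 0o7777)
    os.utime(dst, ns=(st.st_atime_ns, st.st_mtime_ns))
    return dst


def demo():
    """Compare copy2() with copy_without_xattrs() on a constructed file."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "src")
        with open(src, "w") as f:
            f.write("constructed sample\n")
        try:
            # user.demo stands in for security.selinux (hypothetical label value)
            os.setxattr(src, "user.demo", b"label")
        except (OSError, AttributeError):
            pass  # no user xattrs here; the comparison is then empty
        a = shutil.copy2(src, os.path.join(d, "copy2"))
        b = copy_without_xattrs(src, os.path.join(d, "plain"))
        return xattrs(src), xattrs(a), xattrs(b)


if __name__ == "__main__":
    src_x, copy2_x, plain_x = demo()
    print("source:", src_x, "copy2:", copy2_x, "plain:", plain_x)
```

On an SELinux system the destination of `copy_without_xattrs()` still receives a `security.selinux` value, but it is the default the kernel assigns for the target directory rather than the source file's label.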
http://koji.fedoraproject.org/koji/taskinfo?taskID=15643536
checkpolicy-2.5-8.fc25, libselinux-2.5-12.fc25, libsemanage-2.5-8.fc25, libsepol-2.5-10.fc25, policycoreutils-2.5-17.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-b7e8e980ef
checkpolicy-2.5-8.fc25, libselinux-2.5-12.fc25, libsemanage-2.5-8.fc25, libsepol-2.5-10.fc25, policycoreutils-2.5-17.fc25, secilc-2.5-6.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-b7e8e980ef
checkpolicy-2.5-8.fc25, libselinux-2.5-12.fc25, libsemanage-2.5-8.fc25, libsepol-2.5-10.fc25, policycoreutils-2.5-17.fc25, secilc-2.5-6.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.