Bug 1294020 - sandbox doesn't set correct security context on copied in files.
Summary: sandbox doesn't set correct security context on copied in files.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: policycoreutils
Version: 23
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Petr Lautrbach
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2015-12-24 05:00 UTC by Josh Cogliati
Modified: 2016-10-10 17:43 UTC
CC: 4 users

Fixed In Version: policycoreutils-2.5-17.fc25
Clone Of:
Environment:
Last Closed: 2016-10-10 17:43:53 UTC
Type: Bug
Embargoed:



Description Josh Cogliati 2015-12-24 05:00:10 UTC
Description of problem:
Sandbox doesn't set the correct security context on files copied into the home directory.


Version-Release number of selected component (if applicable):
policycoreutils-python-utils-2.4-18.fc23.x86_64


How reproducible:
Every time

Steps to Reproduce:
1. sandbox -i .bash_history -M bash
2. cat .bash_history

Actual results:
$ sandbox -i .bash_history -M bash
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
bash-4.3$ cat .bash_history 
cat: .bash_history: Permission denied
bash-4.3$ ls -Z .bash_history 
unconfined_u:object_r:user_home_t:s0 .bash_history
bash-4.3$ id -Z
unconfined_u:unconfined_r:sandbox_t:s0:c256,c270

Expected results:
The file would have permissions and security context that allowed the cat command to work.

Additional info:
On some computers I had to run 
# semodule -e sandbox
to get sandbox to work at all.

Comment 3 Josh Cogliati 2016-07-13 01:32:59 UTC
What info do you need?

Here is the current results:
$ sandbox -i .bash_history -M bash
ERROR: could not find datum for type sandbox_t
/usr/bin/sandbox: Sandbox Policy is not currently installed.
You need to install the selinux-policy-sandbox package in order to run this command


# dnf install selinux-policy-sandbox
Fedora 23 - x86_64 - Updates                    505 kB/s |  23 MB     00:47    
Last metadata expiration check: 0:00:13 ago on Tue Jul 12 19:28:09 2016.
Package selinux-policy-sandbox-3.13.1-158.15.fc23.noarch is already installed, skipping.
Dependencies resolved.
Nothing to do.
Complete!

Comment 5 Petr Lautrbach 2016-09-15 14:45:04 UTC
The problem is in shutil.copy2() which is used to copy files into the sandbox home. Since python-3.3 this function tries to preserve extended attributes together with other metadata.

I posted a patch for review upstream - https://marc.info/?l=selinux&m=147395056429929&w=2 and I'll provide a link to a testing scratch build soon.
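
The mechanism described in the comment above, as an added example that is not code from the bug report or from policycoreutils: shutil.copy2() calls shutil.copystat(), which on Linux (Python 3.3 and later) also copies extended attributes with os.listxattr()/os.setxattr(). Because a file's SELinux label is stored in the security.selinux xattr, a copy2() of ~/.bash_history into the sandbox home carries user_home_t along with it, so the sandbox_t process is denied access. The copy_without_xattrs() helper below is one possible remedy (an assumption of this example, not the upstream patch): it copies data, mode and timestamps but creates the destination fresh, so the kernel labels it according to the destination directory's default rules. The demo cannot set security.selinux itself (that needs policy permission), so it uses a constructed user.* xattr as a stand-in to show which copy routine propagates xattrs.

```python
"""Why sandbox's copied-in files kept their original SELinux label.

Added example; not part of the bug report or of policycoreutils.
"""
import os
import shutil
import stat
import tempfile

SELINUX_XATTR = "security.selinux"


def get_xattr(path, name):
    """Return xattr `name` on `path`, or None if absent or unsupported."""
    if not hasattr(os, "getxattr"):  # os.*xattr exist only on Linux
        return None
    try:
        return os.getxattr(path, name)
    except OSError:  # ENODATA, ENOTSUP, ...
        return None


def selinux_label(path):
    """Decode the security.selinux xattr (what `ls -Z` prints), or None."""
    raw = get_xattr(path, SELINUX_XATTR)
    return raw.rstrip(b"\0").decode() if raw else None


def copy_without_xattrs(src, dst):
    """Copy data, permission bits and timestamps, but not extended attributes.

    Hypothetical replacement for the shutil.copy2() call (assumption of this
    example). shutil.copyfile() creates `dst` as a new inode, so on an SELinux
    system it receives the label the policy assigns for the destination
    directory instead of inheriting the source file's security.selinux value.
    """
    shutil.copyfile(src, dst)  # data only, no metadata
    st = os.stat(src)
    os.chmod(dst, stat.S_IMODE(st.st_mode))
    os.utime(dst, ns=(st.st_atime_ns, st.st_mtime_ns))
    return dst


def demonstrate():
    """Compare shutil.copy2() with copy_without_xattrs() on a constructed file.

    Returns a dict of observations so the result can be checked programmatically.
    """
    marker = "user.demo_label"  # constructed stand-in for security.selinux
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "bash_history")
        with open(src, "w") as fh:
            fh.write("ls -Z .bash_history\nid -Z\n")  # constructed content
        os.chmod(src, 0o600)

        xattr_supported = False
        if hasattr(os, "setxattr"):
            try:
                os.setxattr(src, marker, b"user_home_t")
                xattr_supported = True
            except OSError:  # e.g. filesystem without user.* xattr support
                pass

        via_copy2 = shutil.copy2(src, os.path.join(tmp, "copied_by_copy2"))
        via_safe = copy_without_xattrs(src, os.path.join(tmp, "copied_safely"))

        with open(src, "rb") as a, open(via_safe, "rb") as b:
            content_equal = a.read() == b.read()

        return {
            "xattr_supported": xattr_supported,
            "copy2_has_label": get_xattr(via_copy2, marker) is not None,
            "safe_has_label": get_xattr(via_safe, marker) is not None,
            "safe_mode_ok": stat.S_IMODE(os.stat(via_safe).st_mode) == 0o600,
            "content_equal": content_equal,
        }


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

On a Linux filesystem with xattr support the run shows copy2_has_label True and safe_has_label False: copy2() reproduced the label, the alternative did not. On a real SELinux host, selinux_label() on the copied file is the quickest check that a copy routine is relabeling as intended; a sandbox home file still reporting user_home_t is exactly the symptom in this bug.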

Comment 7 Fedora Update System 2016-10-05 20:29:35 UTC
checkpolicy-2.5-8.fc25, libselinux-2.5-12.fc25, libsemanage-2.5-8.fc25, libsepol-2.5-10.fc25, policycoreutils-2.5-17.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-b7e8e980ef

Comment 8 Fedora Update System 2016-10-06 20:59:07 UTC
checkpolicy-2.5-8.fc25, libselinux-2.5-12.fc25, libsemanage-2.5-8.fc25, libsepol-2.5-10.fc25, policycoreutils-2.5-17.fc25, secilc-2.5-6.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-b7e8e980ef

Comment 9 Fedora Update System 2016-10-10 17:43:53 UTC
checkpolicy-2.5-8.fc25, libselinux-2.5-12.fc25, libsemanage-2.5-8.fc25, libsepol-2.5-10.fc25, policycoreutils-2.5-17.fc25, secilc-2.5-6.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

