Bug 1317046 - the sandbox -i [path] command stopped working
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: policycoreutils
Version: 23
Hardware: x86_64 Linux
Priority: unspecified
Severity: high
Assigned To: Petr Lautrbach
QA Contact: Fedora Extras Quality Assurance
Reported: 2016-03-11 13:55 EST by w.chimiak
Modified: 2016-10-10 13:43 EDT
Fixed In Version: policycoreutils-2.5-17.fc25
Doc Type: Bug Fix
Last Closed: 2016-10-10 13:43:59 EDT
Type: Bug
Description w.chimiak 2016-03-11 13:55:59 EST
Description of problem: sandbox -i [path]
not working?  What happens is the security context is incorrectly done.


Version-Release number of selected component (if applicable):
rpm -q -f /usr/bin/sandbox shows I am using
policycoreutils-python-utils-2.4-20.fc23.x86_64

How reproducible:
Every time.

Steps to Reproduce:
1. % sandbox -i [path]
2. ls -Zd /tmp/.sandbox_home_[whatever]
gives
unconfined_u:object_r:sandbox_file_t:s0:cxx,cyyy .
3. BUT
% ls -Z [path]
gives
unconfined_u:object_r:mozilla_home_t:s0 [path]

Actual results:
The imported path has the wrong security context
unconfined_u:object_r:mozilla_home_t:s0 [path]

Expected results:
unconfined_u:object_r:sandbox_file_t:s0:cxx,cyyy .

Additional info:
Comment 1 Michael De La Rue 2016-06-15 15:29:31 EDT
I can reproduce this, but only for files which are not in /tmp/.  Moving files into a temporary directory on /tmp makes things work.

What did you do:
cd
sandbox -X -i myfile2.doc xdg-open myfile2.doc

What happened:
xdg-open: no permission to read file '/home/mikedlr/myfile2.doc'

What did you expect to happen:
Sandbox should open the file 

Any other information:
$ ls -Z myfile2.doc 
unconfined_u:object_r:user_home_t:s0 myfile2.doc


The audit2why output looks like:

type=AVC msg=audit(1466013139.499:35191): avc:  denied  { read } for  pid=23595 comm="xdg-open" name=4A6F62204465736372697074696F6E202D204E65744F707320456E67696E6565722E646F6378 dev="tmpfs" ino=12073273 scontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c4,c1012 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0

	Was caused by:
		Missing type enforcement (TE) allow rule.


My suspicion is that this is because the files are on a tmpfs and sandbox has very limited access to files on a tmpfs.  

I think the solution is either to widen the access or have the -i option automatically change the context of files as they are copied in and out of the temporary homedir.  

In any case, this makes a number of important uses of the sandbox not work.
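
Added example (not part of the original thread and not policycoreutils code): the Python below parses an AVC record like the one in Comment 1, decodes the hex-encoded name field, and compares the target label with the sandbox_file_t type and MCS categories the report expects. The sample record is constructed, and decode_name(), split_context() and analyse() are names chosen for this example; SELinux levels are assumed to be a single level, not a low-high range.

```python
import re

# Constructed sample modelled on the denial in Comment 1 (values made up).
SAMPLE_AVC = (
    'type=AVC msg=audit(1466013139.499:35191): avc:  denied  { read } for  '
    'pid=4242 comm="xdg-open" name=6D792066696C65322E646F63 dev="tmpfs" '
    'ino=1234 scontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c4,c1012 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'
)
EXPECTED_TYPE = "sandbox_file_t"  # type in the report's "Expected results"


def decode_name(raw):
    """audit logs names with spaces or control bytes as bare hex."""
    if raw.startswith('"'):
        return raw.strip('"')
    try:
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    except ValueError:  # not hex, e.g. name=(null)
        return raw


def split_context(ctx):
    """Split user:role:type:level (assumes a single level, not a range)."""
    _user, _role, setype, level = ctx.split(":", 3)
    _sens, _, cats = level.partition(":")
    categories = set()
    for part in filter(None, cats.split(",")):
        lo, _, hi = part.partition(".")  # "c0.c3" means c0 through c3
        first, last = int(lo[1:]), int((hi or lo)[1:])
        categories.update(f"c{n}" for n in range(first, last + 1))
    return {"type": setype, "cats": categories}


def analyse(line):
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    src = split_context(fields["scontext"])
    tgt = split_context(fields["tcontext"])
    return {
        "name": decode_name(fields["name"]),
        "perms": re.search(r"\{([^}]*)\}", line).group(1).split(),
        "source_type": src["type"],
        "target_type": tgt["type"],
        "relabelled": tgt["type"] == EXPECTED_TYPE,
        "same_categories": src["cats"] == tgt["cats"],
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_AVC))
```

A record whose target type is still the original home type and whose categories differ from the sandbox process, as in Comment 1, means the imported file kept its source label rather than taking the label of the sandbox directory.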
Comment 2 Michael De La Rue 2016-06-16 06:01:55 EDT
BTW my reproduction of this bug is for 
policycoreutils-2.4-21.fc23.x86_64

$ rpm -qi policycoreutils
Name        : policycoreutils
Version     : 2.4
Release     : 21.fc23
Architecture: x86_64
Install Date: Fri 27 May 2016 23:12:30 BST
Comment 3 Michael De La Rue 2016-06-28 09:15:10 EDT
Comment on this from the selinux mailing list (part of this mail: https://marc.info/?l=selinux&m=146662101919943&w=2):

  The files passed to -i should be copied into the temporary sandbox
  directory and inherit its context, not be labeled with the context of
  the original file.  Oddly, I see different behaviors here for F23 vs
  rawhide when using e.g. sandbox -M -i /path/to/file /bin/bash and then
  ls -Z /path/to/file.

I assume, based on that, there's a bug in Fedora 23 SELinux policy?  

This is also reported upstream at 

  https://github.com/SELinuxProject/selinux/issues/16
Comment 4 Fedora Update System 2016-10-05 16:29:41 EDT
checkpolicy-2.5-8.fc25, libselinux-2.5-12.fc25, libsemanage-2.5-8.fc25, libsepol-2.5-10.fc25, policycoreutils-2.5-17.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-b7e8e980ef
Comment 5 Fedora Update System 2016-10-06 16:59:12 EDT
checkpolicy-2.5-8.fc25, libselinux-2.5-12.fc25, libsemanage-2.5-8.fc25, libsepol-2.5-10.fc25, policycoreutils-2.5-17.fc25, secilc-2.5-6.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-b7e8e980ef
Comment 6 Fedora Update System 2016-10-10 13:43:59 EDT
checkpolicy-2.5-8.fc25, libselinux-2.5-12.fc25, libsemanage-2.5-8.fc25, libsepol-2.5-10.fc25, policycoreutils-2.5-17.fc25, secilc-2.5-6.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
