Bug 1317046 - the sandbox -i [path] command stopped working
Summary: the sandbox -i [path] command stopped working
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: policycoreutils
Version: 23
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Petr Lautrbach 👨
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-03-11 18:55 UTC by w.chimiak
Modified: 2016-10-10 17:43 UTC (History)
4 users (show)

Fixed In Version: policycoreutils-2.5-17.fc25
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-10-10 17:43:59 UTC


Attachments (Terms of Use)

Description w.chimiak 2016-03-11 18:55:59 UTC
Description of problem: sandbox -i [path]
not working?  What happens is the security context is incorrectly done.


Version-Release number of selected component (if applicable):
rpm -q -f /usr/bin/sandbox shows I am using
policycoreutils-python-utils-2.4-20.fc23.x86_64

How reproducible:
Every time.

Steps to Reproduce:
1.% sandbox -i [path]
2.ls -Zd /tmp/.sandbox_home_[whatever]
gives
unconfined_u:object_r:sandbox_file_t:s0:cxx,cyyy .
3.BUT
%ls -Z [path] is
gives
unconfined_u:object_r:mozilla_home_t:s0 [path]

Actual results:
The imported path has the wrong security context
unconfined_u:object_r:mozilla_home_t:s0 [path]

Expected results:
unconfined_u:object_r:sandbox_file_t:s0:cxx,cyyy .

Additional info:

Comment 1 Michael De La Rue 2016-06-15 19:29:31 UTC
I can reproduce this, but only for files which are not in /tmp/.  Moving files into a temporary directory on /tmp makes things work.

What did you do:
cd
sandbox -X -i myfile2.doc xdg-open myfile2.doc

What happened:
xdg-open: no permission to read file '/home/mikedlr/myfile2.doc'

What did you expect to happen:
Sandbox should open the file 

Any other information:
$ ls -Z myfile2.doc 
unconfined_u:object_r:user_home_t:s0 myfile2.doc


The audit2why output looks like:

type=AVC msg=audit(1466013139.499:35191): avc:  denied  { read } for  pid=23595 comm="xdg-open" name=4A6F62204465736372697074696F6E202D204E65744F707320456E67696E6565722E646F6378 dev="tmpfs" ino=12073273 scontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c4,c1012 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0

	Was caused by:
		Missing type enforcement (TE) allow rule.


My suspicion is that this is because the files are on a tmpfs and sandbox has very limited access to files on a tmpfs.  

I think the solution is either to widen the access or have the -i option automatically change the context of files as they are copied in and out of the temporary homedir.  

In any case, this makes a number of important uses of the sandbox not work.

Comment 2 Michael De La Rue 2016-06-16 10:01:55 UTC
BTW my reproduction of this bug is for 
policycoreutils-2.4-21.fc23.x86_64

$ rpm -qi policycoreutils
Name        : policycoreutils
Version     : 2.4
Release     : 21.fc23
Architecture: x86_64
Install Date: Fri 27 May 2016 23:12:30 BST

Comment 3 Michael De La Rue 2016-06-28 13:15:10 UTC
comment to this from the selinux mailing list (part of this mail https://marc.info/?l=selinux&m=146662101919943&w=2) 


  The files passed to -i should be copied into the temporary sandbox
  directory and inherit its context, not be labeled with the context of
  the original file.  Oddly, I see different behaviors here for F23 vs
  rawhide when using e.g. sandbox -M -i /path/to/file /bin/bash and then
  ls -Z /path/to/file.

I assume, based on that, there's a bug in Fedora 23 SELinux policy?  

This is also reported upstream at 

  https://github.com/SELinuxProject/selinux/issues/16

Comment 4 Fedora Update System 2016-10-05 20:29:41 UTC
checkpolicy-2.5-8.fc25, libselinux-2.5-12.fc25, libsemanage-2.5-8.fc25, libsepol-2.5-10.fc25, policycoreutils-2.5-17.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-b7e8e980ef

Comment 5 Fedora Update System 2016-10-06 20:59:12 UTC
checkpolicy-2.5-8.fc25, libselinux-2.5-12.fc25, libsemanage-2.5-8.fc25, libsepol-2.5-10.fc25, policycoreutils-2.5-17.fc25, secilc-2.5-6.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-b7e8e980ef

Comment 6 Fedora Update System 2016-10-10 17:43:59 UTC
checkpolicy-2.5-8.fc25, libselinux-2.5-12.fc25, libsemanage-2.5-8.fc25, libsepol-2.5-10.fc25, policycoreutils-2.5-17.fc25, secilc-2.5-6.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.