Hide Forgot
Each of the following command lines produces at least 1 AVC or USER_AVC when executed by an ordinary user on RHEL-6.0 machine. I would like to ask which of these AVCs are expected/desirable ? Some kind of matrix with expected results would be appreciated. * sandbox -M ksh * sandbox -M tcsh * sandbox -M zsh * sandbox -M ping 127.0.0.1 * sandbox -M ping6 ::1 * sandbox -M traceroute 127.0.0.1 * sandbox -M traceroute6 ::1 * sandbox -X xterm -e 'top -d1' * sandbox -X xterm -e 'ps ax' * sandbox -M dmesg * sandbox -M quota -ugv * sandbox -X xterm -e df * sandbox -X xterm -e mount * sandbox -X xterm -e w * sandbox -X xterm -e who * sandbox -X xterm -e seinfo * sandbox -X sealert * sandbox -X xterm -e 'udisks --dump' Version-Release number of selected component (if applicable): policycoreutils-2.0.83-19.7.el6_0.i686 policycoreutils-debuginfo-2.0.83-19.7.el6_0.i686 policycoreutils-gui-2.0.83-19.7.el6_0.i686 policycoreutils-newrole-2.0.83-19.7.el6_0.i686 policycoreutils-python-2.0.83-19.7.el6_0.i686 policycoreutils-sandbox-2.0.83-19.7.el6_0.i686 selinux-policy-3.7.19-54.el6_0.5.noarch selinux-policy-doc-3.7.19-54.el6_0.5.noarch selinux-policy-minimum-3.7.19-54.el6_0.5.noarch selinux-policy-mls-3.7.19-54.el6_0.5.noarch selinux-policy-targeted-3.7.19-54.el6_0.5.noarch
sandbox -M should not allow open to much of anything. The idea here is to allow stdin/stout and no opens. sandbox -X xterm should be a very confined app that should not be able to look at much of the running system. So commands like ps and top should blow up. sandbox -X should be more about running apps on the desktop.
Open if you believe any of these should be allowed in the default sandbox.
Or dontaudited