Description of problem:
sandbox allows applications to open files such as /etc/passwd and files in /opt and possibly elsewhere. /home, /tmp, /var are still correctly locked down. Perhaps this was an intentional policy change, but the man page for sandbox still says that the default sandbox domain does not allow applications to open files except stdin, stdout, and fd's passed to it.

Version-Release number of selected component (if applicable):
selinux-policy-3.9.16-32.fc15.noarch
policycoreutils-2.0.86-7.fc15.i686

How reproducible:
Always.

Steps to Reproduce:
1. Install Fedora 15 with policycoreutils
2. sandbox wc /etc/passwd
3.

Actual results:
$ sandbox wc /etc/passwd
  36   51 1722 /etc/passwd

Expected results:
Expected to get an AVC denial on the attempt to open /etc/passwd.

Additional info:
$ uname -a
Linux vertex.home 2.6.38.8-35.fc15.i686 #1 SMP Wed Jul 6 14:46:26 UTC 2011 i686 i686 i386 GNU/Linux
$ rpm -qa | grep policy
selinux-policy-targeted-3.9.16-32.fc15.noarch
selinux-policy-3.9.16-32.fc15.noarch
policycoreutils-2.0.86-7.fc15.i686
policycoreutils-sandbox-2.0.86-7.fc15.i686
polkit-desktop-policy-0.101-6.fc15.noarch
policycoreutils-gui-2.0.86-7.fc15.i686
checkpolicy-2.0.23-3.fc15.i686
policycoreutils-python-2.0.86-7.fc15.i686
$ sandbox id -Z
unconfined_u:unconfined_r:sandbox_t:s0:c80,c525
$ sandbox touch test
/bin/touch: cannot touch `test': Permission denied
Well, actually it is a little looser than that. The man page should state that it allows the open of files/executables that are installed on the system, but does not allow write to these objects.

# sesearch -A -s sandbox_t -p open -c file
Found 18 semantic av rules:
allow domain abrt_var_run_t : file { ioctl read getattr lock open } ;
allow sandbox_domain usr_t : file { ioctl read getattr lock open } ;
allow sandbox_domain var_t : file { ioctl read getattr lock open } ;
allow sandbox_domain locale_t : file { ioctl read getattr lock open } ;
allow sandbox_t sandbox_t : file { ioctl read write getattr lock append open } ;
allow domain sysctl_crypto_t : file { ioctl read getattr lock open } ;
allow domain abrt_t : file { ioctl read getattr lock open } ;
allow domain lib_t : file { ioctl read getattr lock execute open } ;
allow sandbox_domain sandbox_file_t : file { ioctl read write create getattr setattr lock append unlink link rename execute execute_no_trans open } ;
allow domain abrt_helper_exec_t : file { read getattr execute open } ;
allow domain ld_so_t : file { ioctl read getattr execute open } ;
allow sandbox_domain configfile : file { ioctl read getattr lock open } ;
allow domain textrel_shlib_t : file { ioctl read getattr execute execmod open } ;
allow domain rpm_script_tmp_t : file { ioctl read getattr lock open } ;
allow domain sosreport_tmp_t : file { ioctl getattr lock append open } ;
allow domain rpm_tmp_t : file { ioctl getattr lock append open } ;
allow sandbox_domain exec_type : file { ioctl read getattr lock execute execute_no_trans open } ;
allow domain ld_so_cache_t : file { ioctl read getattr lock open } ;

These are the types that sandbox_t is allowed to open: mainly executables, shared libraries and config files. If you look at what files it is allowed to write and open, it gets much smaller.
# sesearch -A -s sandbox_t -p open -c file | grep write
allow sandbox_t sandbox_t : file { ioctl read write getattr lock append open } ;
allow sandbox_domain sandbox_file_t : file { ioctl read write create getattr setattr lock append unlink link rename execute execute_no_trans open } ;

sandbox_t is the label of its processes under /proc.
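To make the "what can sandbox_t actually modify" check repeatable, here is an added example (my own code, not part of the bug report or of policycoreutils) that parses sesearch output and filters the allow rules by permission. The input is the 18 rules quoted in the comment above, embedded as a constant rather than re-run, so it works on a box without SELinux tools; function names and the `MUTATING` permission set are my own choices. Two things it surfaces that a plain `grep write` does not: `sosreport_tmp_t` and `rpm_tmp_t` are reachable with `append` (via the `domain` attribute) even though they carry no `write`, and targets such as `configfile` and `exec_type` are attributes, so each of those lines stands for every type carrying that attribute.

```python
import re
from typing import Dict, List, Set

# Constructed sample: the 18 rules sesearch printed in the comment above,
# copied from the page rather than re-run on a live system.
SAMPLE = """Found 18 semantic av rules:
allow domain abrt_var_run_t : file { ioctl read getattr lock open } ;
allow sandbox_domain usr_t : file { ioctl read getattr lock open } ;
allow sandbox_domain var_t : file { ioctl read getattr lock open } ;
allow sandbox_domain locale_t : file { ioctl read getattr lock open } ;
allow sandbox_t sandbox_t : file { ioctl read write getattr lock append open } ;
allow domain sysctl_crypto_t : file { ioctl read getattr lock open } ;
allow domain abrt_t : file { ioctl read getattr lock open } ;
allow domain lib_t : file { ioctl read getattr lock execute open } ;
allow sandbox_domain sandbox_file_t : file { ioctl read write create getattr setattr lock append unlink link rename execute execute_no_trans open } ;
allow domain abrt_helper_exec_t : file { read getattr execute open } ;
allow domain ld_so_t : file { ioctl read getattr execute open } ;
allow sandbox_domain configfile : file { ioctl read getattr lock open } ;
allow domain textrel_shlib_t : file { ioctl read getattr execute execmod open } ;
allow domain rpm_script_tmp_t : file { ioctl read getattr lock open } ;
allow domain sosreport_tmp_t : file { ioctl getattr lock append open } ;
allow domain rpm_tmp_t : file { ioctl getattr lock append open } ;
allow sandbox_domain exec_type : file { ioctl read getattr lock execute execute_no_trans open } ;
allow domain ld_so_cache_t : file { ioctl read getattr lock open } ;
"""

# One sesearch rule: "allow <source> <target> : <class> { perm perm ... } ;"
RULE_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)\s*\{(?P<perms>[^}]*)\}\s*;"
)

# Permissions that let the subject change the object (my own grouping).
MUTATING: Set[str] = {"write", "append", "create", "unlink", "link", "rename", "setattr"}


def parse_sesearch(text: str) -> List[Dict[str, object]]:
    """Turn sesearch -A output into a list of rule dicts; non-rule lines are skipped."""
    rules: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append({
                "source": m["src"],          # domain, sandbox_domain, or the type itself
                "target": m["tgt"],          # a type, or an attribute such as exec_type
                "class": m["cls"],
                "perms": set(m["perms"].split()),
            })
    return rules


def targets_with(rules: List[Dict[str, object]], required: Set[str]) -> List[str]:
    """Targets whose rule grants every permission in `required`."""
    return sorted({r["target"] for r in rules if required <= r["perms"]})


def targets_with_any(rules: List[Dict[str, object]], any_of: Set[str]) -> List[str]:
    """Targets whose rule grants at least one permission in `any_of`."""
    return sorted({r["target"] for r in rules if r["perms"] & any_of})


if __name__ == "__main__":
    rules = parse_sesearch(SAMPLE)
    print("openable targets:", len(targets_with(rules, {"open"})))
    print("open+write:", targets_with(rules, {"open", "write"}))
    print("any mutating perm:", targets_with_any(rules, MUTATING))
```

On a live system the same functions can be fed `subprocess.check_output(["sesearch", "-A", "-s", "sandbox_t", "-c", "file"])`; to see which concrete types hide behind an attribute target, run `seinfo -a<attribute> -x` and treat each listed type as reachable with that rule's permissions.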
Since this version of Fedora is no longer supported I am closing this bug. If you are still seeing this bug in a current version of Fedora, please reopen the bugzilla with the appropriate version number.