Bug 952621 - sandbox and sandbox_net_t/sandbox_web_t types don't work
Summary: sandbox and sandbox_net_t/sandbox_web_t types don't work
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.4
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-04-16 10:29 UTC by Miroslav Hostinsky
Modified: 2013-11-21 10:22 UTC
CC List: 4 users

Fixed In Version: selinux-policy-3.7.19-210.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-11-21 10:22:48 UTC
Target Upstream Version:


Links
Red Hat Product Errata RHBA-2013:1598 (priority normal, status SHIPPED_LIVE): selinux-policy bug fix and enhancement update, last updated 2013-11-20 21:39:24 UTC

Description Miroslav Hostinsky 2013-04-16 10:29:18 UTC
Description of problem:

I have issues running sandboxed apps in sandbox_net_t (and sandbox_web_t).

When running under "Targeted" SELinux mode I get no output:

$ sandbox -t sandbox_net_t id -Z
$

When I set "Permissive" mode, I get:

$ sandbox -t sandbox_net_t id -Z
unconfined_u:unconfined_r:sandbox_net_t:s0:c71,c219
$

When running in Targeted mode with sandbox_t it works as expected:

$ sandbox -t sandbox_t id -Z
unconfined_u:unconfined_r:sandbox_t:s0:c312,c1013


Version-Release number of selected component (if applicable):

Latest RHEL 6.4 with all updates installed

How reproducible:

always reproducible

Steps to Reproduce:

$ sudo setenforce 1
$ sandbox -t sandbox_net_t id -Z
$ sudo setenforce 0
$ sandbox -t sandbox_net_t id -Z
unconfined_u:unconfined_r:sandbox_net_t:s0:c595,c720
Actual results:

When Enforcing is enabled, running under sandbox_net_t does nothing.
When Permissive is enabled, it runs as expected.

Expected results:

App should run normally in sandbox_net_t when in Enforcing mode.

Additional info:

- I am not using X sandboxing. I want to sandbox a console app with network capabilities.

- No SELinux AVC is generated when running id -Z

Comment 1 Milos Malik 2013-04-16 12:24:26 UTC
The same problem appears when running "sandbox -t sandbox_min_t id -Z". SELinux policy contains dontaudit rules which hide the AVCs. Here are the AVCs which appear after disabling dontaudit rules:
----
type=PATH msg=audit(04/16/2013 14:17:57.630:54) : item=1 name=(null) inode=1816 dev=08:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 
type=PATH msg=audit(04/16/2013 14:17:57.630:54) : item=0 name=/usr/bin/id inode=136272 dev=08:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 
type=CWD msg=audit(04/16/2013 14:17:57.630:54) :  cwd=/home/pas 
type=EXECVE msg=audit(04/16/2013 14:17:57.630:54) : argc=2 a0=/usr/bin/id a1=-Z 
type=SYSCALL msg=audit(04/16/2013 14:17:57.630:54) : arch=i386 syscall=execve success=yes exit=0 a0=953bfd0 a1=9540880 a2=bfb797b4 a3=2 items=2 ppid=1358 pid=1359 auid=pas uid=pas gid=pas euid=pas suid=pas fsuid=pas egid=pas sgid=pas fsgid=pas tty=(none) ses=2 comm=id exe=/usr/bin/id subj=unconfined_u:unconfined_r:sandbox_min_t:s0:c142,c627 key=(null) 
type=AVC msg=audit(04/16/2013 14:17:57.630:54) : avc:  denied  { read write } for  pid=1359 comm=id path=/dev/tty1 dev=devtmpfs ino=5128 scontext=unconfined_u:unconfined_r:sandbox_min_t:s0:c142,c627 tcontext=unconfined_u:object_r:user_tty_device_t:s0 tclass=chr_file 
type=AVC msg=audit(04/16/2013 14:17:57.630:54) : avc:  denied  { read write } for  pid=1359 comm=id path=/dev/tty1 dev=devtmpfs ino=5128 scontext=unconfined_u:unconfined_r:sandbox_min_t:s0:c142,c627 tcontext=unconfined_u:object_r:user_tty_device_t:s0 tclass=chr_file 
type=AVC msg=audit(04/16/2013 14:17:57.630:54) : avc:  denied  { read write } for  pid=1359 comm=id path=/dev/tty1 dev=devtmpfs ino=5128 scontext=unconfined_u:unconfined_r:sandbox_min_t:s0:c142,c627 tcontext=unconfined_u:object_r:user_tty_device_t:s0 tclass=chr_file 
type=AVC msg=audit(04/16/2013 14:17:57.630:54) : avc:  denied  { read write } for  pid=1359 comm=id name=tty1 dev=devtmpfs ino=5128 scontext=unconfined_u:unconfined_r:sandbox_min_t:s0:c142,c627 tcontext=unconfined_u:object_r:user_tty_device_t:s0 tclass=chr_file 
----
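
An added shell example (not code from the bug report or from selinux-policy) that turns the triage in this comment into reusable helpers: `context_has_type` checks whether the context printed by `id -Z` actually carries the requested sandbox type (an empty string, as in the report, counts as failure), and `summarize_avcs` collapses `ausearch -i` output into one line per distinct denial, using the four AVC records above as sample input. `live_triage` wires them to `sandbox`, `semodule -DB`/`-B` and `ausearch` for use as root on a real box; it is not exercised offline. The function names and the `-ts recent` window are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the bug report or from selinux-policy.
# Offline-testable helpers plus a live_triage wrapper for a real RHEL 6 host.
set -u

# context_has_type CONTEXT TYPE
# An SELinux context is user:role:type:level[:categories]. Returns 0 when the
# third field equals TYPE. An empty CONTEXT returns 1: that is exactly what the
# reporter saw, because id was denied the tty before it could print anything.
context_has_type() {
    ctx=$1
    want=$2
    [ -n "$ctx" ] || return 1
    type=$(printf '%s\n' "$ctx" | cut -d: -f3)
    [ "$type" = "$want" ]
}

# summarize_avcs < audit-records
# Keeps only "type=AVC ... denied" records and prints one line per distinct
# (source type -> target type, class, permissions) with a count, sorted.
# Non-AVC records (SYSCALL, PATH, CWD, EXECVE) are ignored.
summarize_avcs() {
    awk '
    /^type=AVC/ && /avc: +denied/ {
        perms = ""; sctx = ""; tctx = ""; cls = ""
        if (match($0, /[{][^}]*[}]/))
            perms = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perms)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) sctx = substr($i, 10)
            if ($i ~ /^tcontext=/) tctx = substr($i, 10)
            if ($i ~ /^tclass=/)   cls  = substr($i, 8)
        }
        split(sctx, s, ":"); split(tctx, t, ":")
        key = s[3] " -> " t[3] " " cls " { " perms " }"
        n[key]++
    }
    END { for (k in n) print n[k], k }' | sort
}

# Sample input: the SYSCALL record and the four AVC records from comment 1 of
# this bug, embedded so the helpers can be exercised without an audit daemon.
sample_avcs() {
    cat <<'EOF'
type=SYSCALL msg=audit(04/16/2013 14:17:57.630:54) : arch=i386 syscall=execve success=yes exit=0 a0=953bfd0 a1=9540880 a2=bfb797b4 a3=2 items=2 ppid=1358 pid=1359 auid=pas uid=pas gid=pas euid=pas suid=pas fsuid=pas egid=pas sgid=pas fsgid=pas tty=(none) ses=2 comm=id exe=/usr/bin/id subj=unconfined_u:unconfined_r:sandbox_min_t:s0:c142,c627 key=(null)
type=AVC msg=audit(04/16/2013 14:17:57.630:54) : avc:  denied  { read write } for  pid=1359 comm=id path=/dev/tty1 dev=devtmpfs ino=5128 scontext=unconfined_u:unconfined_r:sandbox_min_t:s0:c142,c627 tcontext=unconfined_u:object_r:user_tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(04/16/2013 14:17:57.630:54) : avc:  denied  { read write } for  pid=1359 comm=id path=/dev/tty1 dev=devtmpfs ino=5128 scontext=unconfined_u:unconfined_r:sandbox_min_t:s0:c142,c627 tcontext=unconfined_u:object_r:user_tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(04/16/2013 14:17:57.630:54) : avc:  denied  { read write } for  pid=1359 comm=id path=/dev/tty1 dev=devtmpfs ino=5128 scontext=unconfined_u:unconfined_r:sandbox_min_t:s0:c142,c627 tcontext=unconfined_u:object_r:user_tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(04/16/2013 14:17:57.630:54) : avc:  denied  { read write } for  pid=1359 comm=id name=tty1 dev=devtmpfs ino=5128 scontext=unconfined_u:unconfined_r:sandbox_min_t:s0:c142,c627 tcontext=unconfined_u:object_r:user_tty_device_t:s0 tclass=chr_file
EOF
}

# live_triage TYPE CMD...   (root, real SELinux host; not run offline)
# 1. Run `id -Z` under the requested sandbox type and verify the type took.
# 2. If the context is missing, rebuild policy with dontaudit rules disabled
#    (semodule -DB), rerun CMD, summarize the AVCs, then restore (semodule -B).
live_triage() {
    type=$1; shift
    ctx=$(sandbox -t "$type" id -Z 2>/dev/null)
    if context_has_type "$ctx" "$type"; then
        echo "ok: sandbox ran as $type"
        return 0
    fi
    echo "no context from 'sandbox -t $type'; rerunning with dontaudit disabled" >&2
    semodule -DB
    sandbox -t "$type" "$@" >/dev/null 2>&1 || true
    ausearch -i -m avc -ts recent 2>/dev/null | summarize_avcs
    semodule -B
}

# Stand-alone demo: the four identical denials collapse into one line.
sample_avcs | summarize_avcs
```

When run on the sample records this prints `4 sandbox_min_t -> user_tty_device_t chr_file { read write }`, which is the whole story of this bug in one line: the sandbox type has no read/write access to the user's tty, and the dontaudit rule kept that from showing up in the audit log.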

Comment 2 Daniel Walsh 2013-04-16 20:37:19 UTC
I guess those are ok to add.

Just realize that those types are intended to be used with sandbox -X, not regular sandbox.

sandbox_t is allowed to use all file descriptors leaked into it, while
sandbox_x_t, sandbox_net_t ... are used for sandboxing desktop apps.

5bf878c73e07a283ca5b28a4a8814aa73bae150a fixes this in git.

Comment 3 Miroslav Hostinsky 2013-04-16 20:49:20 UTC
Does this mean, that those types (sandbox_x_t, sandbox_net_t) will be supported also with console apps?

Sorry, I am unable to view that GIT commit to review it myself...

Comment 4 Daniel Walsh 2013-04-16 21:34:28 UTC
Well, they should work with the terminal, but they may or may not have the access you intend.

For example

cat RANDOMPATH/topsecret | semanage -t sandbox_net_t FILTER > PATHTORANDOM/unclassified

Will probably not work.

But 
sandbox -t sandbox_net_t nc www.redhat.com 80

Should work.

Comment 11 errata-xmlrpc 2013-11-21 10:22:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html

