Re: Fwd: Is it possible to run chromium in a SELinux sandbox?


On 06/24/2011 02:07 PM, GSO wrote:
> 
> On 24 June 2011 13:56, Daniel J Walsh <dwalsh@xxxxxxxxxx
> <mailto:dwalsh@xxxxxxxxxx>> wrote:
> 
>     ....
>     Well I know Chrome does not run under the sandbox.  On firefox5 try to
>     turn off dontaudit rules and see if it generates any AVC messages
> 
>     # semodule -DB
>     > sandbox -X -t sandbox_web_t -W metacity firefox5
>     # ausearch -m avc -ts recent
>     # semodule -B
> 
> ----
> time->Fri Jun 24 19:03:01 2011
> type=SYSCALL msg=audit(1308938581.872:1712): arch=40000003 syscall=11 success=yes exit=0 a0=22070780 a1=2e918708 a2=0 a3=0 items=0 ppid=11813 pid=11827 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="setfiles" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1308938581.872:1712): avc:  denied  { noatsecure } for  pid=11827 comm="setfiles" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
> type=AVC msg=audit(1308938581.872:1712): avc:  denied  { siginh } for  pid=11827 comm="setfiles" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
> type=AVC msg=audit(1308938581.872:1712): avc:  denied  { rlimitinh } for  pid=11827 comm="setfiles" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
> ----
> time->Fri Jun 24 19:04:59 2011
> type=SYSCALL msg=audit(1308938699.627:1714): arch=40000003 syscall=11 success=yes exit=0 a0=8b92188 a1=8b921a0 a2=8b93ba8 a3=8b921a0 items=0 ppid=11832 pid=11839 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="Xephyr" exe="/usr/bin/Xephyr" subj=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c396,c934 key=(null)
> type=AVC msg=audit(1308938699.627:1714): avc:  denied  { noatsecure } for  pid=11839 comm="Xephyr" scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 tcontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c396,c934 tclass=process
> type=AVC msg=audit(1308938699.627:1714): avc:  denied  { siginh } for  pid=11839 comm="Xephyr" scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 tcontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c396,c934 tclass=process
> type=AVC msg=audit(1308938699.627:1714): avc:  denied  { rlimitinh } for  pid=11839 comm="Xephyr" scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 tcontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c396,c934 tclass=process
> ----
> time->Fri Jun 24 19:05:00 2011
> type=SYSCALL msg=audit(1308938700.103:1715): arch=40000003 syscall=11 success=yes exit=0 a0=8b93ef0 a1=8b92d90 a2=8b93db0 a3=8b92d90 items=0 ppid=11840 pid=11846 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="start" exe="/usr/bin/python" subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 key=(null)
> type=AVC msg=audit(1308938700.103:1715): avc:  denied  { noatsecure } for  pid=11846 comm="start" scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 tcontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 tclass=process
> type=AVC msg=audit(1308938700.103:1715): avc:  denied  { siginh } for  pid=11846 comm="start" scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 tcontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 tclass=process
> type=AVC msg=audit(1308938700.103:1715): avc:  denied  { rlimitinh } for  pid=11846 comm="start" scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 tcontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 tclass=process
> ----
> time->Fri Jun 24 19:04:59 2011
> type=SYSCALL msg=audit(1308938699.592:1713): arch=40000003 syscall=11 success=yes exit=0 a0=bf99f5ed a1=bf99e7f4 a2=20a04f28 a3=0 items=0 ppid=11831 pid=11832 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="sandboxX.sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 key=(null)
> type=AVC msg=audit(1308938699.592:1713): avc:  denied  { read write } for  pid=11832 comm="sandboxX.sh" path="/dev/pts/0" dev=devpts ino=3 scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
> type=AVC msg=audit(1308938699.592:1713): avc:  denied  { read write } for  pid=11832 comm="sandboxX.sh" path="/dev/pts/0" dev=devpts ino=3 scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
> type=AVC msg=audit(1308938699.592:1713): avc:  denied  { read write } for  pid=11832 comm="sandboxX.sh" path="/dev/pts/0" dev=devpts ino=3 scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
> ----
> time->Fri Jun 24 19:05:00 2011
> type=SYSCALL msg=audit(1308938700.685:1716): arch=40000003 syscall=5 success=no exit=-13 a0=71c252 a1=8000 a2=1b6 a3=0 items=0 ppid=11853 pid=11854 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="dbus-daemon" exe="/bin/dbus-daemon" subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 key=(null)
> type=AVC msg=audit(1308938700.685:1716): avc:  denied  { read } for  pid=11854 comm="dbus-daemon" name="config" dev=dm-2 ino=32330 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
> ----
> time->Fri Jun 24 19:05:00 2011
> type=SYSCALL msg=audit(1308938700.693:1717): arch=40000003 syscall=11 success=no exit=-13 a0=bfde9f06 a1=8e2c058 a2=8e37ad8 a3=8e37ad8 items=0 ppid=11848 pid=11852 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="dbus-launch" exe="/usr/bin/dbus-launch" subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 key=(null)
> type=AVC msg=audit(1308938700.693:1717): avc:  denied  { execute } for  pid=11852 comm="dbus-launch" name="firefox" dev=dm-2 ino=263286 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
> 
> 
chcon -t bin_t firefox

Is what it is complaining about.


--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
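As an added example (not code from the thread or from the SELinux sandbox tooling), here is the triage the reply does by eye, written out: parse the quoted audit records, pair each AVC with its SYSCALL record by audit serial so that only denials behind a real failure (success=no, exit=-13) count, drop the inherit-on-exec noise that `semodule -DB` exposed, and derive the relabel. The sample records are abridged copies of three events quoted above; the function names are the example's own.

```python
import re
from collections import defaultdict
# Constructed sample: abridged audit serials 1714, 1716 and 1717 from the thread.
SAMPLE = """\
type=SYSCALL msg=audit(1308938699.627:1714): syscall=11 success=yes exit=0 comm="Xephyr"
type=AVC msg=audit(1308938699.627:1714): avc:  denied  { noatsecure } for  pid=11839 comm="Xephyr" scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 tcontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c396,c934 tclass=process
type=SYSCALL msg=audit(1308938700.685:1716): syscall=5 success=no exit=-13 comm="dbus-daemon"
type=AVC msg=audit(1308938700.685:1716): avc:  denied  { read } for  pid=11854 comm="dbus-daemon" name="config" scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=SYSCALL msg=audit(1308938700.693:1717): syscall=11 success=no exit=-13 comm="dbus-launch"
type=AVC msg=audit(1308938700.693:1717): avc:  denied  { execute } for  pid=11852 comm="dbus-launch" name="firefox" scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
"""
SERIAL = re.compile(r"msg=audit\([\d.]+:(\d+)\)")
PERMS = re.compile(r"denied\s+\{ ([^}]+) \}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Inherit-on-exec checks the policy normally dontaudits; visible only because of `semodule -DB`.
NOISE = {"noatsecure", "siginh", "rlimitinh"}

def parse(text):
    """Group SYSCALL and AVC records by their audit serial number."""
    events = defaultdict(lambda: {"syscall": None, "avcs": []})
    for line in text.splitlines():
        m = SERIAL.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        ev = events[m.group(1)]
        if fields.get("type") == "SYSCALL":
            ev["syscall"] = fields
        elif fields.get("type") == "AVC":
            fields["perms"] = PERMS.search(line).group(1).split()
            ev["avcs"].append(fields)
    return events

def triage(text):
    """(source type, target type, class, perm, name) for non-noise denials whose syscall failed."""
    hits = []
    for ev in parse(text).values():
        sc = ev["syscall"]
        if sc is None or sc.get("success") != "no":
            continue
        for avc in ev["avcs"]:
            src, tgt = (avc[k].split(":")[2] for k in ("scontext", "tcontext"))
            hits += [(src, tgt, avc["tclass"], p, avc.get("name"))
                     for p in avc["perms"] if p not in NOISE]
    return hits

def fix_hint(hit):
    """The relabel from the reply: sandbox domains may not execute usr_t files."""
    _, tgt, tclass, perm, name = hit
    return f"chcon -t bin_t {name}" if (tclass, perm, tgt) == ("file", "execute", "usr_t") else None
```

Running `triage(SAMPLE)` leaves two real denials, and only the execute denial on the usr_t-labelled firefox binary maps to the `chcon -t bin_t firefox` the reply gives; the selinux_config_t read by dbus-daemon is a separate, harmless denial.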
