Running the following command gives the AVC below:
>>>sandbox ./a.out 2>err
SELinux is preventing /a.out from write access on the file .
***** Plugin leaks (86.2 confidence) suggests *****************************
If you want to ignore a.out trying to write access the file, because you believe it should not need this access.
Then you should report this as a bug.
You can generate a local policy module to dontaudit this access.
Do
# grep /a.out /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp
***** Plugin catchall (14.7 confidence) suggests **************************
If you believe that a.out should be allowed write access on the file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep a.out /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context unconfined_u:unconfined_r:sandbox_t:s0:c296,c597
Target Context unconfined_u:object_r:etc_runtime_t:s0
Target Objects [ file ]
Source a.out
Source Path /a.out
Port <Unknown>
Host localhost.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-23.el7.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 3.10.0-121.el7.x86_64
#1 SMP Tue Apr 8 10:48:19 EDT 2014 x86_64 x86_64
Alert Count 1
First Seen 2015-05-28 23:11:59 IST
Last Seen 2015-05-28 23:11:59 IST
Local ID cd5a2639-5a52-4b0f-95e1-bf3d3c965dd4
Raw Audit Messages
type=AVC msg=audit(1432834919.99:391): avc: denied { write } for pid=2626 comm="a.out" path="/err" dev="dm-0" ino=736779 scontext=unconfined_u:unconfined_r:sandbox_t:s0:c296,c597 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file
type=SYSCALL msg=audit(1432834919.99:391): arch=x86_64 syscall=execve success=yes exit=0 a0=330a3f0 a1=330eaa0 a2=7fff6a67fe50 a3=7fff6a67e840 items=0 ppid=2625 pid=2626 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=a.out exe=/a.out subj=unconfined_u:unconfined_r:sandbox_t:s0:c296,c597 key=(null)
Hash: a.out,sandbox_t,etc_runtime_t,file,write
Thanks
Bhuvan
On Thu, May 28, 2015 at 3:53 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
What AVC's are you seeing?
audit2allow -la
On 05/23/2015 07:19 AM, Bhuvan Gupta wrote:
MORE INFO
content of Test.cpp:

    #include <stdio.h>

    int main(void) {
        fprintf(stderr, "error\n");   /* write one line to stderr */
        return 0;
    }

compile it, and now:
./a.out prints error to console
./a.out 2> err prints to err file
sandbox ./a.out 2>err: nothing gets printed on console or in err file. Is sandbox eating it up?
Thanks
Bhuvan
On Sat, May 23, 2015 at 4:02 PM, Bhuvan Gupta <bhuvangu@xxxxxxxxx> wrote:
EXTRA INFO:
even if I run: sandbox ./a.out
Even then it doesn't print the floating point error on console
On Sat, May 23, 2015 at 3:40 PM, Bhuvan Gupta <bhuvangu@xxxxxxxxx> wrote:
Hello All,
I have a Test.cpp which is run under sandbox (RHEL7):
Test.cpp content:

    #include <stdio.h>

    int main(void) {
        int a = 1/0;   /* deliberate division by zero to raise SIGFPE */
        return 0;
    }

compile it using gcc (4.8) Test.cpp, which produces a.out. Now running a.out prints "Floating point exception" on console.
Now I thought that if I redirect stderr to a file, I expect the error to be printed in the file. But that is not the case; it still continues to print on console. Googling reveals that under such an exception the program is terminated immediately, and if you capture the stderr of bash then it should redirect. So I run:
    su -c ./a.out 2>err
Bingo, error gets printed in err file.
Now the MAIN GAME STARTS: I want to run it under sandbox, so I run:
    su -c 'sandbox ./a.out 1>out 2>err'
But there is nothing printed in err file or on console.
How to capture stdout and stderr under such a situation?
Thanks
Bhuvan
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
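The raw audit messages in the thread already explain where the redirected output went, and this note is an added aside, not part of any message above: the AVC is paired with a SYSCALL record for an execve that succeeded. When a process changes SELinux domain on exec, the kernel re-checks every inherited open file descriptor against the new domain and replaces any descriptor the new domain may not use with /dev/null. Here the shell opened /err before sandbox ran; a file created in / is labelled etc_runtime_t, sandbox_t is not allowed to write that type, so stderr was silently swapped for /dev/null and the file stays empty. The script below is an added example, not code from the thread, from the sandbox utility or from setroubleshoot: it parses the two records quoted above (embedded as a constructed sample copied from the thread), groups them by audit serial, and flags exactly that inherited-descriptor-at-exec pattern. The field names it reads are the audit record's own; the classification rule is a heuristic of my own.

```python
import re

# Raw audit records as quoted in the thread above, embedded here as the
# constructed sample input for this example.
SAMPLE_RECORDS = """\
type=AVC msg=audit(1432834919.99:391): avc: denied { write } for pid=2626 comm="a.out" path="/err" dev="dm-0" ino=736779 scontext=unconfined_u:unconfined_r:sandbox_t:s0:c296,c597 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file
type=SYSCALL msg=audit(1432834919.99:391): arch=x86_64 syscall=execve success=yes exit=0 a0=330a3f0 a1=330eaa0 a2=7fff6a67fe50 a3=7fff6a67e840 items=0 ppid=2625 pid=2626 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=a.out exe=/a.out subj=unconfined_u:unconfined_r:sandbox_t:s0:c296,c597 key=(null)
"""

_HEADER = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
_AVC = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Object classes a process reaches through an open file descriptor, and the
# permissions the kernel re-validates on those descriptors at exec time.
FD_CLASSES = {"file", "dir", "chr_file", "blk_file", "fifo_file", "sock_file", "lnk_file"}
FD_PERMS = {"read", "write", "append"}


def parse_fields(text):
    """Turn 'k=v k="quoted v"' into a dict, stripping the quotes."""
    return {k: v.strip('"') for k, v in _FIELD.findall(text)}


def context_type(ctx):
    """Type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_records(text):
    """Group AVC and SYSCALL records by audit serial so they can be read together."""
    events = {}
    for line in text.splitlines():
        m = _HEADER.match(line.strip())
        if not m:
            continue
        ev = events.setdefault(m["serial"], {"avc": [], "syscall": None})
        if m["type"] == "AVC":
            a = _AVC.search(m["body"])
            if a:
                rec = parse_fields(a["fields"])
                rec["perms"] = a["perms"].split()
                ev["avc"].append(rec)
        elif m["type"] == "SYSCALL":
            ev["syscall"] = parse_fields(m["body"])
    return events


def explain(event):
    """Summarise each denial in one event and flag the inherited-fd-at-exec pattern."""
    sc = event["syscall"] or {}
    out = []
    for avc in event["avc"]:
        d = {
            "source_type": context_type(avc["scontext"]),
            "target_type": context_type(avc["tcontext"]),
            "tclass": avc["tclass"],
            "perms": avc["perms"],
            "path": avc.get("path"),
            "syscall": sc.get("syscall"),
        }
        # Heuristic (my own): a read/write/append denial on an fd-backed object,
        # logged against an execve, is the kernel re-checking a descriptor the
        # parent opened (here the shell's 2>err) against the new domain.
        d["inherited_fd_at_exec"] = (
            d["syscall"] == "execve"
            and d["tclass"] in FD_CLASSES
            and bool(FD_PERMS & set(d["perms"]))
        )
        out.append(d)
    return out


def describe(d):
    """One-line human reading of a summary produced by explain()."""
    base = "%s may not %s %s %s (type %s)" % (
        d["source_type"], ",".join(d["perms"]), d["tclass"], d["path"], d["target_type"])
    if d["inherited_fd_at_exec"]:
        base += ("; the descriptor was inherited across execve, so the kernel "
                 "replaced it with /dev/null and the output is silently lost")
    return base


if __name__ == "__main__":
    for serial, ev in parse_records(SAMPLE_RECORDS).items():
        for d in explain(ev):
            print(serial, describe(d))
```

On the affected host the same records come from `ausearch -m AVC -ts recent`, `ls -Z /err` confirms the etc_runtime_t label on the redirect target, and `sesearch --allow -s sandbox_t -c file -p write` lists the file types sandbox_t may actually write, which is where the file behind `2>err` has to live for the descriptor to survive the transition.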