Re: redirect stdout and stderr to different file under sandboxing in linux

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Try

semodule -e sandbox

We disable sandbox policy by default.


On 05/28/2015 01:48 PM, Bhuvan Gupta wrote:
Running following command gives the below AVC
>>>sandbox ./a.out 2>err 

SELinux is preventing /a.out from write access on the file .

*****  Plugin leaks (86.2 confidence) suggests   *****************************

If you want to ignore a.out trying to write access the  file, because you believe it should not need this access.
Then you should report this as a bug.  
You can generate a local policy module to dontaudit this access.
Do
# grep /a.out /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

*****  Plugin catchall (14.7 confidence) suggests   **************************

If you believe that a.out should be allowed write access on the  file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep a.out /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:sandbox_t:s0:c296,c597
Target Context                unconfined_u:object_r:etc_runtime_t:s0
Target Objects                 [ file ]
Source                        a.out
Source Path                   /a.out
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-23.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.10.0-121.el7.x86_64
                              #1 SMP Tue Apr 8 10:48:19 EDT 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2015-05-28 23:11:59 IST
Last Seen                     2015-05-28 23:11:59 IST
Local ID                      cd5a2639-5a52-4b0f-95e1-bf3d3c965dd4

Raw Audit Messages
type=AVC msg=audit(1432834919.99:391): avc:  denied  { write } for  pid=2626 comm="a.out" path="/err" dev="dm-0" ino=736779 scontext=unconfined_u:unconfined_r:sandbox_t:s0:c296,c597 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file


type=SYSCALL msg=audit(1432834919.99:391): arch=x86_64 syscall=execve success=yes exit=0 a0=330a3f0 a1=330eaa0 a2=7fff6a67fe50 a3=7fff6a67e840 items=0 ppid=2625 pid=2626 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=a.out exe=/a.out subj=unconfined_u:unconfined_r:sandbox_t:s0:c296,c597 key=(null)

Hash: a.out,sandbox_t,etc_runtime_t,file,write


Thanks
Bhuvan


On Thu, May 28, 2015 at 3:53 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
What AVC's are you seeing?

audit2allow -la


On 05/23/2015 07:19 AM, Bhuvan Gupta wrote:
MORE INFO

content of Test.cpp
#include<stdio>
 int main(void) {
  fprintf(stderr,"error/n");
  return 0;
 }

compile it and now
./a.out 
print error to console

./a.out 2> err
print to err file

sandbox ./a.out 2>err
nothing gets printed on console or in err file.
Is sandbox is eating it up ?

Thanks
Bhuvan




On Sat, May 23, 2015 at 4:02 PM, Bhuvan Gupta <bhuvangu@xxxxxxxxx> wrote:
EXTRA INFO:

even if i run 
sandbox ./a.out

Even then it doesnt print floating point error on console

On Sat, May 23, 2015 at 3:40 PM, Bhuvan Gupta <bhuvangu@xxxxxxxxx> wrote:
Hello All,

I have an Test.cpp which is run under sandbox(RHEL7):

Test.cpp content:
#include<stdio>
 int main(void) {
  int a = 1/0;
  return 0;
 }

compile it using gcc(4.8) Test.cpp which produces the a.out
Now running a.out prints floating pointing exception on console

Now i thought that if i redirect stderr to a file, i expect the error to be printed in file.
But that is not the case it still continue to print in console.
Googling reveal that under such exception the program is terminated immediately and if you capture the stderr of bash then it should redirect.
So i run
su -c ./a.out 2>err 
Bingo error get printed in err file.

Now the MAIN GAME STARTS
i want to run it under sandbox 
so i run:
su -c 'sandbox ./a.out 1>out 2>err'
But there is nothing printed in err file or in console.

How to capture stdout and stderr under such situation ?


Thanks
Bhuvan




--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux



--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux