Hello everyone,
F14 (updated to latest) here. It has been a while since I last tried the sandbox feature. I now went and installed the necessary packages and tried:
sandbox -X -t sandbox_web_t firefox
but it quits right away. A message on syslog from the kernel facility shows:
avc: denied { execute_no_trans } for pid=4026 comm="xulrunner2" path="/usr/lib/xulrunner-2/xulrunner" dev=sda1 ino=393246 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c538,c991 tcontext=system_u:object_r:lib_t:s0 tclass=file
I didn't get any alert from the SEtroubleshooter...
Should I report a bug?
This is what I'm running:
selinux-policy-targeted-3.9.7-40.fc14.noarch selinux-policy-3.9.7-40.fc14.noarch policycoreutils-sandbox-2.0.85-28.fc14.i686
Regards, Jorge
On 06/01/2011 08:22 PM, Jorge Fábregas wrote:
> sandbox -X -t sandbox_web_t firefox
> but it quits right away. A message on syslog from the kernel facility shows:
Ok, now that I got the SELinux Alert Browser, here's the info:
SELinux is preventing /bin/bash from execute_no_trans access on the file /usr/lib/xulrunner-2/xulrunner.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that bash should be allowed execute_no_trans access on the xulrunner file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing:
# grep xulrunner2 /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
  Source Context: unconfined_u:unconfined_r:sandbox_web_client_t:s0:c384,c590
  Target Context: system_u:object_r:lib_t:s0
  Target Objects: /usr/lib/xulrunner-2/xulrunner [ file ]
  Source: xulrunner2
  Source Path: /bin/bash
  Port: <Unknown>
  Host: biodora.local
  Source RPM Packages: bash-4.1.7-3.fc14
  Target RPM Packages: xulrunner2-2.0.1-1.fc14.remi
  Policy RPM: selinux-policy-3.9.7-40.fc14
  Selinux Enabled: True
  Policy Type: targeted
  Enforcing Mode: Enforcing
  Host Name: biodora.local
  Platform: Linux biodora.local 2.6.35.13-91.fc14.i686 #1 SMP Tue May 3 13:36:36 UTC 2011 i686 i686
  Alert Count: 1
  First Seen: Wed 01 Jun 2011 08:25:41 PM AST
  Last Seen: Wed 01 Jun 2011 08:25:41 PM AST
  Local ID: 37b97c4a-44be-4931-a343-7f656f2ad5f1

Raw Audit Messages:
type=AVC msg=audit(1306974341.382:23913): avc: denied { execute_no_trans } for pid=4201 comm="xulrunner2" path="/usr/lib/xulrunner-2/xulrunner" dev=sda1 ino=393246 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c384,c590 tcontext=system_u:object_r:lib_t:s0 tclass=file
I guess I'm out of warranty here :>) I forgot I wasn't running the stock Firefox. I'm running the one from the REMI repo (along with xulrunner) in order to run the latest Firefox. I'll create the local policy then and would not submit any bug as I think this doesn't happen with the regular packages.
Cheers, Jorge
On Wed, 2011-06-01 at 20:36 -0400, Jorge Fábregas wrote:
> Raw Audit Messages type=AVC msg=audit(1306974341.382:23913): avc: denied { execute_no_trans } for pid=4201 comm="xulrunner2" path="/usr/lib/xulrunner-2/xulrunner" dev=sda1 ino=393246 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c384,c590 tcontext=system_u:object_r:lib_t:s0 tclass=file
> I guess I'm out of warranty here :>) I forgot I wasn't running the stock Firefox. I'm running the one from the REMI repo (along with xulrunner) in order to run the latest Firefox. I'll create the local policy then and would not submit any bug as I think this doesn't happen with the regular
See if this fixes it:
chcon -t bin_t /usr/lib/xulrunner-2/xulrunner
> Cheers, Jorge
-- 
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
On 06/02/2011 07:33 AM, Dominick Grift wrote:
> On Wed, 2011-06-01 at 20:36 -0400, Jorge Fábregas wrote:
> > Raw Audit Messages type=AVC msg=audit(1306974341.382:23913): avc: denied { execute_no_trans } for pid=4201 comm="xulrunner2" path="/usr/lib/xulrunner-2/xulrunner" dev=sda1 ino=393246 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c384,c590 tcontext=system_u:object_r:lib_t:s0 tclass=file
> > I guess I'm out of warranty here :>) I forgot I wasn't running the stock Firefox. I'm running the one from the REMI repo (along with xulrunner) in order to run the latest Firefox. I'll create the local policy then and would not submit any bug as I think this doesn't happen with the regular
> See if this fixes it:
> chcon -t bin_t /usr/lib/xulrunner-2/xulrunner
Yes, it should work.
> > Cheers, Jorge
On 06/02/2011 08:40 AM, Miroslav Grepl wrote:
> See if this fixes it:
> chcon -t bin_t /usr/lib/xulrunner-2/xulrunner
Hi Dominick,
That didn't work right away, but I noticed there's also a xulrunner-bin in there. I chcon'ed it to bin_t as well and now it works. Of course I removed my custom policy first (the one suggested by the SEtroubleshooter) in order to try this out.
I also tried restoring lib_t to xulrunner (which is simply a shell script) and left bin_t just for the binary "xulrunner-bin", but it didn't work. It wants both xulrunner and xulrunner-bin as bin_t.
Anyway that's much better than allowing the execute_no_trans on lib_t for sandbox_web_t I had.
Thank you! Jorge
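A small parser for the kind of AVC line quoted in this thread, added here as an example (not code posted by any of the participants). It pulls the permission, the source and target types and the path out of a denial and, for an execute_no_trans denial on a lib_t file, prints the relabel, pairing the non-persistent chcon from the thread with the semanage fcontext rule that survives a relabel. The AVC_SAMPLE and OTHER_SAMPLE lines are constructed to match the thread's denial format.

```shell
#!/bin/sh
# Constructed sample: same fields as the denial Jorge posted.
AVC_SAMPLE='type=AVC msg=audit(1306974341.382:23913): avc: denied { execute_no_trans } for pid=4201 comm="xulrunner2" path="/usr/lib/xulrunner-2/xulrunner" dev=sda1 ino=393246 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c384,c590 tcontext=system_u:object_r:lib_t:s0 tclass=file'
# Constructed sample of a different denial (a read of a shared library), which
# must not get the bin_t suggestion.
OTHER_SAMPLE='type=AVC msg=audit(1306974400.000:23920): avc: denied { read } for pid=4202 comm="xulrunner2" path="/usr/lib/xulrunner-2/libxul.so" dev=sda1 ino=393300 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c384,c590 tcontext=system_u:object_r:lib_t:s0 tclass=file'

# avc_field LINE KEY -> value of KEY=value, surrounding quotes stripped
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE -> the denied permission listed inside { }
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^ }]*\).*/\1/p'
}

# ctx_type CONTEXT -> the type component of user:role:type:level
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# suggest_relabel LINE -> relabel commands for the denied executable, or
# "no-suggestion" when the denial is not execute_no_trans on a lib_t file.
# Only the file named in the denial is relabelled; the thread shows that a
# wrapper script and its binary each produce their own denial, so each gets
# its own rule rather than relabelling the whole directory.
suggest_relabel() {
    _line=$1
    _path=$(avc_field "$_line" path)
    _stype=$(ctx_type "$(avc_field "$_line" scontext)")
    _ttype=$(ctx_type "$(avc_field "$_line" tcontext)")
    if [ "$(avc_perm "$_line")" = execute_no_trans ] && [ "$_ttype" = lib_t ] \
        && [ "$(avc_field "$_line" tclass)" = file ] && [ -n "$_path" ]; then
        echo "# $_stype may not execute a $_ttype file; label $_path as bin_t"
        echo "chcon -t bin_t $_path"
        echo "semanage fcontext -a -t bin_t '$_path'"
        echo "restorecon -v $_path"
    else
        echo no-suggestion
    fi
}

suggest_relabel "$AVC_SAMPLE"
suggest_relabel "$OTHER_SAMPLE"
```

The chcon line is what the thread used and is undone by the next restorecon or filesystem relabel; the semanage line records the same label as a local file-context rule so restorecon keeps it.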
On 06/02/2011 10:50 AM, Jorge Fábregas wrote:
> On 06/02/2011 08:40 AM, Miroslav Grepl wrote:
> > See if this fixes it:
> > chcon -t bin_t /usr/lib/xulrunner-2/xulrunner
> Hi Dominick,
> That didn't work right away, but I noticed there's also a xulrunner-bin in there. I chcon'ed it to bin_t as well and now it works. Of course I removed my custom policy first (the one suggested by the SEtroubleshooter) in order to try this out.
> I also tried restoring lib_t to xulrunner (which is simply a shell script) and left bin_t just for the binary "xulrunner-bin", but it didn't work. It wants both xulrunner and xulrunner-bin as bin_t.
> Anyway that's much better than allowing the execute_no_trans on lib_t for sandbox_web_t I had.
> Thank you! Jorge
Jorge, could you open a new bug? I need to fix a label for xulrunner*
Thank you.