On 24 June 2011 13:56, Daniel J Walsh <dwalsh(a)redhat.com> wrote:
....
Well I know Chrome does not run under the sandbox. On firefox5 try turning off the dontaudit rules (`semodule -DB` rebuilds the policy with them disabled; `semodule -B` re-enables them afterwards) and see whether it generates any AVC messages. With dontaudit off, denials that are normally hidden show up as well, so read each AVC together with its SYSCALL record: a denial whose syscall still reports success=yes is not what is blocking the sandbox, whereas success=no exit=-13 (EACCES) is.
# semodule -DB
> sandbox -X -t sandbox_web_t -W metacity firefox5
# ausearch -m avc -ts recent
# semodule -B
----
time->Fri Jun 24 19:03:01 2011
type=SYSCALL msg=audit(1308938581.872:1712): arch=40000003 syscall=11
success=yes exit=0 a0=22070780 a1=2e918708 a2=0 a3=0 items=0
ppid=11813 pid=11827 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts1 ses=1 comm="setfiles" exe="/sbin/setfiles"
subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1308938581.872:1712): avc: denied { noatsecure }
for pid=11827 comm="setfiles"
scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023
tclass=process
type=AVC msg=audit(1308938581.872:1712): avc: denied { siginh } for
pid=11827 comm="setfiles"
scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023
tclass=process
type=AVC msg=audit(1308938581.872:1712): avc: denied { rlimitinh }
for pid=11827 comm="setfiles"
scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023
tclass=process
----
time->Fri Jun 24 19:04:59 2011
type=SYSCALL msg=audit(1308938699.627:1714): arch=40000003 syscall=11
success=yes exit=0 a0=8b92188 a1=8b921a0 a2=8b93ba8 a3=8b921a0 items=0
ppid=11832 pid=11839 auid=500 uid=500 gid=500 euid=500 suid=500
fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="Xephyr"
exe="/usr/bin/Xephyr"
subj=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c396,c934
key=(null)
type=AVC msg=audit(1308938699.627:1714): avc: denied { noatsecure }
for pid=11839 comm="Xephyr"
scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934
tcontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c396,c934
tclass=process
type=AVC msg=audit(1308938699.627:1714): avc: denied { siginh } for
pid=11839 comm="Xephyr"
scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934
tcontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c396,c934
tclass=process
type=AVC msg=audit(1308938699.627:1714): avc: denied { rlimitinh }
for pid=11839 comm="Xephyr"
scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934
tcontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c396,c934
tclass=process
----
time->Fri Jun 24 19:05:00 2011
type=SYSCALL msg=audit(1308938700.103:1715): arch=40000003 syscall=11
success=yes exit=0 a0=8b93ef0 a1=8b92d90 a2=8b93db0 a3=8b92d90 items=0
ppid=11840 pid=11846 auid=500 uid=500 gid=500 euid=500 suid=500
fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="start"
exe="/usr/bin/python"
subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934
key=(null)
type=AVC msg=audit(1308938700.103:1715): avc: denied { noatsecure }
for pid=11846 comm="start"
scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934
tcontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934
tclass=process
type=AVC msg=audit(1308938700.103:1715): avc: denied { siginh } for
pid=11846 comm="start"
scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934
tcontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934
tclass=process
type=AVC msg=audit(1308938700.103:1715): avc: denied { rlimitinh }
for pid=11846 comm="start"
scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934
tcontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934
tclass=process
----
time->Fri Jun 24 19:04:59 2011
type=SYSCALL msg=audit(1308938699.592:1713): arch=40000003 syscall=11
success=yes exit=0 a0=bf99f5ed a1=bf99e7f4 a2=20a04f28 a3=0 items=0
ppid=11831 pid=11832 auid=500 uid=500 gid=500 euid=500 suid=500
fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1
comm="sandboxX.sh" exe="/bin/bash"
subj=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934 key=(null)
type=AVC msg=audit(1308938699.592:1713): avc: denied { read write }
for pid=11832 comm="sandboxX.sh" path="/dev/pts/0" dev=devpts ino=3
scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934
tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1308938699.592:1713): avc: denied { read write }
for pid=11832 comm="sandboxX.sh" path="/dev/pts/0" dev=devpts ino=3
scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934
tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1308938699.592:1713): avc: denied { read write }
for pid=11832 comm="sandboxX.sh" path="/dev/pts/0" dev=devpts ino=3
scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c396,c934
tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
----
time->Fri Jun 24 19:05:00 2011
type=SYSCALL msg=audit(1308938700.685:1716): arch=40000003 syscall=5
success=no exit=-13 a0=71c252 a1=8000 a2=1b6 a3=0 items=0 ppid=11853
pid=11854 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500
egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="dbus-daemon"
exe="/bin/dbus-daemon"
subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934
key=(null)
type=AVC msg=audit(1308938700.685:1716): avc: denied { read } for
pid=11854 comm="dbus-daemon" name="config" dev=dm-2 ino=32330
scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934
tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
----
time->Fri Jun 24 19:05:00 2011
type=SYSCALL msg=audit(1308938700.693:1717): arch=40000003 syscall=11
success=no exit=-13 a0=bfde9f06 a1=8e2c058 a2=8e37ad8 a3=8e37ad8
items=0 ppid=11848 pid=11852 auid=500 uid=500 gid=500 euid=500
suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1
comm="dbus-launch" exe="/usr/bin/dbus-launch"
subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934
key=(null)
type=AVC msg=audit(1308938700.693:1717): avc: denied { execute } for
pid=11852 comm="dbus-launch" name="firefox" dev=dm-2 ino=263286
scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c396,c934
tcontext=unconfined_u:object_r:usr_t:s0 tclass=file

(Only the last two records, 1716 and 1717, have a SYSCALL line with success=no exit=-13, i.e. the open and the exec actually failed with EACCES; every other record here reports success=yes, so the noatsecure/siginh/rlimitinh denials on the domain transitions and the /dev/pts denials are normally-dontaudited noise, not the cause. The blocking one appears to be 1717: the firefox binary being launched is labeled usr_t rather than an executable file type, so sandbox_web_client_t is not allowed to execute it.)