The blog clearly mentions that the sandbox "Can not Open or Create any files on the system" except the shared libraries.
But the current sandbox allows reading dir stuff, which I think should not be allowed:
Currently I can successfully run:
"sandbox ls /usr"
ls -Z for my /usr is:
drwxr-xr-x. root root system_u:object_r:usr_t:s0 usr
Now I used the sesearch based policy analysis tool to find the allow rules, and I
have listed a few which I can understand and think should not be there:
[1]
allow sandbox_domain default_t : file { ioctl read write getattr lock append } ;
# sandbox_t is allowed to read/write files having type default_t,
but it doesn't allow opening them, so what's the significance of {read
write}?
[2]
allow domain usr_t : dir { ioctl read getattr lock search open } ;
I added my system details, and here is the list of allowed rules:
"https://docs.google.com/document/d/1fwNXcaKUuYthiK_qEYuaZHuTzAnCTlMnWF713RgblVk/edit?usp=sharing"
I started with SELinux about 1 week back, so there might be a problem with my thinking model.
Does the above stuff make sense from a logical point of view, and should it be fixed?
Initially
I thought that I would just disallow what I don't want, but now I have
realised that SELinux is a denial-by-default model and we can only allow
stuff.
>>yum list installed | grep selinux
libselinux.x86_64 2.2.2-6.el7
libselinux-python.x86_64 2.2.2-6.el7
libselinux-utils.x86_64 2.2.2-6.el7
selinux-policy.noarch 3.12.1-153.el7_0.13
selinux-policy-devel.noarch 3.12.1-153.el7_0.13
selinux-policy-sandbox.noarch 3.12.1-153.el7_0.13
selinux-policy-targeted.noarch 3.12.1-153.el7_0.13
>> yum list installed | grep sandbox
selinux-policy-sandbox.noarch 3.12.1-153.el7_0.13
Thanks
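As an added illustration (not part of the original post or of the SELinux policy tooling), the following POSIX shell snippet parses sesearch-style allow rules and classifies each (source, target, class) triple by whether the domain can actually open the object. The rule lines are a constructed sample: the first two are the rules quoted in the post, the third is a made-up rule whose target type is an assumption. The relevant point is that in SELinux the file class has a separate `open` permission, so a rule granting `read write` without `open` only lets the domain use a descriptor it already holds (inherited or passed to it); it cannot open the file itself.

```shell
#!/bin/sh
# Constructed sample of "sesearch --allow" output. The first two rules are the
# ones quoted in the post; the third is a made-up example (assumed type name)
# of a rule that does include the open permission.
RULES='allow sandbox_domain default_t : file { ioctl read write getattr lock append } ;
allow domain usr_t : dir { ioctl read getattr lock search open } ;
allow sandbox_domain sandbox_example_t : file { ioctl read write getattr lock append open } ;'

# perms_for SOURCE TARGET CLASS
# Prints the permission list inside the braces for the matching rule, or nothing.
# Fields of a rule line: allow <source> <target> : <class> { perms... } ;
perms_for() {
    printf '%s\n' "$RULES" | awk -v s="$1" -v t="$2" -v c="$3" '
        $1 == "allow" && $2 == s && $3 == t && $5 == c {
            sub(/^.*\{ */, ""); sub(/ *\}.*$/, ""); print; exit
        }'
}

# has_perm SOURCE TARGET CLASS PERM
# Exit status 0 if PERM is granted by the matching rule, 1 otherwise.
has_perm() {
    perms=$(perms_for "$1" "$2" "$3")
    for p in $perms; do
        [ "$p" = "$4" ] && return 0
    done
    return 1
}

# classify SOURCE TARGET CLASS
# Prints:
#   none     - no read access at all
#   fd-only  - read granted but not open: usable only on an already-open descriptor
#   open     - read and open both granted: the domain can open the object itself
classify() {
    if ! has_perm "$1" "$2" "$3" read; then
        echo none
    elif has_perm "$1" "$2" "$3" open; then
        echo open
    else
        echo fd-only
    fi
}

# Stand-alone run: report on the rules from the post.
printf 'sandbox_domain -> default_t (file): %s\n' "$(classify sandbox_domain default_t file)"
printf 'domain -> usr_t (dir): %s\n' "$(classify domain usr_t dir)"
```

Run it as-is to see that rule [1] comes out as `fd-only` (read/write without open) while rule [2] comes out as `open`, which is why `ls /usr` inside the sandbox succeeds: the directory rule grants `search` and `open` to every domain. To check a real system, replace the `RULES` string with the output of `sesearch --allow -s sandbox_domain`.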