LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 07-12-2019, 05:55 AM   #1
_alex_
LQ Newbie
 
Registered: Jul 2019
Distribution: CentOS - Debian
Posts: 4

Rep: Reputation: Disabled
SELinux sandbox problem with GUI app


Hello,

Newly registered to this forum although been using it for troubleshooting for quite some time.

I have an issue with the sandbox app from SELinux, when launching a command line app such as vim using command 'sandbox vim filename' vim launches in the command line, but when trying to launch a gui based app nothing launches.
I'm trying to launch firefox using command :
sandbox -X -H sandbox/ -T sandbox/tmp/ -t sandbox_web_t firefox

I'm on the latest version of CentOS 7.

Thanks in advance for your help.

Cheers,
Alex
 
Old 07-12-2019, 06:03 AM   #2
dc.901
Member
 
Registered: Aug 2018
Location: Atlanta, GA - USA
Distribution: CentOS 6-7; SuSE 8-12
Posts: 599

Rep: Reputation: 174Reputation: 174
You should look at /var/log/audit/audit.log
And, if you do not have it installed; I recommend installing package "setroubleshoot-server", then use "sealert" command.
 
Old 07-12-2019, 08:04 AM   #3
_alex_
LQ Newbie
 
Registered: Jul 2019
Distribution: CentOS - Debian
Posts: 4

Original Poster
Rep: Reputation: Disabled
I installed the package you mentioned but when running it, it says there are no alerts

in the audit log file I found the following:

type=ANOM_ABEND msg=audit(1562935893.182:430): auid=1000 uid=1000 gid=1000 ses=1 subj=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c213,c232 pid=9879 comm="Xephyr" reason="memory violation" sig=6

found nothing much googling it :-/
 
Old 07-12-2019, 08:32 AM   #4
dc.901
Member
 
Registered: Aug 2018
Location: Atlanta, GA - USA
Distribution: CentOS 6-7; SuSE 8-12
Posts: 599

Rep: Reputation: 174Reputation: 174
Quote:
Originally Posted by _alex_ View Post
I installed the package you mentioned but when running it, it says there are no alerts
Is your /var/log/audit/audit.log file empty? If not, how did you run sealert?
You should have:

Code:
sealert -a /var/log/audit/audit.log | less
 
1 members found this post helpful.
Old 07-12-2019, 02:04 PM   #5
_alex_
LQ Newbie
 
Registered: Jul 2019
Distribution: CentOS - Debian
Posts: 4

Original Poster
Rep: Reputation: Disabled
thanks dec901, you showed me the path to the solution

I do have entries in the audit log files, I was wrongly using sealert

running the command you provided, I followed the instructions proposed in the log to resolve the problem (create a policy module for Xephyr (nested X window in which firefox will be displayed) and activate it) :
Quote:
# ausearch -c 'Xephyr' --raw | audit2allow -M my-Xephyr
# semodule -i my-Xephyr.pp
I was able to launch firefox although you do feel functionalities are affected by the sandboxing

thanks again!
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Selinux Sandbox - Drag & Drop from External App Kimbundubobo Linux - Security 2 10-01-2014 02:41 AM
SELinux errors, SELinux and wine ziphem Linux - Security 10 01-27-2011 04:15 PM
Selinux-how do i find out what domains have permissions on what type?(selinux policy) vishyc88 Linux - Security 2 11-22-2010 04:27 AM
postfix and selinux [selinux updates broke postfix?] rjcroasdale Linux - Server 58 03-15-2010 02:26 AM
"../system.h :selinux/selinux.h:no such file or directory" ashmita04 Linux From Scratch 4 02-05-2009 03:36 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 08:16 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration