From patchwork Mon Sep 19 18:02:20 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Petr Lautrbach <plautrba@redhat.com>
X-Patchwork-Id: 9340301
Return-Path: <selinux-bounces@tycho.nsa.gov>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	30340601C2 for <patchwork-selinux@patchwork.kernel.org>;
	Mon, 19 Sep 2016 18:06:28 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 27756295A7
	for <patchwork-selinux@patchwork.kernel.org>;
	Mon, 19 Sep 2016 18:06:28 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 1BBF2295FF; Mon, 19 Sep 2016 18:06:28 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.2 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_MED
	autolearn=ham version=3.3.1
Received: from emsm-gh1-uea11.nsa.gov (emsm-gh1-uea11.nsa.gov [8.44.101.9])
	(using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 618CE295A7
	for <patchwork-selinux@patchwork.kernel.org>;
	Mon, 19 Sep 2016 18:06:27 +0000 (UTC)
X-IronPort-AV: E=Sophos;i="5.30,362,1470700800"; d="scan'208";a="19364999"
IronPort-PHdr: =?us-ascii?q?9a23=3A2rKYkhVhWD+rzsUleAyfF/KQR7HV8LGtZVwlr6E/?=
	=?us-ascii?q?grcLSJyIuqrYZh2Ht8tkgFKBZ4jH8fUM07OQ6PG5Hzxcqs/Z6DhCKMUKDE5dz5?=
	=?us-ascii?q?1O3kQJO42sMQXDNvnkbig3ToxpdWRO2DWFC3VTA9v0fFbIo3e/vnY4ExT7Mhdp?=
	=?us-ascii?q?dKyuQtaBx/q+2+36wZDPeQIA3GP7OuIrakXq5lyJ7oFW2dIkcfdpjEOR4zNhQK?=
	=?us-ascii?q?d//StQP1WdnhLxtI+b3aVI1GBugc8n7NNKSq7gfq41HvRyBTUiNH0ptoWw7UGQ?=
	=?us-ascii?q?BTaV4jMgdkle0l8RW0mWpC39C6ztvzP6u+w14yyTOcn7XPhgQji5x7t6Qx/vzi?=
	=?us-ascii?q?EcPng293+B2eJqi6cOmB+9vVRbypPIeoucP/o2KrvZdM4GX2BIdtxcWyxIHsW3?=
	=?us-ascii?q?aI5ZXLlJBvpRs4So/whGlhC5HwT5Qbq3xw=3D=3D?=
X-IPAS-Result: =?us-ascii?q?A2HbBQDvJ+BX/wHyM5BdGwEBAQMBAQEJAQEBFwEBBAEBCgE?=
	=?us-ascii?q?Bgw8BAQEBAR5XfLo2OCINgW6DQBCCC0wBAQEBAQEBAQIBAlsngjIEAxMFBAE5O?=
	=?us-ascii?q?wEBAQEBAQEjAg0iPAEBAQECAQECNxQgCwMCAQkBAQoNAQoJFQgIAwELIhURBgg?=
	=?us-ascii?q?LBRgEiCEIDr4MAQEBAQYBAQEBAQEhhjeEVIQWEQGFeAWIK4dBigOGJoksgXhOh?=
	=?us-ascii?q?0AMhWKMZIN7VIJ/G4FScAWFXniBJwEBAQ?=
Received: from unknown (HELO tarius.tycho.ncsc.mil) ([144.51.242.1])
	by emsm-gh1-uea11.nsa.gov with ESMTP; 19 Sep 2016 18:06:25 +0000
Received: from prometheus.infosec.tycho.ncsc.mil (prometheus [192.168.25.40])
	by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id u8JI6C1R017274;
	Mon, 19 Sep 2016 14:06:14 -0400
Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil
	[144.51.242.1])
	by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id
	u8JI2Q9i034627 for <selinux@prometheus.infosec.tycho.ncsc.mil>;
	Mon, 19 Sep 2016 14:02:26 -0400
Received: from goalie.tycho.ncsc.mil (goalie [144.51.242.250])
	by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id u8JI2QiT017042;
	Mon, 19 Sep 2016 14:02:26 -0400
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: 
 A1DzAADMJuBXhxy3hNFdGgEBAQECAQEBAQgBAQEBgzoBAQEBAXV8uncmhS4QOgKBT0wBAgEBAQEBAhMBAQEIDQkJGYUQAQEBAQIBOj8FCwsOCgklD0gGiFUIDr4XAQEBAQEBBAEBAQEBIoY3hFSKIAWIK4dBigOGJoksgXhOh0yFYoxkg3uDUxEKgVI8NAWHfQEBAQ
X-IPAS-Result: 
 A1DzAADMJuBXhxy3hNFdGgEBAQECAQEBAQgBAQEBgzoBAQEBAXV8uncmhS4QOgKBT0wBAgEBAQEBAhMBAQEIDQkJGYUQAQEBAQIBOj8FCwsOCgklD0gGiFUIDr4XAQEBAQEBBAEBAQEBIoY3hFSKIAWIK4dBigOGJoksgXhOh0yFYoxkg3uDUxEKgVI8NAWHfQEBAQ
X-IronPort-AV: E=Sophos;i="5.30,362,1470715200"; d="scan'208";a="5714599"
Received: from emsm-gh1-uea10.corp.nsa.gov (HELO emsm-gh1-uea10.nsa.gov)
	([10.208.41.36])
	by goalie.tycho.ncsc.mil with ESMTP; 19 Sep 2016 14:02:25 -0400
IronPort-PHdr: =?us-ascii?q?9a23=3A66InHhLW5phHX3Al+NmcpTZWNBhigK39O0sv0rFi?=
	=?us-ascii?q?tYgUI/vxwZ3uMQTl6Ol3ixeRBMOAuqsC27ad6vi4ESxYuNDa4ShEKMQNHzY+yu?=
	=?us-ascii?q?wu1zQ6B8CEDUCpZNXLVAcdWPp4aVl+4nugOlJUEsutL3fbo3m18CJAUk6nbVk9?=
	=?us-ascii?q?GO35F8bogtit0KjqotuIMlwO1Gb2OOsqZFXu9EOK55FQ2dMjYo8KiTLx6kNSfO?=
	=?us-ascii?q?pXwW46bXmypD3bovmKwZh47i5LsOgg/cMTGY/zfqA/UKAKRG9+azN9zITRuBLC?=
	=?us-ascii?q?VQqC4GcHGiVTy0IQQluN0BavZYv8qiv3sKJG3SCeOcDnBeQvVS+K87ZgSBiujj?=
	=?us-ascii?q?wOcTE+7jeEpNZ3ifdjrQ677zh23pLOaoieNLIqZqfUYM8AT2NpRMtdVyVdRIi7?=
	=?us-ascii?q?at1cXKI6Ie9Eotyl9BM1phykCFzpXbu3xw=3D=3D?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0EyAQB3J+BXhxy3hNFdGgEBAQECAQEBA?=
	=?us-ascii?q?QgBAQEBFgEBAQMBAQEJAQEBgw8BAQEBAXV8ujZBJoFug0AQOgKBT0wBAQEBAQE?=
	=?us-ascii?q?BAQIBAhABAQEIDQkJGS+CMgQBFQEEBAE5OwEBAQEBAQEjAg0iPAEBAQECATo/B?=
	=?us-ascii?q?QsLDgoJJQ9IBohVCA6+DQEBAQEBAQQBAQEBAQEhhjeEVIogBYgrh0GKA4YmiSy?=
	=?us-ascii?q?BeE6HTIVijGSDe4NTEQqBUjw0BYY9gUABAQE?=
X-IPAS-Result: =?us-ascii?q?A0EyAQB3J+BXhxy3hNFdGgEBAQECAQEBAQgBAQEBFgEBAQM?=
	=?us-ascii?q?BAQEJAQEBgw8BAQEBAXV8ujZBJoFug0AQOgKBT0wBAQEBAQEBAQIBAhABAQEID?=
	=?us-ascii?q?QkJGS+CMgQBFQEEBAE5OwEBAQEBAQEjAg0iPAEBAQECATo/BQsLDgoJJQ9IBoh?=
	=?us-ascii?q?VCA6+DQEBAQEBAQQBAQEBAQEhhjeEVIogBYgrh0GKA4YmiSyBeE6HTIVijGSDe?=
	=?us-ascii?q?4NTEQqBUjw0BYY9gUABAQE?=
X-IronPort-AV: E=Sophos;i="5.30,362,1470700800"; d="scan'208";a="17732991"
Received: from mx1.redhat.com ([209.132.183.28])
	by emsm-gh1-uea10.nsa.gov with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;
	19 Sep 2016 18:02:24 +0000
Received: from int-mx13.intmail.prod.int.phx2.redhat.com
	(int-mx13.intmail.prod.int.phx2.redhat.com [10.5.11.26])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by mx1.redhat.com (Postfix) with ESMTPS id A28AC3D979;
	Mon, 19 Sep 2016 18:02:23 +0000 (UTC)
Received: from rhel-at-redhat.localdomain ([10.40.2.167])
	by int-mx13.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with
	ESMTP id u8JI2KB6021412
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256
	verify=NO); Mon, 19 Sep 2016 14:02:22 -0400
Date: Mon, 19 Sep 2016 20:02:20 +0200
From: Petr Lautrbach <plautrba@redhat.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Subject: Re: sandox -X not working with recent Xephyr
Message-ID: <20160919180219.tbmq7yx66wkbk3if@rhel-at-redhat.localdomain>
References: <940febc8-d309-bab6-9797-11c07cf722fb@debian.org>
	<de735099-3871-b9b6-a4cc-8dc67b36e58e@tycho.nsa.gov>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <de735099-3871-b9b6-a4cc-8dc67b36e58e@tycho.nsa.gov>
User-Agent: NeoMutt/20160827 ()
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.26
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16
	(mx1.redhat.com [10.5.110.30]); Mon, 19 Sep 2016 18:02:23 +0000 (UTC)
X-BeenThere: selinux@tycho.nsa.gov
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"
	<selinux.tycho.nsa.gov>
List-Post: <mailto:selinux@tycho.nsa.gov>
List-Help: <mailto:selinux-request@tycho.nsa.gov?subject=help>
Cc: selinux@tycho.nsa.gov
Errors-To: selinux-bounces@tycho.nsa.gov
Sender: "Selinux" <selinux-bounces@tycho.nsa.gov>
X-Virus-Scanned: ClamAV using ClamSMTP

On Mon, Sep 19, 2016 at 10:39:45AM -0400, Stephen Smalley wrote:
> On 09/18/2016 02:39 PM, Laurent Bigonville wrote:
> > Hi,
> > 
> > It seems that sandbox -X is not working anymore on debian.
> > 
> > Xephyr (1.18.4) is giving me the following error:
> > 
> > _XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be
> > created.
> > 
> > The X socket is not created inside the sandbox and then the application
> > can obviously not connect to it.
> > 
> > I'm not sure how this could be fixed, maybe let's seunshare create that
> > directory?
> 
> I don't see this error on Fedora, which also has Xephyr 1.18.4, so maybe
> they have a fix?
> 
> That is using the Fedora policycoreutils-sandbox package, which yields a
> functioning sandbox -X, e.g. sandbox -X firefox works correctly.
> 
> However, if I install sandbox from upstream, e.g.
> 
> cd selinux
> sudo make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install install-pywrap relabel
> 
> then sandbox -X firefox fails immediately, and I have the following in
> the audit log:
> type=SELINUX_ERR msg=audit(1474295659.424:2189):
> op=security_bounded_transition seresult=denied
> oldcontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c658,c1002
> newcontext=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c658,c1002

It's most likely not related. Same error can be seen in stock Fedora.

> So I guess there are other patches in the Fedora package that are needed?

It's this patch
https://github.com/fedora-selinux/selinux/commit/2540625875ebdfe0ef48798437288e8a07aa853d

But the patch bellow works too:




I'm not sure which one is correct.

Petr

--- a/policycoreutils/sandbox/sandboxX.sh
+++ b/policycoreutils/sandbox/sandboxX.sh
@@ -20,7 +20,7 @@ cat > ~/.config/openbox/rc.xml << EOF
 </openbox_config>
 EOF
 
-(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
+(/usr/bin/Xephyr -resizeable -title "$TITLE" -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
     export DISPLAY=:$D
     cat > ~/seremote << __EOF
 #!/bin/sh