From patchwork Mon Sep 19 18:02:20 2016
X-Patchwork-Submitter: Petr Lautrbach
X-Patchwork-Id: 9340301
Date: Mon, 19 Sep 2016 20:02:20 +0200
From: Petr Lautrbach
To: Stephen Smalley
Subject: Re: sandox -X not working with recent Xephyr
Message-ID: <20160919180219.tbmq7yx66wkbk3if@rhel-at-redhat.localdomain>
References: <940febc8-d309-bab6-9797-11c07cf722fb@debian.org>
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"
Cc: selinux@tycho.nsa.gov

On Mon, Sep 19, 2016 at 10:39:45AM -0400, Stephen Smalley wrote:
> On 09/18/2016 02:39 PM, Laurent Bigonville wrote:
> > Hi,
> >
> > It seems that sandbox -X is not working anymore on debian.
> >
> > Xephyr (1.18.4) is giving me the following error:
> >
> > _XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be
> > created.
> >
> > The X socket is not created inside the sandbox and then the application
> > can obviously not connect to it.
> >
> > I'm not sure how this could be fixed, maybe let's seunshare create that
> > directory?
>
> I don't see this error on Fedora, which also has Xephyr 1.18.4, so maybe
> they have a fix?
>
> That is using the Fedora policycoreutils-sandbox package, which yields a
> functioning sandbox -X, e.g. sandbox -X firefox works correctly.
>
> However, if I install sandbox from upstream, e.g.
>
> cd selinux
> sudo make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install install-pywrap relabel
>
> then sandbox -X firefox fails immediately, and I have the following in
> the audit log:
> type=SELINUX_ERR msg=audit(1474295659.424:2189):
> op=security_bounded_transition seresult=denied
> oldcontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c658,c1002
> newcontext=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c658,c1002

It's most likely not related. The same error can be seen in stock Fedora.

> So I guess there are other patches in the Fedora package that are needed?

It's this patch
https://github.com/fedora-selinux/selinux/commit/2540625875ebdfe0ef48798437288e8a07aa853d

But the patch below works too:

I'm not sure which one is correct.

Petr

--- a/policycoreutils/sandbox/sandboxX.sh +++ b/policycoreutils/sandbox/sandboxX.sh @@ -20,7 +20,7 @@ cat > ~/.config/openbox/rc.xml << EOF EOF -(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do +(/usr/bin/Xephyr -resizeable -title "$TITLE" -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do export DISPLAY=:$D cat > ~/seremote << __EOF #!/bin/sh
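Review bot: dropping `-terminate` from the Xephyr invocation changes how the nested X server is torn down, and the message gives no reason for the change beyond "works too". With `-terminate` Xephyr exits on server reset, i.e. once its last client disconnects; without it the server keeps running after the sandboxed application closes, so unless the rest of sandboxX.sh kills the Xephyr process explicitly (not visible in this hunk) a stale nested display and its socket are left behind. Please state in the commit message why `-terminate` is connected to the `_XSERVTransmkdir` / missing-socket failure reported above, or explain how this compares with the Fedora commit linked in the reply, so a reviewer can decide between the two fixes.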