
sandbox -X not working with recent Xephyr

Message ID 43c73baa-fc08-7c50-09cf-e03e12408853@redhat.com (mailing list archive)
State Not Applicable

Commit Message

Petr Lautrbach Sept. 20, 2016, 9:56 p.m. UTC
On 09/20/2016 02:49 PM, Stephen Smalley wrote:
> On 09/19/2016 02:26 PM, Stephen Smalley wrote:
>> On 09/19/2016 02:02 PM, Petr Lautrbach wrote:
>>> On Mon, Sep 19, 2016 at 10:39:45AM -0400, Stephen Smalley wrote:
>>>> On 09/18/2016 02:39 PM, Laurent Bigonville wrote:
>>>>> Hi,
>>>>>
>>>>> It seems that sandbox -X is not working anymore on debian.
>>>>>
>>>>> Xephyr (1.18.4) is giving me the following error:
>>>>>
>>>>> _XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be
>>>>> created.
>>>>>
>>>>> The X socket is not created inside the sandbox and then the application
>>>>> can obviously not connect to it.
>>>>>
>>>>> I'm not sure how this could be fixed, maybe let's seunshare create that
>>>>> directory?
>>>>
>>>> I don't see this error on Fedora, which also has Xephyr 1.18.4, so maybe
>>>> they have a fix?
>>>>
>>>> That is using the Fedora policycoreutils-sandbox package, which yields a
>>>> functioning sandbox -X, e.g. sandbox -X firefox works correctly.
>>>>
>>>> However, if I install sandbox from upstream, e.g.
>>>>
>>>> cd selinux
>>>> sudo make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install install-pywrap relabel
>>>>
>>>> then sandbox -X firefox fails immediately, and I have the following in
>>>> the audit log:
>>>> type=SELINUX_ERR msg=audit(1474295659.424:2189):
>>>> op=security_bounded_transition seresult=denied
>>>> oldcontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c658,c1002
>>>> newcontext=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c658,c1002
>>>
>>> It's most likely not related. The same error can be seen in stock Fedora.
>>>
>>>> So I guess there are other patches in the Fedora package that are needed?
>>>
>>> It's this patch
>>> https://github.com/fedora-selinux/selinux/commit/2540625875ebdfe0ef48798437288e8a07aa853d
>>>
>>> But the patch below works too:
>>>
>>> --- a/policycoreutils/sandbox/sandboxX.sh
>>> +++ b/policycoreutils/sandbox/sandboxX.sh
>>> @@ -20,7 +20,7 @@ cat > ~/.config/openbox/rc.xml << EOF
>>>  </openbox_config>
>>>  EOF
>>>  
>>> -(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
>>> +(/usr/bin/Xephyr -resizeable -title "$TITLE" -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
>>>      export DISPLAY=:$D
>>>      cat > ~/seremote << __EOF
>>>  #!/bin/sh
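Review bot: dropping `-terminate` from the Xephyr command line (the one changed line of this hunk) removes the behaviour that makes Xephyr exit once its last client disconnects, so the script now has to kill Xephyr itself when the sandboxed session ends or the nested server and its window outlive the session. If the actual failure is an early short-lived client (the xmodmap call in ~/.sandboxrc, as described further down this thread) disconnecting before the window manager has connected and thereby triggering that last-client reset, keeping `-terminate` and reordering the clients is the smaller fix. Either way the change needs a commit message stating which of the two effects is intended.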
>>>
>>>
>>>
>>> I'm not sure which one is correct.
>>
>> I don't know either, but the one above does work and seems simpler, so
>> let's go with that one.
> 
> So, if you could re-spin that with a proper subject and signed-off-by,
> that would be great.
> 
> 

I'll send the patch tomorrow.

In the meantime I try to find out what and why.

It's the xmodmap command at the beginning of ~/.sandboxrc which doesn't
work and probably resets the server which terminates itself then.

With the following hack I'm able to run Xephyr with -terminate and with
working xmodmap:


Petr

Patch

--- a/policycoreutils/sandbox/sandbox
+++ b/policycoreutils/sandbox/sandbox
@@ -282,8 +282,9 @@  class Sandbox:
                 command += "'%s' " % p
             fd.write("""#! /bin/sh
 #TITLE: %s
-/usr/bin/test -r ~/.xmodmap && /usr/bin/xmodmap ~/.xmodmap
 %s &
+sleep 1
+/usr/bin/test -r ~/.xmodmap && /usr/bin/xmodmap ~/.xmodmap
 WM_PID=$!
 dbus-launch --exit-with-session %s
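Review bot: `sleep 1` is a fixed delay standing in for the real condition (the window manager having connected to the Xephyr display before xmodmap, otherwise the only client, disconnects and triggers the server's `-terminate` reset), so on a loaded machine the race can still be lost; a bounded retry loop that polls for the condition is more robust than sleeping. Also keep `WM_PID=$!` directly under `%s &`: `$!` still refers to the backgrounded window manager because `sleep` and `xmodmap` run in the foreground, but two intervening foreground lines make that pairing easy to break on the next edit.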