From patchwork Tue Sep 20 21:56:50 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Petr Lautrbach <plautrba@redhat.com>
X-Patchwork-Id: 9342539
Return-Path: <selinux-bounces@tycho.nsa.gov>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	44122607EE for <patchwork-selinux@patchwork.kernel.org>;
	Tue, 20 Sep 2016 22:00:33 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 34A11295CF
	for <patchwork-selinux@patchwork.kernel.org>;
	Tue, 20 Sep 2016 22:00:33 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 2795B297E1; Tue, 20 Sep 2016 22:00:33 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.2 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_MED
	autolearn=ham version=3.3.1
Received: from emsm-gh1-uea11.nsa.gov (smtp.nsa.gov [8.44.101.9])
	(using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 42382295CF
	for <patchwork-selinux@patchwork.kernel.org>;
	Tue, 20 Sep 2016 22:00:31 +0000 (UTC)
X-IronPort-AV: E=Sophos;i="5.30,370,1470700800";
	d="asc'?scan'208";a="19412829"
IronPort-PHdr: =?us-ascii?q?9a23=3ACgHGAxb9b1hYzV7wbUDjZe//LSx+4OfEezUN459i?=
	=?us-ascii?q?sYplN5qZpcq8bnLW6fgltlLVR4KTs6sC0LuM9fi4EjVavd6oizMrSNR0TRgLiM?=
	=?us-ascii?q?EbzUQLIfWuLgnFFsPsdDEwB89YVVVorDmROElRH9viNRWJ+iXhpQAbFhi3Dwdp?=
	=?us-ascii?q?POO9QteU1JXtkbjqsMSJP01hv3mUWftKNhK4rAHc5IE9oLBJDeIP8CbPuWZCYO?=
	=?us-ascii?q?9MxGlldhq5lhf44dqsrtY4q3wD888784Z8dYmyP+FhFf0LRAghZlsp6dXruB+L?=
	=?us-ascii?q?dg6G4n8RQy1CiRZTKxTU5xH9GJHqu231sfQriweAOsijdb0oQ3yG5rp3UhXhgy?=
	=?us-ascii?q?dPYyY9+XzLkMZ5pLhWrBKou1p0xIuCM9LdD+Z3Yq6IJYBSfmFGRMsEEnUZDw?=
	=?us-ascii?q?=3D=3D?=
X-IPAS-Result: =?us-ascii?q?A2EwCwBIsOFX/wHyM5BdHAEBBAEBCgEBFwEBBAEBCgEBgxA?=
	=?us-ascii?q?BAQEBAR5XKlK6ODoCHg2BboNAEDUDgWZMAQEBAQEBAQECAQJbJ4IyBAMTBQQBO?=
	=?us-ascii?q?TsBAQEBAQEBIwINIj0BAQQBAiArIAsDAwkBAQoNAQomBAICAwEtDAkRBggFBgI?=
	=?us-ascii?q?BAQEYBIgpDrA5jFcBAQEBBgEBAQEBARMOhjeBfIJYhBYRAQaDGIJaAQSIK4dBi?=
	=?us-ascii?q?gWDQIF2cIk4gW5Oh0AMhWOMZIN7VIMYG4FScAWFRHiBJwEBAQ?=
Received: from unknown (HELO tarius.tycho.ncsc.mil) ([144.51.242.1])
	by emsm-gh1-uea11.nsa.gov with ESMTP; 20 Sep 2016 22:00:29 +0000
Received: from prometheus.infosec.tycho.ncsc.mil (prometheus [192.168.25.40])
	by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id u8KLvk7o021656;
	Tue, 20 Sep 2016 17:57:56 -0400
Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil
	[144.51.242.1])
	by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id
	u8KLvkVL069210 for <selinux@prometheus.infosec.tycho.ncsc.mil>;
	Tue, 20 Sep 2016 17:57:46 -0400
Received: from goalie.tycho.ncsc.mil (goalie [144.51.242.250])
	by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id u8KLvjTW021646;
	Tue, 20 Sep 2016 17:57:45 -0400
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: 
 A1CcAQCDsOFXhxy3hNFdGwEBAQMBAQEJAQEBgzsBAQEBAXUqUrp5JoUuEDoCgWJMAQIBAQEBAQITAQEBCgsJCRmFEQEBAQMjVhALDgoqAgI9GgYNCAEBiEYOsDeMVwEBAQEBAQQBAQEBARQOhjeBfIJYhC6DGIJaBYgrh0GKBYNAgXZwiTiBbk6HTIVjjGSDe4NsEQqBUjw0BYdjAQEB
X-IPAS-Result: 
 A1CcAQCDsOFXhxy3hNFdGwEBAQMBAQEJAQEBgzsBAQEBAXUqUrp5JoUuEDoCgWJMAQIBAQEBAQITAQEBCgsJCRmFEQEBAQMjVhALDgoqAgI9GgYNCAEBiEYOsDeMVwEBAQEBAQQBAQEBARQOhjeBfIJYhC6DGIJaBYgrh0GKBYNAgXZwiTiBbk6HTIVjjGSDe4NsEQqBUjw0BYdjAQEB
X-IronPort-AV: E=Sophos; i="5.30,370,1470715200"; d="asc'?scan'208";
	a="5717680"
Received: from emsm-gh1-uea11.corp.nsa.gov (HELO emsm-gh1-uea11.nsa.gov)
	([10.208.41.37])
	by goalie.tycho.ncsc.mil with ESMTP; 20 Sep 2016 17:57:10 -0400
IronPort-PHdr: =?us-ascii?q?9a23=3AdtY9lhZzi8IGE/XGqVwXrsX/LSx+4OfEezUN459i?=
	=?us-ascii?q?sYplN5qZpcu5bnLW6fgltlLVR4KTs6sC0LuM9fi4EjVavd6oizMrSNR0TRgLiM?=
	=?us-ascii?q?EbzUQLIfWuLgnFFsPsdDEwB89YVVVorDmROElRH9viNRWJ+iXhpQAbFhi3Dwdp?=
	=?us-ascii?q?POO9QteU1JXtkbjqsMSJP01hv3mUWftKNhK4rAHc5IE9oLBJDeIP8CbPuWZCYO?=
	=?us-ascii?q?9MxGlldhq5lhf44dqsrtY4q3wD89pozcNLUL37cqIkVvQYSW1+ayFmrPHs4CLf?=
	=?us-ascii?q?QBOP631UaWAflh5FEkCR9x3hdovguSv98Oxm0W+VOtOgHp4uXjH316p3UlfMgT?=
	=?us-ascii?q?obLTQw+2Gf3tR0hb9HuhiojwZyz47dfMeeM/8oLfCVRs8TWWcUBpUZbCdGGI7p?=
	=?us-ascii?q?KtJXV+c=3D?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0F9AQBIsOFXhxy3hNFdGwEBAQMBAQEJA?=
	=?us-ascii?q?QEBFwEBBAEBCgEBgxABAQEBAXUqUro4QSaBboNAEDoCgWJMAQEBAQEBAQECAQI?=
	=?us-ascii?q?QAQEBCgsJCRkvgjIEARUBBAQBOTsBAQEBAQEBIwINIj0BAQEDI1YQCw4KKgICP?=
	=?us-ascii?q?RoGDQgBAYhGDrA5jFcBAQEBAQEEAQEBAQEBARIOhjeBfIJYhC6DGIJaBYgrh0G?=
	=?us-ascii?q?KBYNAgXZwiTiBbk6HTIVjjGSDe4NsEQqBUjw0BYYjgUABAQE?=
X-IPAS-Result: =?us-ascii?q?A0F9AQBIsOFXhxy3hNFdGwEBAQMBAQEJAQEBFwEBBAEBCgE?=
	=?us-ascii?q?BgxABAQEBAXUqUro4QSaBboNAEDoCgWJMAQEBAQEBAQECAQIQAQEBCgsJCRkvg?=
	=?us-ascii?q?jIEARUBBAQBOTsBAQEBAQEBIwINIj0BAQEDI1YQCw4KKgICPRoGDQgBAYhGDrA?=
	=?us-ascii?q?5jFcBAQEBAQEEAQEBAQEBARIOhjeBfIJYhC6DGIJaBYgrh0GKBYNAgXZwiTiBb?=
	=?us-ascii?q?k6HTIVjjGSDe4NsEQqBUjw0BYYjgUABAQE?=
X-IronPort-AV: E=Sophos;i="5.30,370,1470700800";
	d="asc'?scan'208";a="19412771"
Received: from mx1.redhat.com ([209.132.183.28])
	by emsm-gh1-uea11.nsa.gov with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;
	20 Sep 2016 21:56:59 +0000
Received: from int-mx14.intmail.prod.int.phx2.redhat.com
	(int-mx14.intmail.prod.int.phx2.redhat.com [10.5.11.27])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by mx1.redhat.com (Postfix) with ESMTPS id 0D0C31556C;
	Tue, 20 Sep 2016 21:56:59 +0000 (UTC)
Received: from hulk.lan (ovpn-204-41.brq.redhat.com [10.40.204.41])
	by int-mx14.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with
	ESMTP id u8KLuuFB028787
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Tue, 20 Sep 2016 17:56:57 -0400
Subject: Re: sandox -X not working with recent Xephyr
To: Stephen Smalley <sds@tycho.nsa.gov>
References: <940febc8-d309-bab6-9797-11c07cf722fb@debian.org>
	<de735099-3871-b9b6-a4cc-8dc67b36e58e@tycho.nsa.gov>
	<20160919180219.tbmq7yx66wkbk3if@rhel-at-redhat.localdomain>
	<c8e7f2ad-72eb-2175-5916-e5054e431e48@tycho.nsa.gov>
	<45d0fdf5-48ad-242c-fa77-314bdf052bb7@tycho.nsa.gov>
From: Petr Lautrbach <plautrba@redhat.com>
Message-ID: <43c73baa-fc08-7c50-09cf-e03e12408853@redhat.com>
Date: Tue, 20 Sep 2016 23:56:50 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
	Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <45d0fdf5-48ad-242c-fa77-314bdf052bb7@tycho.nsa.gov>
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.27
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16
	(mx1.redhat.com [10.5.110.29]); Tue, 20 Sep 2016 21:56:59 +0000 (UTC)
X-BeenThere: selinux@tycho.nsa.gov
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"
	<selinux.tycho.nsa.gov>
List-Post: <mailto:selinux@tycho.nsa.gov>
List-Help: <mailto:selinux-request@tycho.nsa.gov?subject=help>
Cc: selinux@tycho.nsa.gov
Errors-To: selinux-bounces@tycho.nsa.gov
Sender: "Selinux" <selinux-bounces@tycho.nsa.gov>
X-Virus-Scanned: ClamAV using ClamSMTP

On 09/20/2016 02:49 PM, Stephen Smalley wrote:
> On 09/19/2016 02:26 PM, Stephen Smalley wrote:
>> On 09/19/2016 02:02 PM, Petr Lautrbach wrote:
>>> On Mon, Sep 19, 2016 at 10:39:45AM -0400, Stephen Smalley wrote:
>>>> On 09/18/2016 02:39 PM, Laurent Bigonville wrote:
>>>>> Hi,
>>>>>
>>>>> It seems that sandbox -X is not working anymore on debian.
>>>>>
>>>>> Xephyr (1.18.4) is giving me the following error:
>>>>>
>>>>> _XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be
>>>>> created.
>>>>>
>>>>> The X socket is not created inside the sandbox and then the application
>>>>> can obviously not connect to it.
>>>>>
>>>>> I'm not sure how this could be fixed, maybe let's seunshare create that
>>>>> directory?
>>>>
>>>> I don't see this error on Fedora, which also has Xephyr 1.18.4, so maybe
>>>> they have a fix?
>>>>
>>>> That is using the Fedora policycoreutils-sandbox package, which yields a
>>>> functioning sandbox -X, e.g. sandbox -X firefox works correctly.
>>>>
>>>> However, if I install sandbox from upstream, e.g.
>>>>
>>>> cd selinux
>>>> sudo make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install install-pywrap relabel
>>>>
>>>> then sandbox -X firefox fails immediately, and I have the following in
>>>> the audit log:
>>>> type=SELINUX_ERR msg=audit(1474295659.424:2189):
>>>> op=security_bounded_transition seresult=denied
>>>> oldcontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c658,c1002
>>>> newcontext=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c658,c1002
>>>
>>> It's most likely not related. Same error can be seen in stock Fedora.
>>>
>>>> So I guess there are other patches in the Fedora package that are needed?
>>>
>>> It's this patch
>>> https://github.com/fedora-selinux/selinux/commit/2540625875ebdfe0ef48798437288e8a07aa853d
>>>
>>> But the patch bellow works too:
>>>
>>> --- a/policycoreutils/sandbox/sandboxX.sh
>>> +++ b/policycoreutils/sandbox/sandboxX.sh
>>> @@ -20,7 +20,7 @@ cat > ~/.config/openbox/rc.xml << EOF
>>>  </openbox_config>
>>>  EOF
>>>  
>>> -(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
>>> +(/usr/bin/Xephyr -resizeable -title "$TITLE" -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
>>>      export DISPLAY=:$D
>>>      cat > ~/seremote << __EOF
>>>  #!/bin/sh
>>>
>>>
>>>
>>> I'm not sure which one is correct.
>>
>> I don't know either, but the one above does work and seems simpler, so
>> let's go with that one.
> 
> So, if you could re-spin that with a proper subject and signed-off-by,
> that would be great.
> 
> 

I'll send the patch tomorrow.

In the mean time I try to find out what and I why.

It's the xmodmap command at the beginning of ~/.sandboxrc which doesn't
work and probably resets the server which terminates itself then.

With the following hack I'm able to run Xephyr with -terminate and with
working xmodmap:


Petr

--- a/policycoreutils/sandbox/sandbox
+++ b/policycoreutils/sandbox/sandbox
@@ -282,8 +282,9 @@ class Sandbox:
                 command += "'%s' " % p
             fd.write("""#! /bin/sh
 #TITLE: %s
-/usr/bin/test -r ~/.xmodmap && /usr/bin/xmodmap ~/.xmodmap
 %s &
+sleep 1
+/usr/bin/test -r ~/.xmodmap && /usr/bin/xmodmap ~/.xmodmap
 WM_PID=$!
 dbus-launch --exit-with-session %s