On Fri, Jan 23, 2015 at 8:18 AM, Matthias Runge <mrunge@xxxxxxxxxxxxxxxxx> wrote: > On 23/01/15 16:59, Andrew Lutomirski wrote: > >>> >>> sandbox -X will also add more protection. >> >> Unless I'm mistaken, sandbox -X hasn't worked in almost a year. >> > I gave it a try; > > sandbox -X > /usr/bin/sandbox: > /usr/sbin/seunshare is required for the action you want to perform. > > > Sadly, a naive (and not so naive) dnf reporequery, repoquery and yum > search did not show the right dep. > > Wild guessing solved it for me: > dnf install policycoreutils-sandbox > > And it works (for me) now. > I'm confused. I thought that https://bugzilla.redhat.com/show_bug.cgi?id=1103622 affected everyone. For me: $ sandbox echo true true $ sandbox -X xterm [nothing happens] My logs end up full of: [149118.893566] audit: type=1400 audit(1422030456.097:40): avc: denied { connectto } for pid=18971 comm="Xephyr" path=002F746D702F2E5831312D756E69782F5830 scontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c87,c567 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0 [149123.720019] audit: type=1400 audit(1422030460.929:41): avc: denied { connectto } for pid=18995 comm="Xephyr" path=002F746D702F2E5831312D756E69782F5830 scontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c77,c197 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0 This is true even on 3.18 kernels, which have "selinux: Permit bounded transitions under NO_NEW_PRIVS or NOSUID.", which was intended to give the selinux policy an extra way out of the mess that caused this problem in the first place. --Andy -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
