Re: sandbox -X not working with recent Xephyr

On 09/19/2016 02:02 PM, Petr Lautrbach wrote:
> On Mon, Sep 19, 2016 at 10:39:45AM -0400, Stephen Smalley wrote:
>> On 09/18/2016 02:39 PM, Laurent Bigonville wrote:
>>> Hi,
>>>
>>> It seems that sandbox -X is not working anymore on debian.
>>>
>>> Xephyr (1.18.4) is giving me the following error:
>>>
>>> _XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be
>>> created.
>>>
>>> The X socket is not created inside the sandbox and then the application
>>> can obviously not connect to it.
>>>
>>> I'm not sure how this could be fixed, maybe let seunshare create that
>>> directory?
>>
>> I don't see this error on Fedora, which also has Xephyr 1.18.4, so maybe
>> they have a fix?
>>
>> That is using the Fedora policycoreutils-sandbox package, which yields a
>> functioning sandbox -X, e.g. sandbox -X firefox works correctly.
>>
>> However, if I install sandbox from upstream, e.g.
>>
>> cd selinux
>> sudo make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install install-pywrap relabel
>>
>> then sandbox -X firefox fails immediately, and I have the following in
>> the audit log:
>> type=SELINUX_ERR msg=audit(1474295659.424:2189):
>> op=security_bounded_transition seresult=denied
>> oldcontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c658,c1002
>> newcontext=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c658,c1002
> 
> It's most likely not related. The same error can be seen in stock Fedora.
> 
>> So I guess there are other patches in the Fedora package that are needed?
> 
> It's this patch
> https://github.com/fedora-selinux/selinux/commit/2540625875ebdfe0ef48798437288e8a07aa853d
> 
> But the patch below works too:
> 
> --- a/policycoreutils/sandbox/sandboxX.sh
> +++ b/policycoreutils/sandbox/sandboxX.sh
> @@ -20,7 +20,7 @@ cat > ~/.config/openbox/rc.xml << EOF
>  </openbox_config>
>  EOF
>  
> -(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
> +(/usr/bin/Xephyr -resizeable -title "$TITLE" -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
>      export DISPLAY=:$D
>      cat > ~/seremote << __EOF
>  #!/bin/sh
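Review bot: dropping `-terminate` from the Xephyr command line changes the nested X server's lifecycle (with the flag it exits at server reset, i.e. once its last client disconnects), and nothing else in this hunk kills Xephyr in its place, so please confirm that the rest of sandboxX.sh tears the server down when the sandboxed application exits; otherwise the Xephyr process and its display socket will linger after the sandbox is gone. The change description should also say why removing the flag fixes the `_XSERVTransmkdir: ERROR: euid != 0` report that started this thread, since the connection between the two is not evident from the hunk itself.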
> 
> 
> 
> I'm not sure which one is correct.

I don't know either, but the one above does work and seems simpler, so
let's go with that one.


_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
