On 09/20/2016 02:49 PM, Stephen Smalley wrote:
> On 09/19/2016 02:26 PM, Stephen Smalley wrote:
>> On 09/19/2016 02:02 PM, Petr Lautrbach wrote:
>>> On Mon, Sep 19, 2016 at 10:39:45AM -0400, Stephen Smalley wrote:
>>>> On 09/18/2016 02:39 PM, Laurent Bigonville wrote:
>>>>> Hi,
>>>>>
>>>>> It seems that sandbox -X is not working anymore on debian.
>>>>>
>>>>> Xephyr (1.18.4) is giving me the following error:
>>>>>
>>>>> _XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be
>>>>> created.
>>>>>
>>>>> The X socket is not created inside the sandbox and then the application
>>>>> can obviously not connect to it.
>>>>>
>>>>> I'm not sure how this could be fixed, maybe let's seunshare create that
>>>>> directory?
>>>>
>>>> I don't see this error on Fedora, which also has Xephyr 1.18.4, so maybe
>>>> they have a fix?
>>>>
>>>> That is using the Fedora policycoreutils-sandbox package, which yields a
>>>> functioning sandbox -X, e.g. sandbox -X firefox works correctly.
>>>>
>>>> However, if I install sandbox from upstream, e.g.
>>>>
>>>> cd selinux
>>>> sudo make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install install-pywrap relabel
>>>>
>>>> then sandbox -X firefox fails immediately, and I have the following in
>>>> the audit log:
>>>> type=SELINUX_ERR msg=audit(1474295659.424:2189):
>>>> op=security_bounded_transition seresult=denied
>>>> oldcontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c658,c1002
>>>> newcontext=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c658,c1002
>>>
>>> It's most likely not related. Same error can be seen in stock Fedora.
>>>
>>>> So I guess there are other patches in the Fedora package that are needed?
>>>
>>> It's this patch
>>> https://github.com/fedora-selinux/selinux/commit/2540625875ebdfe0ef48798437288e8a07aa853d
>>>
>>> But the patch below works too:
>>>
>>> --- a/policycoreutils/sandbox/sandboxX.sh
>>> +++ b/policycoreutils/sandbox/sandboxX.sh
>>> @@ -20,7 +20,7 @@ cat > ~/.config/openbox/rc.xml << EOF
>>>  </openbox_config>
>>>  EOF
>>>
>>> -(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
>>> +(/usr/bin/Xephyr -resizeable -title "$TITLE" -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
>>>  export DISPLAY=:$D
>>>  cat > ~/seremote << __EOF
>>>  #!/bin/sh
>>>
>>>
>>>
>>> I'm not sure which one is correct.
>>
>> I don't know either, but the one above does work and seems simpler, so
>> let's go with that one.
>
> So, if you could re-spin that with a proper subject and signed-off-by,
> that would be great.
>

I'll send the patch tomorrow. In the meantime I try to find out what and why.

It's the xmodmap command at the beginning of ~/.sandboxrc which doesn't work
and probably resets the server which terminates itself then.

With the following hack I'm able to run Xephyr with -terminate and with
working xmodmap:

--- a/policycoreutils/sandbox/sandbox
+++ b/policycoreutils/sandbox/sandbox
@@ -282,8 +282,9 @@ class Sandbox:
             command += "'%s' " % p
         fd.write("""#! /bin/sh
 #TITLE: %s
-/usr/bin/test -r ~/.xmodmap && /usr/bin/xmodmap ~/.xmodmap
 %s &
+sleep 1
+/usr/bin/test -r ~/.xmodmap && /usr/bin/xmodmap ~/.xmodmap
 WM_PID=$!
 dbus-launch --exit-with-session %s

Petr

-- 
Petr Lautrbach
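Review bot: Dropping -terminate from the Xephyr invocation in the quoted sandboxX.sh hunk works around the early server exit, but the thread itself later traces that exit to the xmodmap line in ~/.sandboxrc resetting the server, so this masks the cause rather than fixing it. Without -terminate Xephyr will no longer exit on its own once its last client disconnects, so confirm that the surrounding script still tears the nested server down when the sandboxed application exits, and carry that rationale in the commit message; as posted the hunk also lacks the subject line and Signed-off-by the thread asks for.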
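Review bot: The fixed `sleep 1` in the sandbox hunk is a timing guess, not a readiness check: on a loaded machine the window manager started by `%s &` may not be up after one second and xmodmap will still fail (or reset the server as the thread describes), while on a fast machine it adds a second of startup latency to every sandbox. A wait on the window manager actually being ready (for example looping until a client can connect to $DISPLAY) would be more robust, and the reason xmodmap now has to run after the WM is launched belongs in a comment, since nothing in the generated script explains the ordering. The `$!` captured into WM_PID still refers to the backgrounded `%s &` because sleep and xmodmap run in the foreground, so that part is fine.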