Bug 1093702

Summary: sandboxed X apps no longer working
Product: [Fedora] Fedora
Reporter: Patrick C. F. Ernzer <pcfe>
Component: selinux-policy-targeted
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED DUPLICATE
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: unspecified
Version: 20
CC: amit.shah, dwalsh, luto, rhel
Hardware: Unspecified
OS: Linux
Doc Type: Bug Fix
Last Closed: 2015-03-06 02:55:54 UTC
Type: Bug
Bug Depends On: 1035427

Description Patrick C. F. Ernzer 2014-05-02 12:02:52 UTC
Description of problem:
Up until recently, I could do 
sandbox -t sandbox_web_t -X firefox http://www.redhat.com/
just fine. Since applying updates a few days ago[1] I get
$ sandbox -t sandbox_web_t -X firefox http://www.redhat.com/
Failed to execute command /usr/share/sandbox/sandboxX.sh: Operation not permitted


Version-Release number of selected component (if applicable):
policycoreutils-python-2.2.5-3.fc20.x86_64
selinux-policy-3.12.1-153.fc20.noarch
selinux-policy-targeted-3.12.1-153.fc20.noarch
selinux-policy-devel-3.12.1-153.fc20.noarch
selinux-policy-sandbox-3.12.1-153.fc20.noarch


How reproducible:
always

Steps to Reproduce:
1. sandbox -t sandbox_web_t -X firefox http://www.redhat.com/

Actual results:
Failed to execute command /usr/share/sandbox/sandboxX.sh: Operation not permitted


Expected results:
sandboxed firefox opens and displays http://www.redhat.com/

Additional info:
- I tried both without ~/.sandboxrc and with the file (as taken from comment #17 of bug 1017727) same result.

- While, up to ~1 week ago, this worked fine; selinux-policy-sandbox was not installed. I installed that just now, no change.

- $ sandbox id -Z
unconfined_u:unconfined_r:sandbox_t:s0:c45,c520

- sandbox also fails in permissive mode

- If I have a ~/.sandboxrc ( https://bugzilla.redhat.com/show_bug.cgi?id=1017727#c17 )
$ /usr/share/sandbox/sandboxX.sh
does give me an empty window and, once I click into it (or press a key while that window has focus), an xterm.

- $ Xephyr -displayfd 5
gives me an empty Xephyr window, as expected.

- the failure is not limited to sandboxed firefox, this fails just the same
$ /usr/bin/sandbox  -X okular 
Failed to execute command /usr/share/sandbox/sandboxX.sh: Operation not permitted

- firefox is the X app I most often run sandboxed (e.g. when receiving short URLs in an IRC channel) but opening PDF in a sandboxed okular is also a functionality I miss (that also worked previously, but it has been a while since I needed that on this machine)

- # semodule -l | grep sand
sandbox	1.0.0	
sandboxX	1.0.0	


[1] selinux-policy-targeted-3.12.1-153.fc20.noarch
I am not sure if this worked with policycoreutils-2.2.5-3 or only the previous version. That update was applied a week before selinux-policy-targeted and I am not sure if I ran a sandboxed X app with policycoreutils-2.2.5-3 but the previous selinux-policy-targeted.

Comment 1 Daniel Walsh 2014-05-03 10:18:55 UTC
This is caused by a change to libcap-ng that is being reverted.

Comment 2 Patrick C. F. Ernzer 2014-05-04 09:32:38 UTC
Thanks Dan!

I've downgraded from libcap-ng-0.7.4-1.fc20 to libcap-ng-0.7.3-6.fc20 and sandbox works again as expected.

Updating to libcap-ng-0.7.4-2.fc21 also solves this bug. I'll stay in the rawhide version for now.

Comment 3 GV 2014-06-15 18:19:44 UTC
I am unable to use sandbox with libcap-ng-0.7.4-1.fc19. Reverting to libcap-ng-utils-0.7.3-3.fc19 and sandbox works again!

Comment 4 GV 2014-06-15 18:38:42 UTC
After upgrading policycoreutils-sandbox, selinux-policy-targeted and selinux-policy from updates-testing and with libcap-ng-0.7.4-1.fc19 now I get denials:

type=AVC msg=audit(1402857206.622:432): avc:  denied  { dyntransition } for  pid=25527 comm="seunshare" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c468,c530 tclass=process

Comment 5 GV 2014-06-15 18:42:51 UTC
And this one (after allowing dyntransition):

type=AVC msg=audit(1402857536.856:456): avc:  denied  { connectto } for  pid=25703 comm="Xephyr" path=002F746D702F2E5831312D756E69782F5830 scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c267,c967 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket

Allowing connectto for Xephyr finally makes sandbox work again.
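
Added example, not part of the original bug thread or of any project's code: a small Python parser for the two AVC records quoted in comments 4 and 5. It splits each denial into its fields and decodes the hex-encoded path= value, which the audit log writes in hex when a string contains bytes such as NUL. The function names are hypothetical.

```python
import re

# The two denials quoted in comments 4 and 5 of this bug, copied verbatim.
SAMPLE = [
    'type=AVC msg=audit(1402857206.622:432): avc:  denied  { dyntransition } for  pid=25527 comm="seunshare" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c468,c530 tclass=process',
    'type=AVC msg=audit(1402857536.856:456): avc:  denied  { connectto } for  pid=25703 comm="Xephyr" path=002F746D702F2E5831312D756E69782F5830 scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c267,c967 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Fields whose values are logged quoted, or hex-encoded when they hold bytes
# that are unsafe to log (NUL, spaces, quotes, control characters).
STRING_FIELDS = {'path', 'name', 'comm', 'exe'}

def decode_audit_string(value):
    """Return the readable form of a quoted or hex-encoded audit string."""
    if value.startswith('"'):
        return value.strip('"')
    if len(value) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', value):
        raw = bytes.fromhex(value)
        text = raw.decode('utf-8', errors='replace')
        # A leading NUL marks an abstract-namespace Unix socket; show it as '@'.
        return '@' + text[1:] if raw[:1] == b'\x00' else text
    return value

def parse_avc(line):
    """Parse one AVC denial into a dict; return None for other record types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'perms': m.group('perms').split()}
    for key, value in FIELD_RE.findall(m.group('fields')):
        rec[key] = decode_audit_string(value) if key in STRING_FIELDS else value
    # An SELinux context is user:role:type:level; the type is the domain.
    rec['source_type'] = rec['scontext'].split(':')[2]
    rec['target_type'] = rec['tcontext'].split(':')[2]
    return rec

def summarize(rec):
    """One-line summary: source domain, target type, class, permissions."""
    out = '{} -> {} : {} {{ {} }}'.format(
        rec['source_type'], rec['target_type'], rec['tclass'], ' '.join(rec['perms']))
    return out + ' path=' + rec['path'] if 'path' in rec else out

if __name__ == '__main__':
    for line in SAMPLE:
        print(summarize(parse_avc(line)))
```

The decoded path in the second record is the abstract socket @/tmp/.X11-unix/X0, so that denial is Xephyr, running in sandbox_web_t, connecting to the X server (xserver_t) on display :0.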

Comment 6 GV 2014-06-15 18:44:06 UTC
Still firefox does not work. Nice. :-(

Comment 7 Andy Lutomirski 2015-03-06 02:55:54 UTC
For simplicity, I'm marking this as a duplicate.

*** This bug has been marked as a duplicate of bug 1103622 ***