Bug 1281753

Summary: Specifying the MLS/MCS Security Level to run an X based sandbox with, fails
Product: [Fedora] Fedora Reporter: Miroslav Grepl <mgrepl>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: high    
Version: 23CC: dominick.grift, dwalsh, extras-qa, lvrabec, mgrepl, plautrba, sorasl
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-159.fc23 selinux-policy-3.13.1-158.2.fc23 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1279006 Environment:
Last Closed: 2016-01-22 02:21:56 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1279006    
Bug Blocks:    

Description Miroslav Grepl 2015-11-13 11:47:38 UTC
+++ This bug was initially created as a clone of Bug #1279006 +++

Description of problem:
Trying to specify an mls/mcs security level to run an X based sandbox fails

Version-Release number of selected component (if applicable):
policycoreutils-python-utils-2.4-14.fc23.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Try to start and X based sandbox
2.
3.

Actual results:
sandbox -X -t sandbox_web_t -l s0:c455,c394 -H ~/firefox_home/ -T ~/firefox_tmp/ firefox
/usr/bin/sandbox:440: PyGIWarning: Gtk was imported without specifying a version first. Use gi.require_version('Gtk', '3.0') before import to ensure that the right version gets loaded.
  from gi.repository import Gtk
grep: /home/user/.sandboxrc: Permission denied
mkdir: cannot create directory ‘/home/user’: Permission denied
/usr/share/sandbox/sandboxX.sh: line 10: /home/user/.config/openbox/rc.xml: Permission denied

audit msg

type=SELINUX_ERR msg=audit(1446866347.983:1067): op=security_bounded_transition seresult=denied oldcontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c394,c455 newcontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c394,c455

Expected results:
The X based sandbox starts just as it would if the level was left to be random.

Additional info:

--- Additional comment from Miroslav Grepl on 2015-11-09 03:14:13 EST ---

Nice catch. 

It looks there is more issues and given MCS is not propagated. The mentioned AVC does not block it. There are another AVCs caused by this reproducer.

Comment 1 Lukas Vrabec 2015-12-08 13:49:32 UTC
Mirek, do you have these AVCs? 

Thank you.

Comment 2 Miroslav Grepl 2015-12-11 08:33:06 UTC
(In reply to Lukas Vrabec from comment #1)
> Mirek, do you have these AVCs? 
> 
> Thank you.

Just try to run

sandbox -X -t sandbox_web_t -l s0:c455,c394 -H ~/firefox_home/ -T ~/firefox_tmp/ firefox

and you will get them.

Comment 3 Miroslav Grepl 2015-12-20 11:56:43 UTC
Together with policycoreutils-sandbox fixes and with

https://github.com/fedora-selinux/selinux-policy/commit/05ddb159c46c5eda87df6d4df35519b180d9bf17

we would have it working.

Comment 4 Fedora Update System 2016-01-14 13:16:08 UTC
selinux-policy-3.13.1-158.2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-7cb7ac5cb9

Comment 5 Fedora Update System 2016-01-15 18:54:03 UTC
selinux-policy-3.13.1-158.2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-7cb7ac5cb9

Comment 6 Fedora Update System 2016-01-22 02:21:06 UTC
selinux-policy-3.13.1-158.2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.