Bug 1474082
| Summary: | sandbox -X no longer working, SELinux violations | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Dimitris <dimitris.on.linux> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 27 | CC: | carl, dwalsh, herrold, idayson, lvrabec, mgrepl, mkp, mpalenik, plautrba, pmoore, vmojzis |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.13.1-283.21.fc27 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-01-10 02:05:58 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
It's related to Wayland. The same command works with X.org.
When Wayland is used, there are file like '/run/user/1001/wayland-cursor-shared-2Xw77u' created, mapped and removed. And it's not allowed in the current policy.
The following rules should allow 'sandbox -X' to run applications in Wayland in Fedora 26:
allow sandbox_x_t user_tmp_t:dir { write add_name remove_name };
allow sandbox_x_t user_tmp_t:file { map create unlink };
allow sandbox_x_t sandbox_x_client_tmpfs_t:file { map };
In Fedora 27 we support nnp_transition therefore we can use them:
allow sandbox_x_t sandbox_x_client_t:process2 nnp_transition;
allow sandbox_x_t sandbox_xserver_t:process2 nnp_transition;
allow sandbox_x_client_t user_tmp_t:dir { write add_name remove_name };
allow sandbox_x_client_t user_tmp_t:file { map create unlink };
allow sandbox_x_client_t sandbox_x_client_tmpfs_t:file { map };
Note, I need to do more investigation around Wayland and how to use it and investigate a possible impact of the rules above. For now you can either switch to X.org or use the rules in a local temporary policy.
Just updating to F27 (still reproduces) *** Bug 1528783 has been marked as a duplicate of this bug. *** commit a8e9d06aa170c2f490aa03539f5540a268275dc6 (HEAD -> f27, origin/f27)
Author: Lukas Vrabec <lvrabec>
Date: Wed Jan 3 17:57:23 2018 +0100
Make working SELinux sandbox with Wayland. BZ(1474082)
selinux-policy-3.13.1-283.20.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-0d8506aba4 selinux-policy-3.13.1-283.20.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-0d8506aba4 selinux-policy-3.13.1-283.21.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-0d8506aba4 X apps work as expected but I'm afraid that PulseAudio is broken still. selinux-policy-3.13.1-283.21.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-0d8506aba4 selinux-policy-3.13.1-283.21.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report. Still fails for me.
grep denied /var/log/audit/audit.log | audit2allow | less
#============= sandbox_x_client_t ==============
allow sandbox_x_client_t cert_t:file map;
#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow sandbox_x_client_t http_port_t:tcp_socket name_connect;
allow sandbox_x_client_t lib_t:dir setattr;
allow sandbox_x_client_t system_dbusd_var_lib_t:lnk_file { getattr read };
allow sandbox_x_client_t systemd_logind_var_run_t:file read;
#============= sshd_t ==============
allow sshd_t init_t:dbus send_msg;
#============= systemd_logind_t ==============
allow systemd_logind_t sandbox_xserver_t:shm destroy;
|
Description of problem: Looks like a regression from F25 (or F24, not quite sure). Version-Release number of selected component (if applicable): 2.6-5.fc26 How reproducible: Every time Steps to Reproduce: 1. run `sandbox -X -t sandbox_x_t evince /tmp/file.pdf` 2. Nested X Server window momentarily pops up 2. Fails, apparently due to a number of SELinux denials Actual results: Can't execute evince in X sandbox like I used to Expected results: Used to be able to use sandboxed evince for random PDFs Additional info: Two AVCs: SELinux is preventing evince from write access on the directory /run/user/1000. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that evince should be allowed write access on the 1000 directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'evince' --raw | audit2allow -M my-evince # semodule -X 300 -i my-evince.pp Additional Information: Source Context unconfined_u:unconfined_r:sandbox_x_t:s0:c483,c904 Target Context system_u:object_r:user_tmp_t:s0 Target Objects /run/user/1000 [ dir ] Source evince Source Path evince Port <Unknown> Host vimes Source RPM Packages Target RPM Packages Policy RPM <Unknown> Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name vimes Platform Linux vimes 4.11.11-300.fc26.x86_64 #1 SMP Mon Jul 17 16:32:11 UTC 2017 x86_64 x86_64 Alert Count 6 First Seen 2017-07-23 11:26:57 PDT Last Seen 2017-07-23 11:26:58 PDT Local ID e9610547-cb4f-4010-97cc-196bb6b75ae1 Raw Audit Messages type=AVC msg=audit(1500834418.306:1418): avc: denied { write } for pid=24349 comm="xdg-desktop-por" name="/" dev="tmpfs" ino=35074 scontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c483,c904 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir permissive=0 Hash: evince,sandbox_x_t,user_tmp_t,dir,write and: SELinux is preventing evince from read access on the lnk_file /var/lib/dbus/machine-id. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that evince should be allowed read access on the machine-id lnk_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'evince' --raw | audit2allow -M my-evince # semodule -X 300 -i my-evince.pp Additional Information: Source Context unconfined_u:unconfined_r:sandbox_x_t:s0:c483,c904 Target Context system_u:object_r:system_dbusd_var_lib_t:s0 Target Objects /var/lib/dbus/machine-id [ lnk_file ] Source evince Source Path evince Port <Unknown> Host vimes Source RPM Packages Target RPM Packages Policy RPM <Unknown> Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name vimes Platform Linux vimes 4.11.11-300.fc26.x86_64 #1 SMP Mon Jul 17 16:32:11 UTC 2017 x86_64 x86_64 Alert Count 1 First Seen 2017-07-23 11:26:58 PDT Last Seen 2017-07-23 11:26:58 PDT Local ID 03107ff5-6e62-4322-9a8b-862ee82682b6 Raw Audit Messages type=AVC msg=audit(1500834418.358:1420): avc: denied { read } for pid=24300 comm="evince" name="machine-id" dev="dm-1" ino=12451917 scontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c483,c904 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=lnk_file permissive=0 Hash: evince,sandbox_x_t,system_dbusd_var_lib_t,lnk_file,read