Bug 2149142

| Summary: | sandbox -X stopped working under Wayland on Fedora 37 | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Timo Trinks <ttrinks> |
| Component: | policycoreutils | Assignee: | Petr Lautrbach <plautrba> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 40 | CC: | dwalsh, lvrabec, mmalik, plautrba, vmojzis |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | policycoreutils-3.7-3.fc40 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2024-09-25 02:53:10 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description

Timo Trinks, 2022-11-29 02:09:49 UTC

Something has changed in respect of X server access control. It works if `xhost +` is run before `sandbox -X firefox`.

Hi Petr! I can confirm that a `xhost +SI:localuser:<username>` addresses this under Wayland on Fedora 37 - thank you very much!

Cheers,
Timo

It seems to be related to this change https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/2633 and therefore only authorized X clients can connect. Other compositors like sway or wayfire still use "SI:localuser:<username>" and are not affected. I guess that we would need to propagate the .Xauthority file into the unshared sandbox environment. In the meantime I suggest using the workaround mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=2149142#c2:

`xhost +SI:localuser:<username>`

Hello Petr! Thanks for having another look. As per my previous comment the proposed workaround (xhost +SI:localuser:<username>) works (on Wayland) and I have been using it ever since. A more pressing issue is that audio has stopped working in SELinux sandboxed (via /usr/bin/sandbox) applications [1]. This experience is not isolated to me and has been reported by other users (see details in Bugzilla 2215499 [1]). Not sure whether this is more of a sandbox <-> dbus <-> selinux issue; perhaps you have an idea...

Cheers,
Timo

[1] https://bugzilla.redhat.com/show_bug.cgi?id=2215499

This message is a reminder that Fedora Linux 37 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 37 on 2023-12-05. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '37'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, change the 'version' to a later Fedora Linux version. Note that the version field may be hidden. Click the "Show advanced fields" button if you do not see it.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora Linux 37 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora Linux, you are encouraged to change the 'version' to a later version prior to this bug being closed.

I'm working on support for XWayland in sandbox when it's run in a Wayland session.

The development branch is https://github.com/bachradsusi/selinux/tree/XWayland

You can test it using rpms from my https://copr.fedorainfracloud.org/coprs/plautrba/sandbox-wayland/ COPR repository.

In my environment the improved sandbox -X works without `xhost` and audio works as expected.

It requires the Rawhide selinux-policy package and this small local SELinux module:

```
module sandbox-wayland 1.0;

require {
    type sandbox_xserver_tmpfs_t;
    type sysctl_dev_t;
    type sandbox_xserver_t;
    type sandbox_web_client_t;
    type dri_device_t;
    class file { getattr map open read write };
    class dir search;
    class chr_file { read write };
}

#============= sandbox_xserver_t ==============

# Nested X server: map its own tmpfs-backed files and read /proc/sys/dev.
#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow sandbox_xserver_t sandbox_xserver_tmpfs_t:file map;
allow sandbox_xserver_t sysctl_dev_t:dir search;
allow sandbox_xserver_t sysctl_dev_t:file { getattr open read };

# Sandboxed web client: DRI device access and the X server's tmpfs files.
allow sandbox_web_client_t dri_device_t:chr_file { read write };
allow sandbox_web_client_t sandbox_xserver_tmpfs_t:file { read write };
```

It would be great if you tested it and provided feedback on how it works for you.

This message is a reminder that Fedora Linux 38 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 38 on 2024-05-21. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '38'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, change the 'version' to a later Fedora Linux version. Note that the version field may be hidden. Click the "Show advanced fields" button if you do not see it.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora Linux 38 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora Linux, you are encouraged to change the 'version' to a later version prior to this bug being closed.

FEDORA-2024-29469eb8ae (checkpolicy-3.7-2.fc40, libselinux-3.7-5.fc40, and 5 more) has been submitted as an update to Fedora 40. https://bodhi.fedoraproject.org/updates/FEDORA-2024-29469eb8ae

FEDORA-2024-29469eb8ae has been pushed to the Fedora 40 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-29469eb8ae`

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-29469eb8ae

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

(In reply to Petr Lautrbach from comment #6)
> I'm working on support for XWayland in sandbox when it's run in Wayland
> session.
>
> The development branch is
> https://github.com/bachradsusi/selinux/tree/XWayland
> You can test it using rpms from my
> https://copr.fedorainfracloud.org/coprs/plautrba/sandbox-wayland/ COPR
> repository.
>
> In my environment improved sandbox -X works without `xhost` and audio works
> as expected.
>
> It requires Rawhide selinux-policy package and this small local SELinux
> module:
>
>
> module sandbox-wayland 1.0;
>
> require {
>     type sandbox_xserver_tmpfs_t;
>     type sysctl_dev_t;
>     type sandbox_xserver_t;
>     type sandbox_web_client_t;
>     type dri_device_t;
>     class file { getattr map open read write };
>     class dir search;
>     class chr_file { read write };
> }
>
> #============= sandbox_xserver_t ==============
>
> #!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
> allow sandbox_xserver_t sandbox_xserver_tmpfs_t:file map;
> allow sandbox_xserver_t sysctl_dev_t:dir search;
> allow sandbox_xserver_t sysctl_dev_t:file { getattr open read };
>
> allow sandbox_web_client_t dri_device_t:chr_file { read write };
> allow sandbox_web_client_t sandbox_xserver_tmpfs_t:file { read write };
>
>
>
> It would be great if you tested it and provide me feedback how it works for
> you.

Sorry, @plautrba - I only saw this now (too busy with other stuff). This is great!! - any chance to get this into the official Fedora repos asap?

FEDORA-2024-29469eb8ae (checkpolicy-3.7-2.fc40, libselinux-3.7-5.fc40, and 5 more) has been pushed to the Fedora 40 stable repository. If problem still persists, please make note of it in this bug report.
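Added example, not from the bug report or from policycoreutils: a POSIX shell helper that reads `xhost` output and tells the narrow `+SI:localuser:<username>` workaround from the thread apart from `xhost +`, which switches X access control off for every client that can reach the socket, plus the standard checkmodule/semodule_package/semodule sequence for loading a local module such as sandbox-wayland. The sample `xhost` output, the user name `exampleuser` and the file name `sandbox-wayland.te` are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report or from policycoreutils).
# The sample xhost output and the user name "exampleuser" are constructed.

# xhost_state USER   (reads `xhost` output on stdin)
# Prints "disabled" when access control is off for every client (`xhost +`),
# "localuser" when USER is authorised through the narrow
# `xhost +SI:localuser:USER` entry, and "none" otherwise.
xhost_state() {
    user="$1"
    state="none"
    while IFS= read -r line; do
        case "$line" in
            "access control disabled"*)
                state="disabled"
                break
                ;;
            "SI:localuser:$user")
                state="localuser"
                ;;
        esac
    done
    printf '%s\n' "$state"
}

# install_local_module NAME   (expects NAME.te in the current directory)
# Compiles a type-enforcement source such as sandbox-wayland.te into a
# loadable package and installs it; needs root and the checkpolicy package.
install_local_module() {
    name="$1"
    checkmodule -M -m -o "$name.mod" "$name.te" &&
    semodule_package -o "$name.pp" -m "$name.mod" &&
    semodule -i "$name.pp"
}

# Constructed xhost output for the three cases; real output has the same
# status line followed by one authorised entry per line.
XHOST_OPEN='access control disabled, clients can connect from any host
SI:localuser:exampleuser'
XHOST_NARROW='access control enabled, only authorized clients can connect
SI:localuser:exampleuser'
XHOST_NONE='access control enabled, only authorized clients can connect'

if [ "$(printf '%s\n' "$XHOST_OPEN" | xhost_state exampleuser)" = disabled ]; then
    echo "xhost + is in effect: any local client can reach the X server"
fi
```

On a live system pipe the real command instead: `xhost | xhost_state "$USER"`.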