Bug 2310845
| Summary: | sandbox -X seems to output nothing and no AVCs | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Krish Jain <kjain7> | ||||
| Component: | policycoreutils | Assignee: | Petr Lautrbach <plautrba> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 40 | CC: | dwalsh, lvrabec, mmalik, omosnacek, pkoncity, plautrba, vmojzis, zpytela | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | policycoreutils-3.7-3.fc40 | Doc Type: | If docs needed, set a value | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2024-09-25 02:53:18 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
|
Description
Krish Jain
2024-09-09 13:42:26 UTC
Works for me with selinux-policy-41.17-1.fc41.noarch I don't see any seunshare problem in logs Is it a fresh system? Do you see any changes in: # rpm -V policycoreutils-sandbox Would reinstall of sandbox help: # dnf reinstall policycoreutils-sandbox Does it work in permissive mode? sudo setenforce 0; sandbox -X firefox kjain@zephyr:~$ rpm -V policycoreutils-sandbox kjain@zephyr:~$ sudo dnf reinstall policycoreutils-sandbox [sudo] password for kjain: Fedora 40 - x86_64 - Updates 9.7 kB/s | 5.5 kB 00:00 Dependencies resolved. ======================================================================================================== Package Architecture Version Repository Size ======================================================================================================== Reinstalling: policycoreutils-sandbox x86_64 3.6-3.fc40 fedora 57 k Transaction Summary ======================================================================================================== Total download size: 57 k Installed size: 135 k Is this ok [y/N]: y Downloading Packages: policycoreutils-sandbox-3.6-3.fc40.x86_64.rpm 73 kB/s | 57 kB 00:00 -------------------------------------------------------------------------------------------------------- Total 58 kB/s | 57 kB 00:00 Running transaction check Transaction check succeeded. Running transaction test Transaction test succeeded. Running transaction Preparing : 1/1 Reinstalling : policycoreutils-sandbox-3.6-3.fc40.x86_64 1/2 Cleanup : policycoreutils-sandbox-3.6-3.fc40.x86_64 2/2 Running scriptlet: policycoreutils-sandbox-3.6-3.fc40.x86_64 2/2 Reinstalled: policycoreutils-sandbox-3.6-3.fc40.x86_64 Complete! kjain@zephyr:~$ sandbox -X firefox kjain@zephyr:~$ Doesn't work with sudo setenforce 0; sandbox -X firefox. Dan Walsh already asked me in the email thread Does it work on Rawhide with policycoreutils-3.7 ? I did test on Rawhide a while back. Not sure what version of policycoreutils but it didn't work. Dan says this > I played with this a little and sandbox COMMAND seems to be working, but sandbox -X COMMAND is failing silenting. Nothing I saw in the strace to help me understand why. Someone needs to examine the sandbox tools to see why they are exiting. > The first command is just exiting. $ sandbox -X id -Z But if I drop the -X option, it works. $ sandbox id -Z unconfined_u:unconfined_r:sandbox_t:s0:c113,c922 Looks like an issue in seunshare. To install policycoreutils-3.7 you can use my COPR repo: $ sudo dnf copr enable plautrba/selinux-fedora $ sudo dnf update policycoreutils-sandbox with this, `sandbox -X firefox` works in permissive. In order to make it run in enforcing, you would need the latest selinux-policy from rawhide. Tested, I can confirm this works. Can you backport this to Fedora release (40)? FEDORA-2024-29469eb8ae (checkpolicy-3.7-2.fc40, libselinux-3.7-5.fc40, and 5 more) has been submitted as an update to Fedora 40. https://bodhi.fedoraproject.org/updates/FEDORA-2024-29469eb8ae FEDORA-2024-29469eb8ae has been pushed to the Fedora 40 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-29469eb8ae` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-29469eb8ae See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2024-29469eb8ae (checkpolicy-3.7-2.fc40, libselinux-3.7-5.fc40, and 5 more) has been pushed to the Fedora 40 stable repository. If problem still persists, please make note of it in this bug report. |