Bug 564386

Summary: sandbox doesn't work with non-standard home directory locations
Product: [Fedora] Fedora Reporter: Dax Kelson <dkelson>
Component: policycoreutilsAssignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 12CC: dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: policycoreutils-2.0.79-2.fc13 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-03-05 03:34:06 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Dax Kelson 2010-02-12 15:48:22 UTC 
Description of problem:

My home directory is /data/home/username

I ran sandbox -X untrusted-app

Shortly after I noticed that my whole GNOME desktop had been sucked into the sandbox. My applications all started segfaulting and the whole GNOME interface went pear shaped. I ended up switching to virtual terminal and control-alt-deleting to reboot. I saw errors during shutdown about busy filesystems not being able to be unmounted.

Closing the sandboxed application did not help.

I'm pretty sure that SELinux handles labeling non-standard home directories with user_home_dir_t correctly. Maybe the logic for that can be adapted for use by sandbox?

Version-Release number of selected component (if applicable):
policycoreutils-sandbox-2.0.78-12.fc12.x86_64
Comment 1 Daniel Walsh 2010-02-17 20:14:48 UTC 
policycoreutils-2.0.79-2 Will check to see if the $HOMEDIR begins with a mount --shared directory, if not it will complain.

$ sandbox -X xterm
/usr/bin/sandbox: 
'/data/home' is required to be a shared mount point for this tool to run.  
'/data/home' can be added to the HOMEDIR variable in /etc/sysconfig/sandbox
 along with a reboot will fix the problem.
Comment 2 Fedora Update System 2010-02-18 15:56:59 UTC 
policycoreutils-2.0.79-2.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/policycoreutils-2.0.79-2.fc13
Comment 3 Fedora Update System 2010-02-20 00:29:15 UTC 
policycoreutils-2.0.79-2.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update policycoreutils'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F13/FEDORA-2010-1730
Comment 4 Fedora Update System 2010-03-05 03:33:57 UTC 
policycoreutils-2.0.79-2.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.