Bug 695934

Summary: Sandbox does not run with NX client
Product: [Fedora] Fedora
Reporter: paslebihan
Component: nx
Assignee: Axel Thimm <axel.thimm>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 13
CC: axel.thimm, dwalsh, gwync, mgrepl, ville.skytta
Hardware: i686
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-06-27 11:50:13 UTC

Description paslebihan 2011-04-12 22:30:48 UTC
Description of problem:
The sandbox screen does not display via NX client.

Version-Release number of selected component (if applicable):
2.0.83-33.1.fc13

How reproducible: Always

Steps:
The freenx-server.i686 package is installed on the server.
The policycoreutils-sandbox.i686 is installed on the server.
The server is accessed by a NoMachine NX client.
Under the NX client, when launching the sandbox program, for example by:

    sandbox -X xterm

the process dies without displaying a screen.


Additional info:
The problem comes from the Xephyr server, which complains: 'Xephyr cannot open host display. Is DISPLAY set ?'.
Xephyr is called in the bash file /usr/share/sandbox/sandboxX.sh by:

    /usr/bin/Xephyr -title "$TITLE" -terminate -screen $SCREENSIZE -displayfd 5 5>&1

Comment 1 paslebihan 2011-04-13 05:25:35 UTC
Desktop: GNOME or XFCE

Comment 2 Daniel Walsh 2011-04-13 15:24:53 UTC
If you run Xephyr directly does it work?  Are you seeing any AVC messages?

Comment 3 paslebihan 2011-04-15 13:48:57 UTC
Yes Xephyr works.
Even launching directly /usr/share/sandbox/sandboxX.sh works.

Comment 4 Daniel Walsh 2011-04-15 15:23:29 UTC
Then you must be getting AVCs.

Comment 5 paslebihan 2011-04-15 17:30:33 UTC
I don't see any AVC in /var/log/messages.
Besides, the behavior is the same in permissive mode (setenforce 0).

Comment 6 Daniel Walsh 2011-04-18 19:44:08 UTC
In that case this is a problem of namespacing.  The $HOME and /tmp are being mounted over before the Xephyr is started.  I guess you would have to figure out the files that are being mounted over.  It could also be a bug in that NX is looking for /tmp/.X11-unix/X0 rather than using the abstract namespace.

Let's see if the nx guys have any ideas.

Comment 7 paslebihan 2011-04-25 18:01:18 UTC
Could you explain this procedure in the program sandbox?

def __copyfiles(self):
    # files to carry into the sandbox (populated by -i / -I, see comment 8)
    files = self.__init_files + self.__paths
    homedir = pwd.getpwuid(os.getuid()).pw_dir
    for f in files:
        # copy f from the real home and /tmp into the sandbox's private copies
        copyfile(f, homedir, self.__homedir)
        copyfile(f, "/tmp", self.__tmpdir)

Does it perform a copy of all files in homedir and /tmp to the mounted polyinstantiated folders?
What does the variable 'files' represent in the loop 'for f in files:'?

Comment 8 Daniel Walsh 2011-04-25 19:28:32 UTC
sandbox -i and sandbox -I populate files.

For example:

sandbox -i ~/.mozilla -X -t sandbox_web_t -W metacity -w 1000x900 firefox $*

Comment 9 paslebihan 2011-04-26 06:38:23 UTC
Does that mean that, unless -i is used, the mounted /tmp and homedir are empty?

When trying under NX (with setenforce 0):

sandbox -i ~/.mozilla -X xterm

the program aborts and displays 'File exists'. Is that normal?

When trying:

    sandbox -i /tmp/.X11-unix -X xterm

it displays:

    [Errno 6] No such device or address: '/tmp/.X11-unix/X2000'

Comment 10 Daniel Walsh 2011-04-26 14:35:16 UTC
Same problem.  You would want to do

    sandbox -i NXFILES -X xterm

to make this work.  What is happening, I believe, is that some file used by NX to allow access to the remote display is not being passed.  It could be ~/.Xauthority or something like the /tmp/.X11-unix directory.

What do these show?

echo $XAUTHORITY
echo $DISPLAY

Comment 11 paslebihan 2011-04-27 05:40:07 UTC
$XAUTHORITY is blank
$DISPLAY is :2000.0

Comment 12 Daniel Walsh 2011-04-28 19:21:34 UTC
Is NX only listening at /tmp/.X11-unix/X2000

and not at

@/tmp/.X11-unix/X2000 ?

It should use that by default.

Comment 13 paslebihan 2011-04-29 07:38:24 UTC
Apparently it is not a NX problem.

Indeed, the same problem occurs when I connect using ssh + XMing (Xserver under Windows).
I can launch xterm or Xephyr in a window but the command 'sandbox -X xterm' fails with the message 'Xephyr cannot open host display. Is DISPLAY set?'

Comment 14 Daniel Walsh 2011-04-29 15:11:41 UTC
Well, they both have the same bug, ssh and NX, in that they are relying on /tmp containing /tmp/.X11-unix/...

They both should be using the abstract namespace like the X server does.  Then the user can do what he wants with /tmp, including mount over it.

Comment 15 Axel Thimm 2011-04-30 13:51:40 UTC
nx and freenx-server both use /tmp, not the @/tmp abstract namespace, for /tmp/.X11-unix and several other nx-specific bits.

One could s|/tmp/.X11-unix|@/tmp/.X11-unix|g on the source and hope for the best. Since nx/freenx are not Linux-specific, a patch would not make it upstream.

Given that ssh is not likely to be patched, maybe there could be another solution to passing xauthority/display?

Comment 16 Daniel Walsh 2011-05-03 19:43:51 UTC
Any chance of just setting up fallbacks?  This is what Xlib is doing: it tries both the real and the abstract namespace.
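A diagnostic for the socket question raised in comments 10, 12, 14 and 16 (an added example, not code from this bug, the sandbox package or nx): it parses $DISPLAY and tries to connect to the display's Unix socket both in the abstract namespace and at the /tmp/.X11-unix path, the two places Xlib tries. A display reachable only through the filesystem path is exactly the case that breaks once /tmp is mounted over. The function names and the socket_dir parameter are assumptions of the example.

```python
import os
import socket

# Default directory where X servers place their filesystem sockets.
X11_SOCKET_DIR = "/tmp/.X11-unix"


def parse_display(display):
    """Return the display number from a local DISPLAY string like ':2000.0'.

    Only local displays (no host part) are handled, which is what the NX
    session in this report uses.  Raises ValueError for anything else.
    """
    if not display or not display.startswith(":"):
        raise ValueError("not a local display: %r" % (display,))
    return int(display[1:].split(".", 1)[0])


def socket_candidates(display_number, socket_dir=X11_SOCKET_DIR):
    """The two places an X server may listen for local display N.

    Xlib tries the abstract socket first (leading NUL byte, no filesystem
    entry, so it survives /tmp being mounted over) and then the filesystem
    socket, which is the only one NX/FreeNX and ssh forwarding create.
    """
    path = "%s/X%d" % (socket_dir, display_number)
    return [("abstract", "\0" + path), ("filesystem", path)]


def probe_display(display, socket_dir=X11_SOCKET_DIR, timeout=1.0):
    """Try to connect to each candidate; return {'abstract': bool, 'filesystem': bool}."""
    results = {}
    for kind, address in socket_candidates(parse_display(display), socket_dir):
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        try:
            sock.connect(address)
            results[kind] = True
        except OSError:
            results[kind] = False
        finally:
            sock.close()
    return results


if __name__ == "__main__":
    # Run inside the NX session, then again inside 'sandbox -X', to compare.
    for kind, ok in sorted(probe_display(os.environ.get("DISPLAY", "")).items()):
        print("%-10s %s" % (kind, "reachable" if ok else "not reachable"))
```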

Comment 17 paslebihan 2011-05-11 06:25:50 UTC
The same problem occurs using pam_namespace.so in /etc/pam.d/sshd.
FreeNX does not work with a polyinstantiated /tmp folder.
It seems related to https://bugzilla.redhat.com/show_bug.cgi?id=503181.

Comment 18 paslebihan 2011-05-12 17:55:00 UTC
The problem with pam_namespace.so and the polyinstantiation of /tmp is solved by adding the following to namespace.init:

if [ "$1" = /tmp ]; then
    mkdir -p -- "/tmp/.X11-unix"
    chmod 1777 "/tmp/.X11-unix"
fi

The missing .X11-unix folder was preventing FreeNX from running.

Comment 19 Bug Zapper 2011-05-30 10:43:14 UTC
This message is a reminder that Fedora 13 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 13.  It is Fedora's policy to close all bug reports from releases that are no longer maintained.  At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '13'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 13's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 13 is end of life.  If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version.  If you are unable to change the version, please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events.  Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

The process we are following is described here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 20 Bug Zapper 2011-06-27 11:50:13 UTC
Fedora 13 changed to end-of-life (EOL) status on 2011-06-25. Fedora 13 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.