Bug 798916
| Summary: | SELinux is preventing /usr/bin/Xephyr from using the signal access on a process. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Germano Massullo <germano.massullo> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 16 | CC: | dominick.grift, dwalsh, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.10.0-80.fc16 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-03-24 00:37:08 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Could you run it this way $ sandbox -X -t sandbox_web_t firefox -W metacity Xephyr does not work for a reason. Black screen plus selinux warning sorry black X window, not entire screen Does it work in permissive mode? $ setenfroce 0 $ sandbox -X -t sandbox_web_t firefox -W metacity no it doesn't Any errors or warnings in your terminal? In terminal not, I had another SELinux warning
SELinux is preventing /usr/bin/Xephyr from using the signal access on a process.
***** Plugin catchall (100. confidence) suggerisce****************************
Seyou believe that Xephyr should be allowed signal access on processes labeled sandbox_xserver_t by default.
Quindiyou should report this as a bug.
You can generate a local policy module to allow this access.
Fai
allow this access for now by executing:
# grep Xephyr /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Informazioni addizionali:
Contesto della sorgente unconfined_u:unconfined_r:sandbox_xserver_t:s0:c48
8,c623
Contesto target unconfined_u:unconfined_r:sandbox_xserver_t:s0:c48
8,c623
Oggetti target [ process ]
Sorgente Xephyr
Percorso della sorgente /usr/bin/Xephyr
Porta <Sconosciuto>
Host Magic-4
Sorgente Pacchetti RPM xorg-x11-server-Xephyr-1.11.4-1.fc16.x86_64
Pacchetti RPM target
RPM della policy selinux-policy-3.10.0-75.fc16.noarch
Selinux abilitato True
Tipo di policy targeted
Modalità Enforcing Permissive
Host Name Magic-4
Piattaforma Linux Magic-4 3.2.7-1.fc16.x86_64 #1 SMP Tue Feb
21 01:40:47 UTC 2012 x86_64 x86_64
Conteggio avvisi 1
Primo visto gio 01 mar 2012 13:23:45 CET
Ultimo visto gio 01 mar 2012 13:23:45 CET
ID locale
Messaggi Raw Audit
type=AVC msg=audit(1330604625.927:147): avc: denied { signal } for pid=5873 comm="Xephyr" scontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c488,c623 tcontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c488,c623 tclass=process
type=SYSCALL msg=audit(1330604625.927:147): arch=x86_64 syscall=tgkill success=yes exit=0 a0=16f1 a1=16f1 a2=22 a3=0 items=0 ppid=5864 pid=5873 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=Xephyr exe=/usr/bin/Xephyr subj=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c488,c623 key=(null)
Hash: Xephyr,sandbox_xserver_t,sandbox_xserver_t,process,signal
audit2allow
#============= sandbox_xserver_t ==============
allow sandbox_xserver_t self:process signal;
audit2allow -R
#============= sandbox_xserver_t ==============
allow sandbox_xserver_t self:process signal;
I see no reason not to allow this. Yes, but I am trying to figure out why it does not work also in permissive mode. Try sandbox -X -t sandbox_web_t -W metacity firefox (In reply to comment #10) > Try > > sandbox -X -t sandbox_web_t -W metacity firefox comment #1 and #2 Except you had firefox -W metacity Rather then -W metacity firefox Meaning the sandbox never saw the alternate window manager. Ah, you are right. Have I to do some other special tries? No, just use $ sandbox -X -t sandbox_web_t -W metacity firefox it works but it gives the warning selinux-policy-3.10.0-80.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/FEDORA-2012-2733/selinux-policy-3.10.0-80.fc16 Package selinux-policy-3.10.0-80.fc16: * should fix your issue, * was pushed to the Fedora 16 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-80.fc16' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-2733/selinux-policy-3.10.0-80.fc16 then log in and leave karma (feedback). While doing rpm -Uvh --force http://kojipkgs.fedoraproject.org/packages/selinux-policy/3.10.0/81.fc16/noarch/selinux-policy-3.10.0-81.fc16.noarch.rpm http://kojipkgs.fedoraproject.org/packages/selinux-policy/3.10.0/81.fc16/noarch/selinux-policy-targeted-3.10.0-81.fc16.noarch.rpm I obtained /usr/share/selinux/devel/include/apps/jockey.if: Syntax error on line 194666 jockey_cache_t [type=IDENTIFIER] After testing I will relase the karma point selinux-policy-3.10.0-80.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report. Well done $sandbox -X -t sandbox_web_t -W metacity firefox works well |
Speaking about internet security with the guys in #fedora-selinux on Freenode, they suggested me to try to run firefox in a sandbox So I first did: #yum install policycoreutils-sandbox and then $sandbox -X -t sandbox_web_t firefox but I got a black screen with only X mouse pointer, and I got the following SELinux warning. SELinux is preventing /usr/bin/Xephyr from using the signal access on a process. ***** Plugin catchall (100. confidence) suggerisce**************************** Seyou believe that Xephyr should be allowed signal access on processes labeled sandbox_xserver_t by default. Quindiyou should report this as a bug. You can generate a local policy module to allow this access. Fai allow this access for now by executing: # grep Xephyr /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Informazioni addizionali: Contesto della sorgente unconfined_u:unconfined_r:sandbox_xserver_t:s0:c68 5,c767 Contesto target unconfined_u:unconfined_r:sandbox_xserver_t:s0:c68 5,c767 Oggetti target [ process ] Sorgente Xephyr Percorso della sorgente /usr/bin/Xephyr Porta <Sconosciuto> Host Magic-4 Sorgente Pacchetti RPM xorg-x11-server-Xephyr-1.11.4-1.fc16.x86_64 Pacchetti RPM target RPM della policy selinux-policy-3.10.0-75.fc16.noarch Selinux abilitato True Tipo di policy targeted Modalità Enforcing Enforcing Host Name Magic-4 Piattaforma Linux Magic-4 3.2.7-1.fc16.x86_64 #1 SMP Tue Feb 21 01:40:47 UTC 2012 x86_64 x86_64 Conteggio avvisi 1 Primo visto gio 01 mar 2012 10:05:28 CET Ultimo visto gio 01 mar 2012 10:05:28 CET ID locale Messaggi Raw Audit type=AVC msg=audit(1330592728.579:116): avc: denied { signal } for pid=4034 comm="Xephyr" scontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c685,c767 tcontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c685,c767 tclass=process type=SYSCALL msg=audit(1330592728.579:116): arch=x86_64 syscall=tgkill success=no exit=EACCES a0=fc2 a1=fc2 a2=22 a3=0 items=0 ppid=4027 pid=4034 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=Xephyr exe=/usr/bin/Xephyr subj=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c685,c767 key=(null) Hash: Xephyr,sandbox_xserver_t,sandbox_xserver_t,process,signal audit2allow #============= sandbox_xserver_t ============== allow sandbox_xserver_t self:process signal; audit2allow -R #============= sandbox_xserver_t ============== allow sandbox_xserver_t self:process signal; After that they asked me if I was using KDE (yes) so suggested me to use sandbox -t sandbox_web_t -W metacity -w 1672x968 -X firefox and it worked but it generated the same SELinux warning SELinux is preventing /usr/bin/Xephyr from using the signal access on a process. ***** Plugin catchall (100. confidence) suggerisce**************************** Seyou believe that Xephyr should be allowed signal access on processes labeled sandbox_xserver_t by default. Quindiyou should report this as a bug. You can generate a local policy module to allow this access. Fai allow this access for now by executing: # grep Xephyr /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Informazioni addizionali: Contesto della sorgente unconfined_u:unconfined_r:sandbox_xserver_t:s0:c21 6,c791 Contesto target unconfined_u:unconfined_r:sandbox_xserver_t:s0:c21 6,c791 Oggetti target [ process ] Sorgente Xephyr Percorso della sorgente /usr/bin/Xephyr Porta <Sconosciuto> Host Magic-4 Sorgente Pacchetti RPM xorg-x11-server-Xephyr-1.11.4-1.fc16.x86_64 Pacchetti RPM target RPM della policy selinux-policy-3.10.0-75.fc16.noarch Selinux abilitato True Tipo di policy targeted Modalità Enforcing Enforcing Host Name Magic-4 Piattaforma Linux Magic-4 3.2.7-1.fc16.x86_64 #1 SMP Tue Feb 21 01:40:47 UTC 2012 x86_64 x86_64 Conteggio avvisi 1 Primo visto gio 01 mar 2012 10:20:03 CET Ultimo visto gio 01 mar 2012 10:20:03 CET ID locale Messaggi Raw Audit type=AVC msg=audit(1330593603.991:118): avc: denied { signal } for pid=4420 comm="Xephyr" scontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c216,c791 tcontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c216,c791 tclass=process type=SYSCALL msg=audit(1330593603.991:118): arch=x86_64 syscall=tgkill success=no exit=EACCES a0=1144 a1=1144 a2=22 a3=0 items=0 ppid=4413 pid=4420 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=Xephyr exe=/usr/bin/Xephyr subj=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c216,c791 key=(null) Hash: Xephyr,sandbox_xserver_t,sandbox_xserver_t,process,signal audit2allow #============= sandbox_xserver_t ============== allow sandbox_xserver_t self:process signal; audit2allow -R #============= sandbox_xserver_t ============== allow sandbox_xserver_t self:process signal; Additional infos: KDE 4.7 nVidia drivers 290.10