Bug 970205

Summary: Cannot run xvfb-run in mock with SELinux set to enforcing, targeted
Product: Red Hat Enterprise Linux 6
Reporter: Jonathan Underwood <jonathan.underwood>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED CANTFIX
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: unspecified
Version: 6.4
CC: dwalsh, fedora, jokatzer, mattdm, mgrepl, michel, mmalik
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Type: Bug
Clone Of: 857709
Bug Depends On: 857709
Last Closed: 2015-02-25 10:53:47 UTC

Description Jonathan Underwood 2013-06-03 16:53:09 UTC
+++ This bug was initially created as a clone of Bug #857709 +++

This affects RHEL 6.4 as well - any chance of pushing the fix to that as well?


Description of problem:
I'm trying to rebuild a package that requires access to the display during its build and test process, and thus needs to use xvfb-run during the package building process.

This works fine on the Koji build servers, and locally using mock after running 'setenforce 0', but fails if SELinux is set to the default of enforcing, policy=targeted.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.10.0-146.fc17.noarch
mock-1.1.26-2.fc17.noarch
xorg-x11-xauth-1.0.7-1.fc17.x86_64 (inside mock)
xorg-x11-server-Xvfb-1.12.3-1.fc17 (inside mock)

How reproducible:
Always

Steps to Reproduce:
1. mock -r fedora-17-<any> init
2. mock -r fedora-17-<any> install xauth xvfb 
3. mock shell
4. xvfb-run true
5. echo $?
  
Actual results:
Return code is 127 instead of 0. If a real command is run (e.g. make), xvfb-run returns immediately without printing anything. Also tested with dataquay (review request: https://bugzilla.redhat.com/show_bug.cgi?id=857705).

Expected results:
xvfb-run runs the provided command normally, producing its normal output and returning the command's exit status.

Additional info:
See attached screenshot for the errors caught by the SELinux troubleshooter.

--- Additional comment from Miroslav Grepl on 2012-09-17 03:59:11 EDT ---

Could you attach raw AVC msgs from the /var/log/audit/audit.log file?

--- Additional comment from Michel Alexandre Salim on 2012-09-28 03:00:04 EDT ---

Sure. This is for Fedora 18; my Fedora 17 machine is at home, but the failure is identical.

--- Additional comment from Joachim Katzer on 2013-01-03 14:44:24 EST ---

Same problem on RHEL6 and mock-1.1.28-1.el6 from EPEL.

Problem cannot be solved by a policy module generated by audit2allow because xauth (inside mock, called by xvfb-run) tries to access unlabelled files, generated during a mock build.

--- Additional comment from Daniel Walsh on 2013-02-19 23:55:42 EST ---

Well, I don't understand the comment about xauth audit2allow not being allowed to generate a policy for this, since it looks like all you need is:

allow xauth_t mock_var_lib_t:chr_file append;

More importantly, we don't want mock_t transitioning to any other processes.  The question I have is how the xauth_t processes are starting.

sesearch -T -s mock_t
Found 13 semantic te rules:
   type_transition mock_t mock_build_exec_t : process mock_build_t; 
   type_transition mock_t mock_tmp_t : process mock_build_t; 
   type_transition mock_t tmp_t : file mock_tmp_t; 
   type_transition mock_t tmp_t : dir mock_tmp_t; 
   type_transition mock_t tmp_t : lnk_file mock_tmp_t; 
   type_transition mock_t var_t : file mock_cache_t; 
   type_transition mock_t var_t : dir mock_cache_t; 
   type_transition mock_t abrt_helper_exec_t : process abrt_helper_t; 
   type_transition mock_t mount_exec_t : process mount_t; 
   type_transition mock_t fusermount_exec_t : process mount_t; 
   type_transition mock_t var_lib_t : file mock_var_lib_t; 
   type_transition mock_t var_lib_t : dir mock_var_lib_t; 
   type_transition mock_t mock_var_lib_t : process mock_build_t; 

(I have just removed the transition to mount_t in Rawhide.)

sesearch -T -s mock_build_t 
Found 7 semantic te rules:
   type_transition mock_build_t var_lib_t : file mock_var_lib_t; 
   type_transition mock_build_t var_lib_t : dir mock_var_lib_t; 
   type_transition mock_build_t tmp_t : file mock_tmp_t; 
   type_transition mock_build_t tmp_t : dir mock_tmp_t; 
   type_transition mock_build_t var_t : file mock_cache_t; 
   type_transition mock_build_t var_t : dir mock_cache_t; 
   type_transition mock_build_t abrt_helper_exec_t : process abrt_helper_t;
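
As an added illustration (not code from the bug report or from the selinux-policy project), the script below does the triage a maintainer would do on the raw AVC records Miroslav asked for: it collapses denials into candidate allow rules the way audit2allow does, which yields exactly the rule above, and it separates out denials against unlabeled_t, the case Joachim described where a generated module cannot help because the files need relabeling rather than a new allow rule. The audit lines are constructed samples.

```python
import re

# Constructed sample audit.log records (not taken from the bug report). The first is the
# denial that "allow xauth_t mock_var_lib_t:chr_file append;" would cover; the second is a
# denial against unlabeled_t, which no allow rule should be written for.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1359000000.123:456): avc:  denied  { append } for  pid=1234 comm="xauth" name="null" dev=tmpfs ino=3 scontext=unconfined_u:unconfined_r:xauth_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=AVC msg=audit(1359000000.456:457): avc:  denied  { read write } for  pid=1234 comm="xauth" name=".Xauthority" dev=dm-0 ino=99 scontext=unconfined_u:unconfined_r:xauth_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=SYSCALL msg=audit(1359000000.456:457): arch=c000003e syscall=2 success=no exit=-13
"""

# Contexts are user:role:type:level; only the type field is needed for a rule.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?scontext=\w+:\w+:(?P<stype>\w+):'
    r'.*?tcontext=\w+:\w+:(?P<ttype>\w+):'
    r'.*?tclass=(?P<tclass>\w+)'
)

def parse_avc(line):
    """Return (source type, target type, class, permissions) for one AVC denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return m['stype'], m['ttype'], m['tclass'], frozenset(m['perms'].split())

def fmt_perms(perms):
    """Render permissions in policy syntax: a bare name, or a braced set for several."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'

def triage(audit_text):
    """Split denials into allow-rule candidates and denials that need relabeling.
    unlabeled_t means the object carries no label at all; allowing access to it would be
    far too broad, so those denials are reported as file-context problems instead."""
    rules, relabel = {}, []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        stype, ttype, tclass, perms = rec
        if ttype == 'unlabeled_t':
            relabel.append(f'{stype} -> unlabeled_t:{tclass} {fmt_perms(perms)}')
            continue
        rules.setdefault((stype, ttype, tclass), set()).update(perms)
    allow = [f'allow {s} {t}:{c} {fmt_perms(p)};' for (s, t, c), p in sorted(rules.items())]
    return allow, relabel

if __name__ == '__main__':
    allow_rules, relabel_hits = triage(SAMPLE_AUDIT_LOG)
    print(*allow_rules, *('relabel needed: ' + r for r in relabel_hits), sep='\n')
```

Denials listed under "relabel needed" are the ones to fix with restorecon or a file context rule; feeding them to audit2allow would only produce an over-broad module.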

--- Additional comment from Daniel Walsh on 2013-02-20 02:44:47 EST ---

Thinking a little more about this.  When you execute mock shell the context is probably running as unconfined_t.

sesearch -T -s unconfined_t -t xauth_exec_t
Found 1 semantic te rules:
   type_transition unconfined_t xauth_exec_t : process xauth_t; 


If unconfined_t executed a xauth_exec_t program then we could have this transition happen.

--- Additional comment from Miroslav Grepl on 2013-02-20 05:28:17 EST ---

Backported.

--- Additional comment from Miroslav Grepl on 2013-02-20 05:28:53 EST ---

Ah, wrong bug number.

--- Additional comment from Fedora Update System on 2013-02-22 03:22:10 EST ---

selinux-policy-3.11.1-81.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-81.fc18

--- Additional comment from Fedora Update System on 2013-02-24 04:01:25 EST ---

selinux-policy-3.11.1-81.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 2 Wolfgang Ulbrich 2013-07-21 15:49:27 UTC
I run into the same error if I try to build caja-dropbox on the rpmfusion build server.
http://buildsys.rpmfusion.org/build-status/job.psp?uid=17892
http://buildsys.rpmfusion.org/logs/fedora-development-rpmfusion_nonfree/17892-caja-dropbox-1.6.0-3.fc20/x86_64/build.log

+ cd nautilus-dropbox-1.6.0
+ xvfb-run -a ./configure 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches  -m64 -mtune=generic'
RPM build errors:
error: Bad exit status from /var/tmp/rpm-tmp.2XwVZo (%build)
    Bad exit status from /var/tmp/rpm-tmp.2XwVZo (%build)
Child return code was: 1
EXCEPTION: Command failed. See logs for output.
 # ['bash', '--login', '-c', 'rpmbuild -bb --target x86_64 --nodeps builddir/build/SPECS/caja-dropbox.spec']
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/mockbuild/trace_decorator.py", line 70, in trace
    result = func(*args, **kw)
  File "/usr/lib/python2.6/site-packages/mockbuild/util.py", line 352, in do
    raise mockbuild.exception.Error, ("Command failed. See logs for output.\n # %s" % (command,), child.returncode)
Error: Command failed. See logs for output.
 # ['bash', '--login', '-c', 'rpmbuild -bb --target x86_64 --nodeps builddir/build/SPECS/caja-dropbox.spec']
LEAVE do --> EXCEPTION RAISED

It would be very helpful if you could fix that for RHEL6 too.

Thank you

Comment 3 Miroslav Grepl 2013-08-07 06:11:01 UTC
Well, the problem is with mock+RHEL6, where we don't have support for mock. Could you run it on a RHEL6 system and attach the actual AVC msgs?

Comment 4 Wolfgang Ulbrich 2013-08-07 10:03:16 UTC
Sorry, I don't have a RHEL6 system.