Bug 976995

Summary: cannot use anymore a web browser in a sandbox
Product: [Fedora] Fedora Reporter: Alphonse Steiner <alphsteiner>
Component: xorg-x11-serverAssignee: X/OpenGL Maintenance List <xgl-maint>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: alphsteiner, dallan, dominick.grift, dwalsh, mgrepl, pcfe, sergio, xgl-maint
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: xorg-x11-server-1.14.2-5.fc19 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-07-20 09:44:49 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Fix the segfault none

Description Alphonse Steiner 2013-06-22 10:29:43 UTC 
Description of problem:
The command "sandbox -X -t sandbox_web_t midori" that used to work in fedora 17
fails in fedora 19.

Version-Release number of selected component (if applicable)
selinux-policy-3.12.1-55.fc19


Additional info:
Turning 'dontaudit' off, here are the denials (none otherwise, or only the user_dev_pts with policy release -52):


type=AVC msg=audit(1371893808.778:1881): avc:  denied  { rlimitinh } for  pid=21283 comm="seunshare" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_seunshare_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1371893808.778:1881): avc:  denied  { siginh } for  pid=21283 comm="seunshare" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_seunshare_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1371893808.778:1881): avc:  denied  { noatsecure } for  pid=21283 comm="seunshare" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_seunshare_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1371893808.784:1882): avc:  denied  { read } for  pid=21283 comm="seunshare" name="mls" dev="selinuxfs" ino=12 scontext=staff_u:staff_r:staff_seunshare_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1371893808.787:1884): avc:  denied  { rlimitinh } for  pid=21286 comm="sandboxX.sh" scontext=staff_u:staff_r:staff_seunshare_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:sandbox_web_t:s0:c220,c268 tclass=process
type=AVC msg=audit(1371893808.787:1884): avc:  denied  { siginh } for  pid=21286 comm="sandboxX.sh" scontext=staff_u:staff_r:staff_seunshare_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:sandbox_web_t:s0:c220,c268 tclass=process
type=AVC msg=audit(1371893808.787:1884): avc:  denied  { noatsecure } for  pid=21286 comm="sandboxX.sh" scontext=staff_u:staff_r:staff_seunshare_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:sandbox_web_t:s0:c220,c268 tclass=process
type=AVC msg=audit(1371893808.790:1885): avc:  denied  { open } for  pid=21286 comm="sandboxX.sh" path="/dev/pts/4" dev="devpts" ino=7 scontext=staff_u:staff_r:sandbox_web_t:s0:c220,c268 tcontext=staff_u:object_r:user_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1371893808.806:1886): avc:  denied  { rlimitinh } for  pid=21295 comm="Xephyr" scontext=staff_u:staff_r:sandbox_web_t:s0:c220,c268 tcontext=staff_u:staff_r:sandbox_xserver_t:s0:c220,c268 tclass=process
type=AVC msg=audit(1371893808.806:1886): avc:  denied  { siginh } for  pid=21295 comm="Xephyr" scontext=staff_u:staff_r:sandbox_web_t:s0:c220,c268 tcontext=staff_u:staff_r:sandbox_xserver_t:s0:c220,c268 tclass=process
type=AVC msg=audit(1371893808.806:1886): avc:  denied  { noatsecure } for  pid=21295 comm="Xephyr" scontext=staff_u:staff_r:sandbox_web_t:s0:c220,c268 tcontext=staff_u:staff_r:sandbox_xserver_t:s0:c220,c268 tclass=process
type=AVC msg=audit(1371893808.868:1887): avc:  denied  { rlimitinh } for  pid=21298 comm="sh" scontext=staff_u:staff_r:staff_seunshare_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1371893808.868:1887): avc:  denied  { siginh } for  pid=21298 comm="sh" scontext=staff_u:staff_r:staff_seunshare_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1371893808.868:1887): avc:  denied  { noatsecure } for  pid=21298 comm="sh" scontext=staff_u:staff_r:staff_seunshare_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1371893808.916:1888): avc:  denied  { rlimitinh } for  pid=21302 comm="sh" scontext=staff_u:staff_r:staff_seunshare_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1371893808.916:1888): avc:  denied  { siginh } for  pid=21302 comm="sh" scontext=staff_u:staff_r:staff_seunshare_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1371893808.916:1888): avc:  denied  { noatsecure } for  pid=21302 comm="sh" scontext=staff_u:staff_r:staff_seunshare_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
Comment 1 Miroslav Grepl 2013-06-24 08:51:09 UTC 
It works for me. Does it work in permissive mode?
Comment 2 Alphonse Steiner 2013-06-24 09:39:47 UTC 
Damn, I was sure I have already tried that. Same problem in permissive mode, so the problem is elsewhere. I am feeling quite ashamed now.. you can certainly close this report.
What is your version of sandbox?
It is a fresh install with the same home partition, so it must be a problem with a configuration file somewhere. Does someone have any clue on where to look at? It happens on all accounts, even new ones.
Comment 3 Alphonse Steiner 2013-06-24 10:09:33 UTC 
It is the '-X' argument that is faulty. Without it, the application run (at least in permissive mode).
Comment 4 Daniel Walsh 2013-06-24 15:10:04 UTC 
No the problem is with Xephry, I believe.

remove --resizable option in  /usr/share/sandbox/sandboxX.sh

And see if this fixes the problem.
Comment 5 Alphonse Steiner 2013-06-30 09:04:47 UTC 
I have removed the option. I am using the command "sandbox -X xterm" for testing, and it fails even in permissive mode.
Comment 6 Alphonse Steiner 2013-06-30 09:10:19 UTC 
Same result using the file /usr/share/sandbox/sandboxX.sh from fedora 17.
Comment 7 Alphonse Steiner 2013-06-30 09:28:41 UTC 
You're right Daniel, the problem is with Xephyr. I have a segfault using it alone:
Xephyr -ac -br -noreset -screen 800x600 :2

(EE) 
(EE) Backtrace:
(EE) 0: Xephyr (OsLookupColor+0x129) [0x4672b9]
(EE) 1: /lib64/libpthread.so.0 (__restore_rt+0x0) [0x7f71e0547f9f]
(EE) 2: Xephyr (XNFprintf+0x9aea) [0x4809fa]
(EE) 3: Xephyr (XNFprintf+0x8dc7) [0x47e967]
(EE) 4: Xephyr (XNFprintf+0x4538) [0x475e78]
(EE) 5: Xephyr (ddxGiveUp+0xf27) [0x48e737]
(EE) 6: Xephyr (AddScreen+0x71) [0x42fdc1]
(EE) 7: Xephyr (ddxGiveUp+0x1409) [0x48f089]
(EE) 8: Xephyr (_init+0x3c4b) [0x4221fb]
(EE) 9: /lib64/libc.so.6 (__libc_start_main+0xf5) [0x7f71dfc94b75]
(EE) 10: Xephyr (_start+0x29) [0x41ecc1]
(EE) 11: ? (?+0x29) [0x29]
(EE) 
(EE) Segmentation fault at address 0x18

Fatal server error:
Caught signal 11 (Segmentation fault). Server aborting

So, could you move the report to Xephyr?
Comment 8 Alphonse Steiner 2013-07-12 06:14:27 UTC 
Created attachment 772539 [details]
Fix the segfault

The weird point is that I cannot reproduce the segfault on a virtual machine, but it does happen on the main system.
I can fix it with this patch.
For sandbox, Xephyr does not recognise the resizeable option, and I have to remove it: I really bo not understand this point since it works in the VM. Is there something to do to enable it?
I am using the version 1.14.2-3 (+this patch), from the repository updates-testing.
Comment 9 Sergio Basto 2013-07-13 16:43:29 UTC 
from bug #984178  , this may be fixed, could you please test :

Package xorg-x11-server-1.14.2-4.fc19:
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing xorg-x11-server-1.14.2-4.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-12886/xorg-x11-server-1.14.2-4.fc19
then log in and leave karma (feedback).
Comment 10 Alphonse Steiner 2013-07-13 17:53:54 UTC 
Does not fix this bug. The Xephyr option -resizeable is still absent, and the patch is still required (segfault otherwise).
Comment 11 Sergio Basto 2013-07-13 21:45:11 UTC 
(In reply to Alphonse Steiner from comment #10)
> Does not fix this bug. The Xephyr option -resizeable is still absent, and
> the patch is still required (segfault otherwise).

In my point of view, we just should give negative karma when we have regressions, 
this release fixes many bugs and don't make any regression on yours, so you should change your vote, to get this update in stable soon. 
Your patch, will be analysed and hope that hit branch stable soon if really fix this bug (and others) .
Comment 12 Alphonse Steiner 2013-07-14 06:39:13 UTC 
Sorry, I am not really aware of this karma thing and was a little hasty I guess. It is true that I do not see any regressions and that it solves other bugs, so giving a bad karma is really harsh. I will change my vore.
Comment 13 Fedora Update System 2013-07-15 01:23:56 UTC 
xorg-x11-server-1.14.2-5.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/xorg-x11-server-1.14.2-5.fc19
Comment 14 Alphonse Steiner 2013-07-15 06:58:06 UTC 
Bug not fixed. The option is back in Xephyr, but the patch is still required (segfault otherwise).
Comment 15 Daniel Walsh 2013-07-15 18:25:10 UTC 
*** Bug 984684 has been marked as a duplicate of this bug. ***
Comment 16 Fedora Update System 2013-07-16 01:23:35 UTC 
Package xorg-x11-server-1.14.2-5.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing xorg-x11-server-1.14.2-5.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-12995/xorg-x11-server-1.14.2-5.fc19
then log in and leave karma (feedback).
Comment 17 Alphonse Steiner 2013-07-16 10:28:33 UTC 
Just to be sure, I rewrite it: this version does not fix the segfault. The path still work.
Comment 18 Dave Allan 2013-07-18 22:05:17 UTC 
xorg-x11-server-Xephyr-1.14.2-5.fc19 fixes sandbox -X for me.  Perhaps this is PBKAC, but the command referenced above:

yum update --enablerepo=updates-testing xorg-x11-server-1.14.2-5.fc19

failed with package not found.

To install the new Xephyr I used:

yum update --enablerepo=updates-testing xorg-x11-server-Xephyr-1.14.2-5.fc19
Comment 19 Sergio Basto 2013-07-18 22:22:58 UTC 
The correct command should be :

yum update --enablerepo=updates-testing xorg-x11-server\*-1.14.2-5.fc19


This is a bug on message of Fedora Update System, for this specific package .
Comment 20 Alphonse Steiner 2013-07-19 09:17:06 UTC 
As I said before, the "sandbox -X" part is fixed with 1.14.2-5 (the option is back).

However, I still have a segfault error when I start Xephyr (_alone_ or by sandbox -X). The bad point is that this segfault is not reproducible everywhere. I have it on the main system, but not on virtual ones. 

For information, it did not happened in FC17, and this version of FC19 is from a fresh install.
Comment 21 Daniel Walsh 2013-07-19 10:23:11 UTC 
Does it crash in permissive mode?
Comment 22 Alphonse Steiner 2013-07-19 18:46:22 UTC 
Yes it does. This problem is not related to selinux, but to Xephyr. The function 'XGetVisualInfo' returns a NULL pointer, leading to the segfault.
Comment 23 Fedora Update System 2013-07-20 09:44:49 UTC 
xorg-x11-server-1.14.2-5.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 24 Sergio Basto 2013-07-23 00:45:26 UTC 
(In reply to Alphonse Steiner from comment #22)
> Yes it does. This problem is not related to selinux, but to Xephyr. The
> function 'XGetVisualInfo' returns a NULL pointer, leading to the segfault.

Hi, Alphonse Steiner, are you the author of the patch "Fix the segfault" ? 
if yes , is patch posted to the xorg-devel mailing list, for master ?