Description of problem:
Up until recently, I could do

  sandbox -t sandbox_web_t -X firefox http://www.redhat.com/

just fine. Since applying updates a few days ago[1] I get

  $ sandbox -t sandbox_web_t -X firefox http://www.redhat.com/
  Failed to execute command /usr/share/sandbox/sandboxX.sh: Operation not permitted

Version-Release number of selected component (if applicable):
policycoreutils-python-2.2.5-3.fc20.x86_64
selinux-policy-3.12.1-153.fc20.noarch
selinux-policy-targeted-3.12.1-153.fc20.noarch
selinux-policy-devel-3.12.1-153.fc20.noarch
selinux-policy-sandbox-3.12.1-153.fc20.noarch

How reproducible:
always

Steps to Reproduce:
1. sandbox -t sandbox_web_t -X firefox http://www.redhat.com/

Actual results:
Failed to execute command /usr/share/sandbox/sandboxX.sh: Operation not permitted

Expected results:
sandboxed firefox opens and displays http://www.redhat.com/

Additional info:
- I tried both without ~/.sandboxrc and with the file (as taken from comment #17 of bug 1017727); same result.
- While, up to ~1 week ago, this worked fine; selinux-policy-sandbox was not installed. I installed that just now, no change.
- $ sandbox id -Z
  unconfined_u:unconfined_r:sandbox_t:s0:c45,c520
- sandbox also fails in permissive mode
- If I have a ~/.sandboxrc ( https://bugzilla.redhat.com/show_bug.cgi?id=1017727#c17 )
  $ /usr/share/sandbox/sandboxX.sh
  does give me an empty window and, once I click into it (or press a key while that window has focus), an xterm.
- $ Xephyr -displayfd 5
  gives me an empty Xephyr window, as expected.
- the failure is not limited to sandboxed firefox, this fails just the same
  $ /usr/bin/sandbox -X okular
  Failed to execute command /usr/share/sandbox/sandboxX.sh: Operation not permitted
- firefox is the X app I most often run sandboxed (e.g. when receiving short URLs in an IRC channel) but opening PDF in a sandboxed okular is also a functionality I miss (that also worked previously, but it has been a while since I needed that on this machine)
- # semodule -l | grep sand
  sandbox 1.0.0
  sandboxX 1.0.0

[1] selinux-policy-targeted-3.12.1-153.fc20.noarch
I am not sure if this worked with policycoreutils-2.2.5-3 or only the previous version. That update was applied a week before selinux-policy-targeted and I am not sure if I ran a sandboxed X app with policycoreutils-2.2.5-3 but the previous selinux-policy-targeted.
This is caused by a change to libcap-ng that is being reverted.
Thanks Dan! I've downgraded from libcap-ng-0.7.4-1.fc20 to libcap-ng-0.7.3-6.fc20 and sandbox works again as expected. Updating to libcap-ng-0.7.4-2.fc21 also solves this bug. I'll stay in the rawhide version for now.
I am unable to use sandbox with libcap-ng-0.7.4-1.fc19. Reverting to libcap-ng-utils-0.7.3-3.fc19 and sandbox works again!
After upgrading policycoreutils-sandbox, selinux-policy-targeted and selinux-policy from updates-testing and with libcap-ng-0.7.4-1.fc19 now I get denials:

type=AVC msg=audit(1402857206.622:432): avc: denied { dyntransition } for pid=25527 comm="seunshare" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c468,c530 tclass=process
And this one (after allowing dyntransition):

type=AVC msg=audit(1402857536.856:456): avc: denied { connectto } for pid=25703 comm="Xephyr" path=002F746D702F2E5831312D756E69782F5830 scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c267,c967 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket

Allowing connectto for Xephyr finally makes sandbox work again.
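The two denials quoted in the comments above can be read mechanically. The following is an added example, not part of the bug thread and not code from any SELinux tool: it parses both records, splits the security contexts, and decodes the hex-encoded path field of the second one. All function names are assumptions made for illustration.

```python
import re

# The two AVC records quoted in the comments above, copied verbatim.
SAMPLE = [
    'type=AVC msg=audit(1402857206.622:432): avc: denied { dyntransition } for pid=25527 comm="seunshare" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c468,c530 tclass=process',
    'type=AVC msg=audit(1402857536.856:456): avc: denied { connectto } for pid=25703 comm="Xephyr" path=002F746D702F2E5831312D756E69782F5830 scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c267,c967 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket',
]

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r'(?:[0-9A-Fa-f]{2})+')
# Fields whose value comes from the process or filesystem; audit hex-encodes
# them when they contain spaces, quotes or control bytes.
UNTRUSTED = {'comm', 'exe', 'path', 'name'}

def decode_untrusted(value):
    """Return a readable string for a quoted or hex-encoded audit value."""
    if value.startswith('"'):
        return value.strip('"')
    if not HEX_RE.fullmatch(value):
        return value  # e.g. (null)
    text = bytes.fromhex(value).decode('utf-8', errors='replace')
    # A leading NUL byte marks an abstract-namespace unix socket; show it as '@'.
    return '@' + text[1:] if text.startswith('\x00') else text

def split_context(ctx):
    """Split user:role:type:level; the MLS/MCS level may itself contain ':'."""
    user, role, setype, level = (ctx.split(':', 3) + [''] * 4)[:4]
    return {'user': user, 'role': role, 'type': setype, 'level': level}

def parse_avc(line):
    """Parse one AVC record into a dict, or return None if it is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {'result': m.group(1), 'perms': m.group(2).split()}
    for key, value in FIELD_RE.findall(m.group(3)):
        if key in UNTRUSTED:
            value = decode_untrusted(value)
        elif key in ('scontext', 'tcontext'):
            value = split_context(value)
        rec[key] = value
    return rec

def te_rule(rec):
    """The type-enforcement rule that would cover this denial, for review."""
    perms = rec['perms']
    perm = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow %s %s:%s %s;' % (rec['scontext']['type'],
                                   rec['tcontext']['type'], rec['tclass'], perm)
```

The decoded path, @/tmp/.X11-unix/X0, is the abstract-namespace socket of X display :0, which is why the target context in that record is xserver_t.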
Still firefox does not work. Nice. :-(
For simplicity, I'm marking this as a duplicate.

*** This bug has been marked as a duplicate of bug 1103622 ***