Description of problem: SELinux is preventing Xephyr from 'connectto' accesses on the unix_stream_socket 002F746D702F2E5831312D756E69782F5830. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that Xephyr should be allowed connectto access on the 002F746D702F2E5831312D756E69782F5830 unix_stream_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep Xephyr /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context unconfined_u:unconfined_r:sandbox_x_t:s0:c287,c755 Target Context unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023 Target Objects 002F746D702F2E5831312D756E69782F5830 [ unix_stream_socket ] Source Xephyr Source Path Xephyr Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-141.fc23.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.2.0-0.rc6.git0.2.fc23.x86_64 #1 SMP Wed Aug 12 21:39:36 UTC 2015 x86_64 x86_64 Alert Count 1 First Seen 2015-08-28 19:24:32 CEST Last Seen 2015-08-28 19:24:32 CEST Local ID b33a9014-d15b-4cee-ba73-adf9035a6c01 Raw Audit Messages type=AVC msg=audit(1440782672.223:571): avc: denied { connectto } for pid=2553 comm="Xephyr" path=002F746D702F2E5831312D756E69782F5830 scontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c287,c755 tcontext=unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0 Hash: Xephyr,sandbox_x_t,xserver_t,unix_stream_socket,connectto Version-Release number of selected component: selinux-policy-3.13.1-141.fc23.noarch Additional info: reporter: libreport-2.6.2 hashmarkername: setroubleshoot kernel: 4.2.0-0.rc6.git0.2.fc23.x86_64 type: libreport Potential duplicate: bug 1105652
Please update to the latest policies. We added fixes for sandbox. #============= sandbox_x_t ============== #!!!! This avc is allowed in the current policy allow sandbox_x_t xserver_t:unix_stream_socket connectto;