Bug 1279006 - Specifying the MLS/MCS Security Level to run an X based sandbox with, fails
Summary: Specifying the MLS/MCS Security Level to run an X based sandbox with, fails
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: policycoreutils
Version: 23
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Petr Lautrbach
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1281753
TreeView+ depends on / blocked
 
Reported: 2015-11-07 03:29 UTC by sorasl
Modified: 2015-11-22 02:23 UTC (History)
3 users (show)

Fixed In Version: policycoreutils-2.4-17.fc23
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1281753 (view as bug list)
Environment:
Last Closed: 2015-11-22 02:23:15 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)

Description sorasl 2015-11-07 03:29:52 UTC
Description of problem:
Trying to specify an mls/mcs security level to run an X based sandbox fails

Version-Release number of selected component (if applicable):
policycoreutils-python-utils-2.4-14.fc23.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Try to start and X based sandbox
2.
3.

Actual results:
sandbox -X -t sandbox_web_t -l s0:c455,c394 -H ~/firefox_home/ -T ~/firefox_tmp/ firefox
/usr/bin/sandbox:440: PyGIWarning: Gtk was imported without specifying a version first. Use gi.require_version('Gtk', '3.0') before import to ensure that the right version gets loaded.
  from gi.repository import Gtk
grep: /home/user/.sandboxrc: Permission denied
mkdir: cannot create directory ‘/home/user’: Permission denied
/usr/share/sandbox/sandboxX.sh: line 10: /home/user/.config/openbox/rc.xml: Permission denied

audit msg

type=SELINUX_ERR msg=audit(1446866347.983:1067): op=security_bounded_transition seresult=denied oldcontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c394,c455 newcontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c394,c455

Expected results:
The X based sandbox starts just as it would if the level was left to be random.

Additional info:

Comment 1 Miroslav Grepl 2015-11-09 08:14:13 UTC
Nice catch. 

It looks there is more issues and given MCS is not propagated. The mentioned AVC does not block it. There are another AVCs caused by this reproducer.

Comment 2 Fedora Update System 2015-11-18 16:51:28 UTC
policycoreutils-2.4-17.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update policycoreutils'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-2d1eee0eb5

Comment 3 Fedora Update System 2015-11-22 02:23:09 UTC
policycoreutils-2.4-17.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.