This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes
Bug 1281753 - Specifying the MLS/MCS Security Level to run an X based sandbox with, fails
Specifying the MLS/MCS Security Level to run an X based sandbox with, fails
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
23
Unspecified Unspecified
high Severity high
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
:
Depends On: 1279006
Blocks:
  Show dependency treegraph
 
Reported: 2015-11-13 06:47 EST by Miroslav Grepl
Modified: 2016-01-21 21:21 EST (History)
7 users (show)

See Also:
Fixed In Version: selinux-policy-3.13.1-159.fc23 selinux-policy-3.13.1-158.2.fc23
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1279006
Environment:
Last Closed: 2016-01-21 21:21:56 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Miroslav Grepl 2015-11-13 06:47:38 EST
+++ This bug was initially created as a clone of Bug #1279006 +++

Description of problem:
Trying to specify an mls/mcs security level to run an X based sandbox fails

Version-Release number of selected component (if applicable):
policycoreutils-python-utils-2.4-14.fc23.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Try to start and X based sandbox
2.
3.

Actual results:
sandbox -X -t sandbox_web_t -l s0:c455,c394 -H ~/firefox_home/ -T ~/firefox_tmp/ firefox
/usr/bin/sandbox:440: PyGIWarning: Gtk was imported without specifying a version first. Use gi.require_version('Gtk', '3.0') before import to ensure that the right version gets loaded.
  from gi.repository import Gtk
grep: /home/user/.sandboxrc: Permission denied
mkdir: cannot create directory ‘/home/user’: Permission denied
/usr/share/sandbox/sandboxX.sh: line 10: /home/user/.config/openbox/rc.xml: Permission denied

audit msg

type=SELINUX_ERR msg=audit(1446866347.983:1067): op=security_bounded_transition seresult=denied oldcontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c394,c455 newcontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c394,c455

Expected results:
The X based sandbox starts just as it would if the level was left to be random.

Additional info:

--- Additional comment from Miroslav Grepl on 2015-11-09 03:14:13 EST ---

Nice catch. 

It looks there is more issues and given MCS is not propagated. The mentioned AVC does not block it. There are another AVCs caused by this reproducer.
Comment 1 Lukas Vrabec 2015-12-08 08:49:32 EST
Mirek, do you have these AVCs? 

Thank you.
Comment 2 Miroslav Grepl 2015-12-11 03:33:06 EST
(In reply to Lukas Vrabec from comment #1)
> Mirek, do you have these AVCs? 
> 
> Thank you.

Just try to run

sandbox -X -t sandbox_web_t -l s0:c455,c394 -H ~/firefox_home/ -T ~/firefox_tmp/ firefox

and you will get them.
Comment 3 Miroslav Grepl 2015-12-20 06:56:43 EST
Together with policycoreutils-sandbox fixes and with

https://github.com/fedora-selinux/selinux-policy/commit/05ddb159c46c5eda87df6d4df35519b180d9bf17

we would have it working.
Comment 4 Fedora Update System 2016-01-14 08:16:08 EST
selinux-policy-3.13.1-158.2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-7cb7ac5cb9
Comment 5 Fedora Update System 2016-01-15 13:54:03 EST
selinux-policy-3.13.1-158.2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-7cb7ac5cb9
Comment 6 Fedora Update System 2016-01-21 21:21:06 EST
selinux-policy-3.13.1-158.2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.