Description of problem:
Looks like a regression from F25 (or F24, not quite sure).

Version-Release number of selected component (if applicable):
2.6-5.fc26

How reproducible:
Every time

Steps to Reproduce:
1. run `sandbox -X -t sandbox_x_t evince /tmp/file.pdf`
2. Nested X Server window momentarily pops up
3. Fails, apparently due to a number of SELinux denials

Actual results:
Can't execute evince in X sandbox like I used to

Expected results:
Used to be able to use sandboxed evince for random PDFs

Additional info:
Two AVCs:

SELinux is preventing evince from write access on the directory /run/user/1000.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that evince should be allowed write access on the 1000 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'evince' --raw | audit2allow -M my-evince
# semodule -X 300 -i my-evince.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:sandbox_x_t:s0:c483,c904
Target Context                system_u:object_r:user_tmp_t:s0
Target Objects                /run/user/1000 [ dir ]
Source                        evince
Source Path                   evince
Port                          <Unknown>
Host                          vimes
Source RPM Packages
Target RPM Packages
Policy RPM                    <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     vimes
Platform                      Linux vimes 4.11.11-300.fc26.x86_64 #1 SMP Mon Jul 17 16:32:11 UTC 2017 x86_64 x86_64
Alert Count                   6
First Seen                    2017-07-23 11:26:57 PDT
Last Seen                     2017-07-23 11:26:58 PDT
Local ID                      e9610547-cb4f-4010-97cc-196bb6b75ae1

Raw Audit Messages
type=AVC msg=audit(1500834418.306:1418): avc: denied { write } for pid=24349 comm="xdg-desktop-por" name="/" dev="tmpfs" ino=35074 scontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c483,c904 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir permissive=0

Hash: evince,sandbox_x_t,user_tmp_t,dir,write

and:

SELinux is preventing evince from read access on the lnk_file /var/lib/dbus/machine-id.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that evince should be allowed read access on the machine-id lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'evince' --raw | audit2allow -M my-evince
# semodule -X 300 -i my-evince.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:sandbox_x_t:s0:c483,c904
Target Context                system_u:object_r:system_dbusd_var_lib_t:s0
Target Objects                /var/lib/dbus/machine-id [ lnk_file ]
Source                        evince
Source Path                   evince
Port                          <Unknown>
Host                          vimes
Source RPM Packages
Target RPM Packages
Policy RPM                    <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     vimes
Platform                      Linux vimes 4.11.11-300.fc26.x86_64 #1 SMP Mon Jul 17 16:32:11 UTC 2017 x86_64 x86_64
Alert Count                   1
First Seen                    2017-07-23 11:26:58 PDT
Last Seen                     2017-07-23 11:26:58 PDT
Local ID                      03107ff5-6e62-4322-9a8b-862ee82682b6

Raw Audit Messages
type=AVC msg=audit(1500834418.358:1420): avc: denied { read } for pid=24300 comm="evince" name="machine-id" dev="dm-1" ino=12451917 scontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c483,c904 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=lnk_file permissive=0

Hash: evince,sandbox_x_t,system_dbusd_var_lib_t,lnk_file,read
It's related to Wayland. The same command works with X.org.

When Wayland is used, there are files like '/run/user/1001/wayland-cursor-shared-2Xw77u' created, mapped and removed. And it's not allowed in the current policy.

The following rules should allow 'sandbox -X' to run applications in Wayland in Fedora 26:

allow sandbox_x_t user_tmp_t:dir { write add_name remove_name };
allow sandbox_x_t user_tmp_t:file { map create unlink };
allow sandbox_x_t sandbox_x_client_tmpfs_t:file { map };

In Fedora 27 we support nnp_transition, therefore we can use them:

allow sandbox_x_t sandbox_x_client_t:process2 nnp_transition;
allow sandbox_x_t sandbox_xserver_t:process2 nnp_transition;
allow sandbox_x_client_t user_tmp_t:dir { write add_name remove_name };
allow sandbox_x_client_t user_tmp_t:file { map create unlink };
allow sandbox_x_client_t sandbox_x_client_tmpfs_t:file { map };

Note, I need to do more investigation around Wayland and how to use it and investigate a possible impact of the rules above. For now you can either switch to X.org or use the rules in a local temporary policy.
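Added example, not from this bug report or from the selinux-policy project: a small Python script that does the core of the audit2allow step quoted in the description, turning the two raw AVC records from the report into audit2allow-style allow rules of the same form as the sandbox_x_t rules in the comment above. The third record in AVC_LOG is constructed for the example (not from this report) to show how denied permissions for one source/target/class triple are merged, and the script also collects the comm= values, which show that the /run/user/1000 write came from xdg-desktop-por (the kernel-truncated comm of xdg-desktop-portal) rather than from the evince binary that setroubleshoot's summary names.

```python
import re
from collections import defaultdict

# Records 1 and 2 are the raw AVC messages quoted in the report; record 3 is
# constructed for this example so the merging of permissions per triple shows.
AVC_LOG = """\
type=AVC msg=audit(1500834418.306:1418): avc: denied { write } for pid=24349 comm="xdg-desktop-por" name="/" dev="tmpfs" ino=35074 scontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c483,c904 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1500834418.358:1420): avc: denied { read } for pid=24300 comm="evince" name="machine-id" dev="dm-1" ino=12451917 scontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c483,c904 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1500834419.000:1421): avc: denied { add_name } for pid=24349 comm="xdg-desktop-por" name="wayland-cursor-shared-CONSTRUCTED" scontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c483,c904 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir permissive=0
"""

# audit2allow needs only the type of each context, the class and the permissions.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return the fields of one 'avc: denied' record, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    # A context is user:role:type[:level]; only the type goes into a rule.
    rec["stype"] = rec["scon"].split(":")[2]
    rec["ttype"] = rec["tcon"].split(":")[2]
    return rec


def allow_rules(log):
    """Merge denials into audit2allow-style allow rules, one per type triple."""
    merged = defaultdict(set)
    for rec in filter(None, map(parse_avc, log.splitlines())):
        merged[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]


def denied_commands(log):
    """Map each source type to the sorted comm= values that were denied."""
    comms = defaultdict(set)
    for rec in filter(None, map(parse_avc, log.splitlines())):
        comms[rec["stype"]].add(rec["comm"])
    return {k: sorted(v) for k, v in comms.items()}


if __name__ == "__main__":
    print("\n".join(allow_rules(AVC_LOG)), denied_commands(AVC_LOG), sep="\n")
```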
Just updating to F27 (still reproduces)
*** Bug 1528783 has been marked as a duplicate of this bug. ***
commit a8e9d06aa170c2f490aa03539f5540a268275dc6 (HEAD -> f27, origin/f27)
Author: Lukas Vrabec <lvrabec>
Date:   Wed Jan 3 17:57:23 2018 +0100

    Make working SELinux sandbox with Wayland.
    BZ(1474082)
selinux-policy-3.13.1-283.20.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-0d8506aba4
selinux-policy-3.13.1-283.20.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-0d8506aba4
selinux-policy-3.13.1-283.21.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-0d8506aba4
X apps work as expected but I'm afraid that PulseAudio is broken still.
selinux-policy-3.13.1-283.21.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-0d8506aba4
selinux-policy-3.13.1-283.21.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
Still fails for me.

grep denied /var/log/audit/audit.log | audit2allow | less

#============= sandbox_x_client_t ==============
allow sandbox_x_client_t cert_t:file map;

#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow sandbox_x_client_t http_port_t:tcp_socket name_connect;
allow sandbox_x_client_t lib_t:dir setattr;
allow sandbox_x_client_t system_dbusd_var_lib_t:lnk_file { getattr read };
allow sandbox_x_client_t systemd_logind_var_run_t:file read;

#============= sshd_t ==============
allow sshd_t init_t:dbus send_msg;

#============= systemd_logind_t ==============
allow systemd_logind_t sandbox_xserver_t:shm destroy;