Bug 1663874 - [policycoreutils-python-utils] sandboxing of firefox is blocked by SELinux
Summary: [policycoreutils-python-utils] sandboxing of firefox is blocked by SELinux
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.0
Hardware: noarch
OS: Linux
Priority: high
Severity: low
Target Milestone: rc
Target Release: 8.2
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Duplicates: 1663921
Depends On: 1682526
Blocks:
Reported: 2019-01-07 09:22 UTC by Joachim Frieben
Modified: 2020-04-28 16:40 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-04-28 16:40:34 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Attachments
Screenshot of crashed tab in Firefox (41.72 KB, image/png)
2019-11-24 11:13 UTC, Joachim Frieben


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:1773 0 None None None 2020-04-28 16:40:49 UTC

Description Joachim Frieben 2019-01-07 09:22:57 UTC
Description of problem:
Running firefox in a sandbox using the command 'sandbox -t sandbox_web_t -s -X firefox' fails because of SELinux issues, namely:

    "SELinux is preventing firefox from sys_admin access on the cap_userns labeled sandbox_web_client_t."

and

    "SELinux is preventing /usr/bin/Xephyr from write access on the file 2F7661722F746D702F23313331303836202864656C6574656429."

Version-Release number of selected component (if applicable):
policycoreutils-python-utils-2.8-9.el8

How reproducible:
Always

Steps to Reproduce:
1. Execute 'sandbox -t sandbox_web_t -s -X firefox'.

Actual results:
Launch of sandboxed firefox aborts accompanied by SELinux alerts.

Expected results:
Launch of sandboxed firefox completes successfully.

Additional info:
The last time I tried, this feature used to work in both Fedora 28 and 29.

Comment 2 Lukas Vrabec 2019-01-07 10:09:36 UTC
Adding info from duplicate bug: 

SELinux is preventing firefox from sys_admin access on the cap_userns labeled sandbox_web_client_t.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that firefox should be allowed sys_admin access on the Unknown cap_userns by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'firefox' --raw | audit2allow -M my-firefox
# semodule -X 300 -i my-firefox.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:sandbox_web_client_t:s0:
                              c433,c492
Target Context                unconfined_u:unconfined_r:sandbox_web_client_t:s0:
                              c433,c492
Target Objects                Unknown [ cap_userns ]
Source                        firefox
Source Path                   firefox
Port                          <Unknown>
Host                          riemann
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.1-46.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     riemann
Platform                      Linux riemann 4.18.0-32.el8.x86_64 #1 SMP Sat Oct
                              27 19:26:37 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2019-01-06 07:38:55 CET
Last Seen                     2019-01-06 07:38:55 CET
Local ID                      f9a8286e-3c63-4f64-9399-d633065e41d2

Raw Audit Messages
type=AVC msg=audit(1546756735.924:116): avc:  denied  { sys_admin } for  pid=3932 comm="firefox" capability=21  scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c433,c492 tcontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c433,c492 tclass=cap_userns permissive=0


Hash: firefox,sandbox_web_client_t,sandbox_web_client_t,cap_userns,sys_admin

Comment 3 Lukas Vrabec 2019-01-07 10:09:41 UTC
*** Bug 1663921 has been marked as a duplicate of this bug. ***

Comment 4 Joachim Frieben 2019-01-07 10:12:24 UTC
SELinux issues reported as bug 1663876 and bug 1663921; therefore, this bug should be closed as a duplicate.

Comment 5 Milos Malik 2019-01-07 14:27:49 UTC
# ausearch -m avc -m user_avc -i -ts recent | audit2allow

allow sandbox_web_client_t etc_t:file map;
allow sandbox_web_client_t lib_t:dir setattr;
allow sandbox_web_client_t lib_t:file execute_no_trans;
allow sandbox_web_client_t self:cap_userns sys_admin;
allow sandbox_web_client_t user_tmp_t:dir write;

----
type=PROCTITLE msg=audit(01/07/2019 15:12:24.867:848) : proctitle=/usr/lib64/firefox/firefox 
type=SYSCALL msg=audit(01/07/2019 15:12:24.867:848) : arch=x86_64 syscall=clone success=no exit=EPERM(Operation not permitted) a0=CLONE_NEWUSER|CLONE_NEWPID|SIGCHLD a1=0x0 a2=0x0 a3=0x0 items=0 ppid=13701 pid=13704 auid=unconfined-user uid=unconfined-user gid=unconfined-user euid=unconfined-user suid=unconfined-user fsuid=unconfined-user egid=unconfined-user sgid=unconfined-user fsgid=unconfined-user tty=(none) ses=6 comm=firefox exe=/usr/lib64/firefox/firefox subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c137,c157 key=(null) 
type=AVC msg=audit(01/07/2019 15:12:24.867:848) : avc:  denied  { sys_admin } for  pid=13704 comm=firefox capability=sys_admin  scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c137 c157 tcontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c137,c157 tclass=cap_userns permissive=0 
----
type=PROCTITLE msg=audit(01/07/2019 15:12:30.520:849) : proctitle=/usr/lib64/firefox/firefox 
type=PATH msg=audit(01/07/2019 15:12:30.520:849) : item=0 name=/usr/lib/fontconfig/cache inode=16886200 dev=08:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(01/07/2019 15:12:30.520:849) : cwd=/home/unconfined-user 
type=SYSCALL msg=audit(01/07/2019 15:12:30.520:849) : arch=x86_64 syscall=chmod success=no exit=EACCES(Permission denied) a0=0x7f32bbb36f80 a1=0755 a2=0xffffffffffffff58 a3=0x7f32e9b45dd7 items=1 ppid=13701 pid=13704 auid=unconfined-user uid=unconfined-user gid=unconfined-user euid=unconfined-user suid=unconfined-user fsuid=unconfined-user egid=unconfined-user sgid=unconfined-user fsgid=unconfined-user tty=(none) ses=6 comm=firefox exe=/usr/lib64/firefox/firefox subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c137,c157 key=(null) 
type=AVC msg=audit(01/07/2019 15:12:30.520:849) : avc:  denied  { setattr } for  pid=13704 comm=firefox name=cache dev="sda2" ino=16886200 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c137,c157 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=0 
----
type=PROCTITLE msg=audit(01/07/2019 15:12:30.639:850) : proctitle=/usr/libexec/at-spi-bus-launcher 
type=PATH msg=audit(01/07/2019 15:12:30.639:850) : item=0 name=/run/user/1002/dconf/ inode=206636 dev=00:32 mode=dir,700 ouid=unconfined-user ogid=unconfined-user rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(01/07/2019 15:12:30.639:850) : cwd=/home/unconfined-user 
type=SYSCALL msg=audit(01/07/2019 15:12:30.639:850) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x55fe7001fde0 a2=O_RDWR|O_CREAT a3=0x180 items=1 ppid=13896 pid=13897 auid=unconfined-user uid=unconfined-user gid=unconfined-user euid=unconfined-user suid=unconfined-user fsuid=unconfined-user egid=unconfined-user sgid=unconfined-user fsgid=unconfined-user tty=(none) ses=6 comm=at-spi-bus-laun exe=/usr/libexec/at-spi-bus-launcher subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c137,c157 key=(null) 
type=AVC msg=audit(01/07/2019 15:12:30.639:850) : avc:  denied  { write } for  pid=13897 comm=at-spi-bus-laun name=dconf dev="tmpfs" ino=206636 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c137,c157 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0 
----
type=PROCTITLE msg=audit(01/07/2019 15:12:58.213:2124) : proctitle=/usr/lib64/firefox/firefox 
type=MMAP msg=audit(01/07/2019 15:12:58.213:2124) : fd=58 flags=MAP_PRIVATE 
type=SYSCALL msg=audit(01/07/2019 15:12:58.213:2124) : arch=x86_64 syscall=mmap success=no exit=EACCES(Permission denied) a0=0x0 a1=0x27b a2=PROT_READ a3=MAP_PRIVATE items=0 ppid=13701 pid=13704 auid=unconfined-user uid=unconfined-user gid=unconfined-user euid=unconfined-user suid=unconfined-user fsuid=unconfined-user egid=unconfined-user sgid=unconfined-user fsgid=unconfined-user tty=(none) ses=6 comm=firefox exe=/usr/lib64/firefox/firefox subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c137,c157 key=(null) 
type=AVC msg=audit(01/07/2019 15:12:58.213:2124) : avc:  denied  { map } for  pid=13704 comm=firefox path=/etc/dconf/db/distro dev="sda2" ino=17317079 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c137,c157 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(01/07/2019 15:12:58.561:2126) : proctitle=/usr/lib64/firefox/firefox 
type=PATH msg=audit(01/07/2019 15:12:58.561:2126) : item=0 name=/usr/lib64/firefox/pingsender inode=9423817 dev=08:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(01/07/2019 15:12:58.561:2126) : cwd=/home/unconfined-user 
type=SYSCALL msg=audit(01/07/2019 15:12:58.561:2126) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x7f329a2a8a60 a1=0x7f329a2a8aa0 a2=0x7f32a49065f0 a3=0x7ffc7b8c6c16 items=1 ppid=13704 pid=14127 auid=unconfined-user uid=unconfined-user gid=unconfined-user euid=unconfined-user suid=unconfined-user fsuid=unconfined-user egid=unconfined-user sgid=unconfined-user fsgid=unconfined-user tty=(none) ses=6 comm=firefox exe=/usr/lib64/firefox/firefox subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c137,c157 key=(null) 
type=AVC msg=audit(01/07/2019 15:12:58.561:2126) : avc:  denied  { execute_no_trans } for  pid=14127 comm=firefox path=/usr/lib64/firefox/pingsender dev="sda2" ino=9423817 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c137,c157 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=0 
----

Comment 20 Joachim Frieben 2019-11-24 11:13:31 UTC
Created attachment 1639192
Screenshot of crashed tab in Firefox

SELinux is preventing /usr/lib64/firefox/firefox from sys_chroot access on the cap_userns labeled sandbox_web_client_t.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that firefox should be allowed sys_chroot access on cap_userns labeled sandbox_web_client_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'IPC Launch #1' --raw | audit2allow -M my-IPCLaunch1
# semodule -X 300 -i my-IPCLaunch1.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:sandbox_web_client_t:s0:
                              c93,c447
Target Context                unconfined_u:unconfined_r:sandbox_web_client_t:s0:
                              c93,c447
Target Objects                Unknown [ cap_userns ]
Source                        IPC Launch #1
Source Path                   /usr/lib64/firefox/firefox
Port                          <Unknown>
Host                          noname
Source RPM Packages           firefox-68.2.0-2.el8_0.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.3-20.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     noname
Platform                      Linux noname 4.18.0-147.0.3.el8_1.x86_64 #1 SMP
                              Mon Nov 11 12:58:36 UTC 2019 x86_64 x86_64
Alert Count                   5
First Seen                    2019-11-24 11:56:05 CET
Last Seen                     2019-11-24 11:56:18 CET
Local ID                      d18e5b79-9b09-487b-b4d8-91f87ec2bc82

Raw Audit Messages
type=AVC msg=audit(1574592978.348:271): avc:  denied  { sys_chroot } for  pid=30843 comm=495043204C61756E6368202331 capability=18  scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c93,c447 tcontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c93,c447 tclass=cap_userns permissive=0


type=SYSCALL msg=audit(1574592978.348:271): arch=x86_64 syscall=chroot success=no exit=EPERM a0=7fc68d1e0a83 a1=7fc66867853f a2=1 a3=7a items=0 ppid=30842 pid=30843 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm=IPC Launch #1 exe=/usr/lib64/firefox/firefox subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c93,c447 key=(null)

Hash: IPC Launch #1,sandbox_web_client_t,sandbox_web_client_t,cap_userns,sys_chroot
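
Added example (not part of the bug report, and not code from audit2allow or setroubleshoot): a Python triage sketch for raw AVC records like those quoted in the comments above. It decodes hex-encoded fields such as comm=495043204C61756E6368202331, groups denials into audit2allow-style rules, and flags capability classes for review. The sample records are constructed from the report's logs, and the names decode_field, parse_avc and summarize are chosen for this example.

```python
import re
from collections import defaultdict

# Constructed sample: raw AVC records adapted from the ones quoted in this report
# (the third is re-typed in raw form; its timestamp is made up).
SAMPLE = """\
type=AVC msg=audit(1546756735.924:116): avc:  denied  { sys_admin } for  pid=3932 comm="firefox" capability=21  scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c433,c492 tcontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c433,c492 tclass=cap_userns permissive=0
type=AVC msg=audit(1574592978.348:271): avc:  denied  { sys_chroot } for  pid=30843 comm=495043204C61756E6368202331 capability=18  scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c93,c447 tcontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c93,c447 tclass=cap_userns permissive=0
type=AVC msg=audit(1546870350.520:849): avc:  denied  { setattr } for  pid=13704 comm="firefox" name="cache" dev="sda2" ino=16886200 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c137,c157 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_FIELDS = {"comm", "name", "path", "exe"}  # untrusted strings auditd may hex-encode
CAP_CLASSES = {"capability", "capability2", "cap_userns", "cap2_userns"}

def decode_field(value):
    """Raw records quote plain strings and hex-encode ones with spaces or control bytes."""
    if value.startswith('"'):
        return value.strip('"')
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9A-F]+", value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value

def parse_avc(line):
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: decode_field(v) if k in HEX_FIELDS else v.strip('"')
         for k, v in FIELD_RE.findall(m["rest"])}
    return {"perms": m["perms"].split(), "comm": f.get("comm", "?"),
            "source": f["scontext"].split(":")[2],
            "target": f["tcontext"].split(":")[2], "tclass": f["tclass"]}

def summarize(text):
    """Group denials into audit2allow-style rules: (rule, needs_review, commands)."""
    groups = defaultdict(lambda: (set(), set()))
    for rec in filter(None, map(parse_avc, text.splitlines())):
        tgt = "self" if rec["target"] == rec["source"] else rec["target"]
        perms, comms = groups[(rec["source"], tgt, rec["tclass"])]
        perms.update(rec["perms"])
        comms.add(rec["comm"])
    out = []
    for (src, tgt, cls), (perms, comms) in sorted(groups.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        # Capability grants widen what the confined domain can do; flag them for review.
        out.append((f"allow {src} {tgt}:{cls} {body};", cls in CAP_CLASSES, sorted(comms)))
    return out

if __name__ == "__main__":
    for rule, review, comms in summarize(SAMPLE):
        print(("REVIEW " if review else "       ") + rule, "#", ", ".join(comms))
```

The hex decoding assumes raw records (as from 'ausearch --raw'); interpreted 'ausearch -i' output prints these fields unquoted and already decoded, so it should not be fed through decode_field.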

Comment 22 errata-xmlrpc 2020-04-28 16:40:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1773

