*** Bug 1892423 has been marked as a duplicate of this bug. ***

(In reply to Timo Trinks from comment #0)
> 3. Attempt suggested workaround via "ausearch -c 'Xephyr' --raw |
> audit2allow -M my-Xephyr" and "semodule -X 300 -i my-Xephyr.pp" which does
> not mitigate the problem
Can you elaborate on this statement? Do you still see the same AVC denials, or others, or none?

Can you also, before reproducing again, set the system to selinux permissive mode and gather all denials?

# setenforce 0
<reproduce>
# setenforce 1
# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts recent

(In reply to Zdenek Pytela from comment #2)
> (In reply to Timo Trinks from comment #0)
> > 3. Attempt suggested workaround via "ausearch -c 'Xephyr' --raw |
> > audit2allow -M my-Xephyr" and "semodule -X 300 -i my-Xephyr.pp" which does
> > not mitigate the problem
> Can you elaborate on this statement? Do you still see the same AVC denials,
> or others, or none?

With that module enabled there's nothing - no AVC denials, nothing. But also no sandbox -X working...
I have completely removed and deleted the "my-Xephyr.pp" since it didn't have any effect...

> Can you also, before reproducing again, set the system to selinux permissive
> mode and gather all denials?
> 
> # setenforce 0
> <reproduce>
> # setenforce 1
> # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts recent

[XXXXXXX@XXXXXXX ~]# setenforce 0

[...]

[XXXXXXX@XXXXXXX:~()]$ getenforce
Permissive

[...]

[XXXXXXX@XXXXXXX:~()]$ strace sandbox -X -t sandbox_net_t -t sandbox_web_t -w 1280x1024 firefox (some random strace output below, not sure whether it's useful)

[...]

openat(AT_FDCWD, "/proc/thread-self/attr/current", O_RDONLY|O_CLOEXEC) = 3
read(3, "unconfined_u:unconfined_r:unconf"..., 4095) = 54
close(3)                                = 0
socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC, 0) = 3
bind(3, {sa_family=AF_UNIX, sun_path=@"s0:c418,c757"}, 15) = 0
fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
getsockname(3, {sa_family=AF_UNIX, sun_path=@"s0:c418,c757"}, [110->15]) = 0
getpeername(3, 0x7ffcd4a7b9b0, [110])   = -1 ENOTCONN (Transport endpoint is not connected)
close(3)                                = 0
openat(AT_FDCWD, "/proc/thread-self/attr/current", O_RDONLY|O_CLOEXEC) = 3
...
socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC, 0) = 12
connect(12, {sa_family=AF_UNIX, sun_path="/run/user/1000/bus"}, 20) = 0
fcntl(12, F_GETFL)                      = 0x2 (flags O_RDWR)
fcntl(12, F_SETFL, O_RDWR|O_NONBLOCK)   = 0
geteuid()                               = 1000
getsockname(12, {sa_family=AF_UNIX}, [128->2]) = 0
poll([{fd=12, events=POLLOUT}], 1, 0)   = 1 ([{fd=12, revents=POLLOUT}])
sendto(12, "\0", 1, MSG_NOSIGNAL, NULL, 0) = 1
sendto(12, "AUTH EXTERNAL 31303030\r\n", 24, MSG_NOSIGNAL, NULL, 0) = 24
poll([{fd=12, events=POLLIN}], 1, -1)   = 1 ([{fd=12, revents=POLLIN}])
read(12, "OK 603104ccbd76256cb1211d529b7cc"..., 2048) = 37
poll([{fd=12, events=POLLOUT}], 1, -1)  = 1 ([{fd=12, revents=POLLOUT}])
sendto(12, "NEGOTIATE_UNIX_FD\r\n", 19, MSG_NOSIGNAL, NULL, 0) = 19
poll([{fd=12, events=POLLIN}], 1, -1)   = 1 ([{fd=12, revents=POLLIN}])
read(12, "AGREE_UNIX_FD\r\n", 2048)     = 15
poll([{fd=12, events=POLLOUT}], 1, -1)  = 1 ([{fd=12, revents=POLLOUT}])
sendto(12, "BEGIN\r\n", 7, MSG_NOSIGNAL, NULL, 0) = 7
poll([{fd=12, events=POLLIN|POLLOUT}], 1, -1) = 1 ([{fd=12, revents=POLLOUT}])
sendmsg(12, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="l\1\0\1\0\0\0\0\1\0\0\0n\0\0\0\1\1o\0\25\0\0\0/org/fre"..., iov_len=128}, {iov_base="", iov_len=0}], msg_iovlen=2, msg_controllen=0, msg_flags=0}, MSG_NOSIGNAL) = 128
poll([{fd=12, events=POLLIN}], 1, 25000) = 1 ([{fd=12, revents=POLLIN}])
recvmsg(12, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="l\2\1\1\v\0\0\0\377\377\377\377?\0\0\0\5\1u\0\1\0\0\0\7\1s\0\24\0\0\0"..., iov_len=2048}], msg_iovlen=1, msg_controllen=0, msg_flags=MSG_CMSG_CLOEXEC}, MSG_CMSG_CLOEXEC) = 262
recvmsg(12, {msg_namelen=0}, MSG_CMSG_CLOEXEC) = -1 EAGAIN (Resource temporarily unavailable)
sendmsg(12, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="l\1\0\1\0\0\0\0\2\0\0\0[\0\0\0\1\1o\0\r\0\0\0/org/a11"..., iov_len=112}, {iov_base="", iov_len=0}], msg_iovlen=2, msg_controllen=0, msg_flags=0}, MSG_NOSIGNAL) = 112
poll([{fd=12, events=POLLIN}], 1, 25000) = 1 ([{fd=12, revents=POLLIN}])
recvmsg(12, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="l\2\1\1\30\0\0\0%\0\0\0.\0\0\0\6\1s\0\6\0\0\0:1.136\0\0"..., iov_len=2048}], msg_iovlen=1, msg_controllen=0, msg_flags=MSG_CMSG_CLOEXEC}, MSG_CMSG_CLOEXEC) = 88
recvmsg(12, {msg_namelen=0}, MSG_CMSG_CLOEXEC) = -1 EAGAIN (Resource temporarily unavailable)

[...]

[XXXXXXX@XXXXXXX ~]# setenforce 1

[...]

[XXXXXXX@XXXXXXX ~]# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts recent
----
type=AVC msg=audit(11/06/2020 08:17:12.445:433) : avc:  denied  { name_connect } for  pid=10853 comm=Xephyr dest=6000 scontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c218,c960 tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket permissive=1 
----
type=AVC msg=audit(11/06/2020 08:17:46.067:442) : avc:  denied  { name_connect } for  pid=11372 comm=Xephyr dest=6000 scontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c418,c757 tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket permissive=1

Hi,

Thanks for the commands output. It is not clear form me though if in SELinux permissive mode the application works or not. If not, SELinux is not the only one blocking. 

If yes, it is possible some dontaudit rules are in place, there are a lot of them for sandbox. Please make another attempt with

# setenforce 0
# semodule -DB
<reproduce>
# semodule -B
# setenforce 1
# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts recent

I suppose no SELinux custom module is loaded any longer.

In strace, any syscall with EACCESS or EPERM may indicate SELinux blocking the access.

Hi Zdenek,

(In reply to Zdenek Pytela from comment #4)
> Hi,
> 
> Thanks for the commands output. It is not clear form me though if in SELinux
> permissive mode the application works or not. If not, SELinux is not the
> only one blocking.

As the AVC in the audit log (see my previous comment [1]) indicates, the 'strace sandbox -X -t sandbox_net_t -t sandbox_web_t -w 1280x1024 firefox' was run in permissive mode ([...] tclass=tcp_socket permissive=1). I should've mentioned that - despite in permissive mode - there's still the "SELinux is preventing Xephyr from name_connect access on the tcp_socket port 6000." and no X application is started via sandbox... (so, TL;DR - sandbox -X does not work, regardless whether SELinux is in Enforcing or Permissive).

> If yes, it is possible some dontaudit rules are in place, there are a lot of
> them for sandbox. Please make another attempt with
> 
> # setenforce 0
> # semodule -DB
> <reproduce>
> # semodule -B
> # setenforce 1
> # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts recent

[XXXXXXX@XXXXXXX ~]# setenforce 0
[...]
[XXXXXXX@XXXXXXX ~]# semodule -DB
[...]
[XXXXXXX@XXXXXXX:~()]$ strace -o strace.txt sandbox -X -t sandbox_net_t -t sandbox_web_t -w 1280x1024 firefox
[...]
[XXXXXXX@XXXXXXX ~]# semodule -B
[...]
[XXXXXXX@XXXXXXX ~]# setenforce 1
[...]
[XXXXXXX@XXXXXXX ~]# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts recent

----
type=AVC msg=audit(11/07/2020 11:53:48.511:393) : avc:  denied  { open } for  pid=17453 comm=sandboxX.sh path=/dev/pts/4 dev="devpts" ino=7 scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c209,c404 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=1 
----
type=AVC msg=audit(11/07/2020 11:53:48.514:394) : avc:  denied  { noatsecure } for  pid=17460 comm=sandboxX.sh scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c209,c404 tcontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c209,c404 tclass=process permissive=1 
----
type=AVC msg=audit(11/07/2020 11:53:48.515:395) : avc:  denied  { rlimitinh } for  pid=17460 comm=Xephyr scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c209,c404 tcontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c209,c404 tclass=process permissive=1 
----
type=AVC msg=audit(11/07/2020 11:53:48.515:396) : avc:  denied  { siginh } for  pid=17460 comm=Xephyr scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c209,c404 tcontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c209,c404 tclass=process permissive=1 
----
type=AVC msg=audit(11/07/2020 11:53:48.524:397) : avc:  denied  { name_connect } for  pid=17460 comm=Xephyr dest=6000 scontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c209,c404 tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket permissive=1 
----
type=AVC msg=audit(11/07/2020 11:53:52.045:400) : avc:  denied  { siginh } for  pid=17486 comm=SetroubleshootP scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1 

Not sure whether the output above indicates some issues with Xephyr's source context...
 
> I suppose no SELinux custom module is loaded any longer.

Correct. See my previous comment [2]...:

>> I have completely removed and deleted the "my-Xephyr.pp" since it didn't have any effect...

So, yes. There are no SELinux custom modules loaded (and haven't been before this troubleshooting). SELinux has not been changed since upgrading from Fedora 32.
 Under Fedora 32 SELinux was not preventing Xephyr from name_connect access on the tcp_socket port 6000.
 
> In strace, any syscall with EACCESS or EPERM may indicate SELinux blocking the access.

Perhaps the below is of anny use...:

[XXXXXXX@XXXXXXX:~()]$ egrep -i 'EACCESS|EPERM|exit|sigchld' strace.txt 
rt_sigaction(SIGCHLD, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
read(3, "= 0\n\n    sys.exit(rc)\n", 4096) = 22
read(3, "#\2\0\0\n\0\0\0\23\5\0\0\10\0\0\0sepermit\363\21\0\0@\5\0\0"..., 4096) = 4096
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7fdee91d1a10) = 17451
wait4(17451, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 17451
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=17451, si_uid=1000, si_status=0, si_utime=0, si_stime=0} ---
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7fdee91d1a10) = 17452
wait4(17452, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 17452
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=17452, si_uid=1000, si_status=0, si_utime=0, si_stime=0} ---
exit_group(0)                           = ?
+++ exited with 0 +++

Thanks,

Timo

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1892567#c0
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1892567#c3

@zpytela To make sure that this issue is not limited to my personal machine (or due to the fact that this machines was upgraded from F32 to F33) I have tested this issue on a vanilla F33 system - same issue, same SELinux alerts in relation to Xephyr...

So if I am correct, it is required both to connect to port 6000 and open /dev/pts terminal. I cannot reproduce the issue easily, but you can try to insert a custom module:

  # cat local_sandbox_x.cil
(allow sandbox_xserver_t xserver_port_t (tcp_socket (name_connect)))
(allow sandbox_web_t user_devpts_t (chr_file (open)))

  # semodule -i local_sandbox_x.cil

Then reproduce the scenario in SELinux enforcing mode, with dontaudit rules disabled again:

  # semodule -B
  # setenforce 1

To delete the module, run

  # semodule -d local_sandbox_x

It seems it is only opening which is not allowed:
# sesearch -A -s sandbox_web_t -t user_devpts_t -c chr_file 
allow domain file_type:chr_file map; [ domain_can_mmap_files ]:True
allow sandbox_x_domain user_devpts_t:chr_file { append getattr ioctl lock read write };

so the policy author's goal apparently was to allow read/write inherited fds only.

I managed to find out the dontaudited rule:
commit e64870f73f62a73b50818a0d46793709fb2b0a3e
Author: Dan Walsh <dwalsh>
Date:   Thu Jun 20 14:29:34 2013 -0400

    Dontaudit sandbox apps attempting to open user_devpts_t

diff --git a/sandboxX.te b/sandboxX.te
index cb720ee45..03b518c06 100644
--- a/sandboxX.te
+++ b/sandboxX.te
@@ -463,3 +463,4 @@ optional_policy(`
         mozilla_plugin_dontaudit_rw_sem(sandbox_x_domain)
        mozilla_plugin_dontaudit_leaks(sandbox_x_domain)
 ')
+userdom_dontaudit_open_user_ptys(sandbox_x_domain)

So I updated the existing PR:
https://github.com/fedora-selinux/selinux-policy-contrib/pull/374
which now waits for a review.

Also note it actually is the -r switch to remove a policy module:
  # semodule -r local_sandbox_x

FEDORA-2020-aff0be81b3 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2020-aff0be81b3

:+1: karma at https://bodhi.fedoraproject.org/updates/FEDORA-2020-aff0be81b3

FEDORA-2020-aff0be81b3 has been pushed to the Fedora 33 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-aff0be81b3`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-aff0be81b3

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2020-aff0be81b3 has been pushed to the Fedora 33 stable repository.
If problem still persists, please make note of it in this bug report.