Description of problem: After upgrading to Fedora 33 from Fedora 32, running sandboxed X applications via "sandbox -X" no longer works and fails with a "SELinux is preventing Xephyr from name_connect access on the tcp_socket port 6000." error. The system has been re-labeled via .autorelabel and fixfiles. Version-Release number of selected component (if applicable): - selinux-policy-targeted-3.14.6-29.fc33.noarch - policycoreutils-sandbox-3.1-4.fc33.x86_64 (sandbox) - xorg-x11-server-Xephyr-1.20.9-1.fc33.x86_64 (Xephyr) How reproducible: Always Steps to Reproduce: 1. Run "sandbox -X -t sandbox_net_t -t sandbox_web_t -w 1280x1024 firefox" which fails 2. Check "SETroubleshoot Details Window" for "SELinux is preventing Xephyr from name_connect access on the tcp_socket port 6000." 3. Attempt suggested workaround via "ausearch -c 'Xephyr' --raw | audit2allow -M my-Xephyr" and "semodule -X 300 -i my-Xephyr.pp" which does not mitigate the problem Actual results: Fail. type=AVC msg=audit(1603956583.458:365): avc: denied { name_connect } for pid=9529 comm="Xephyr" dest=6000 scontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c399,c464 tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket permissive=0 Expected results: Run "sandbox -X -t sandbox_net_t -t sandbox_web_t -w 1280x1024 firefox" (and any other sandboxed X application successfully like on Fedora 32). Additional info: [xxxxxx@xxxxxx:~()]$ fixfiles check Checking / /boot /dev /dev/hugepages /dev/mqueue /dev/pts /dev/shm /home /home/virt /run /run/user/1000 /run/user/1002 /sys /sys/fs/cgroup /sys/fs/pstore /sys/kernel/debug /sys/kernel/debug/tracing /sys/kernel/tracing /tmp /usr /var Warning no default label for /dev/mqueue Warning no default label for /sys/kernel/debug/tracing
*** Bug 1892423 has been marked as a duplicate of this bug. ***
(In reply to Timo Trinks from comment #0) > 3. Attempt suggested workaround via "ausearch -c 'Xephyr' --raw | > audit2allow -M my-Xephyr" and "semodule -X 300 -i my-Xephyr.pp" which does > not mitigate the problem Can you elaborate on this statement? Do you still see the same AVC denials, or others, or none? Can you also, before reproducing again, set the system to selinux permissive mode and gather all denials? # setenforce 0 <reproduce> # setenforce 1 # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts recent
(In reply to Zdenek Pytela from comment #2) > (In reply to Timo Trinks from comment #0) > > 3. Attempt suggested workaround via "ausearch -c 'Xephyr' --raw | > > audit2allow -M my-Xephyr" and "semodule -X 300 -i my-Xephyr.pp" which does > > not mitigate the problem > Can you elaborate on this statement? Do you still see the same AVC denials, > or others, or none? With that module enabled there's nothing - no AVC denials, nothing. But also no sandbox -X working... I have completely removed and deleted the "my-Xephyr.pp" since it didn't have any effect... > Can you also, before reproducing again, set the system to selinux permissive > mode and gather all denials? > > # setenforce 0 > <reproduce> > # setenforce 1 > # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts recent [XXXXXXX@XXXXXXX ~]# setenforce 0 [...] [XXXXXXX@XXXXXXX:~()]$ getenforce Permissive [...] [XXXXXXX@XXXXXXX:~()]$ strace sandbox -X -t sandbox_net_t -t sandbox_web_t -w 1280x1024 firefox (some random strace output below, not sure whether it's useful) [...] openat(AT_FDCWD, "/proc/thread-self/attr/current", O_RDONLY|O_CLOEXEC) = 3 read(3, "unconfined_u:unconfined_r:unconf"..., 4095) = 54 close(3) = 0 socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC, 0) = 3 bind(3, {sa_family=AF_UNIX, sun_path=@"s0:c418,c757"}, 15) = 0 fcntl(3, F_SETFD, FD_CLOEXEC) = 0 getsockname(3, {sa_family=AF_UNIX, sun_path=@"s0:c418,c757"}, [110->15]) = 0 getpeername(3, 0x7ffcd4a7b9b0, [110]) = -1 ENOTCONN (Transport endpoint is not connected) close(3) = 0 openat(AT_FDCWD, "/proc/thread-self/attr/current", O_RDONLY|O_CLOEXEC) = 3 ... socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC, 0) = 12 connect(12, {sa_family=AF_UNIX, sun_path="/run/user/1000/bus"}, 20) = 0 fcntl(12, F_GETFL) = 0x2 (flags O_RDWR) fcntl(12, F_SETFL, O_RDWR|O_NONBLOCK) = 0 geteuid() = 1000 getsockname(12, {sa_family=AF_UNIX}, [128->2]) = 0 poll([{fd=12, events=POLLOUT}], 1, 0) = 1 ([{fd=12, revents=POLLOUT}]) sendto(12, "\0", 1, MSG_NOSIGNAL, NULL, 0) = 1 sendto(12, "AUTH EXTERNAL 31303030\r\n", 24, MSG_NOSIGNAL, NULL, 0) = 24 poll([{fd=12, events=POLLIN}], 1, -1) = 1 ([{fd=12, revents=POLLIN}]) read(12, "OK 603104ccbd76256cb1211d529b7cc"..., 2048) = 37 poll([{fd=12, events=POLLOUT}], 1, -1) = 1 ([{fd=12, revents=POLLOUT}]) sendto(12, "NEGOTIATE_UNIX_FD\r\n", 19, MSG_NOSIGNAL, NULL, 0) = 19 poll([{fd=12, events=POLLIN}], 1, -1) = 1 ([{fd=12, revents=POLLIN}]) read(12, "AGREE_UNIX_FD\r\n", 2048) = 15 poll([{fd=12, events=POLLOUT}], 1, -1) = 1 ([{fd=12, revents=POLLOUT}]) sendto(12, "BEGIN\r\n", 7, MSG_NOSIGNAL, NULL, 0) = 7 poll([{fd=12, events=POLLIN|POLLOUT}], 1, -1) = 1 ([{fd=12, revents=POLLOUT}]) sendmsg(12, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="l\1\0\1\0\0\0\0\1\0\0\0n\0\0\0\1\1o\0\25\0\0\0/org/fre"..., iov_len=128}, {iov_base="", iov_len=0}], msg_iovlen=2, msg_controllen=0, msg_flags=0}, MSG_NOSIGNAL) = 128 poll([{fd=12, events=POLLIN}], 1, 25000) = 1 ([{fd=12, revents=POLLIN}]) recvmsg(12, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="l\2\1\1\v\0\0\0\377\377\377\377?\0\0\0\5\1u\0\1\0\0\0\7\1s\0\24\0\0\0"..., iov_len=2048}], msg_iovlen=1, msg_controllen=0, msg_flags=MSG_CMSG_CLOEXEC}, MSG_CMSG_CLOEXEC) = 262 recvmsg(12, {msg_namelen=0}, MSG_CMSG_CLOEXEC) = -1 EAGAIN (Resource temporarily unavailable) sendmsg(12, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="l\1\0\1\0\0\0\0\2\0\0\0[\0\0\0\1\1o\0\r\0\0\0/org/a11"..., iov_len=112}, {iov_base="", iov_len=0}], msg_iovlen=2, msg_controllen=0, msg_flags=0}, MSG_NOSIGNAL) = 112 poll([{fd=12, events=POLLIN}], 1, 25000) = 1 ([{fd=12, revents=POLLIN}]) recvmsg(12, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="l\2\1\1\30\0\0\0%\0\0\0.\0\0\0\6\1s\0\6\0\0\0:1.136\0\0"..., iov_len=2048}], msg_iovlen=1, msg_controllen=0, msg_flags=MSG_CMSG_CLOEXEC}, MSG_CMSG_CLOEXEC) = 88 recvmsg(12, {msg_namelen=0}, MSG_CMSG_CLOEXEC) = -1 EAGAIN (Resource temporarily unavailable) [...] [XXXXXXX@XXXXXXX ~]# setenforce 1 [...] [XXXXXXX@XXXXXXX ~]# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts recent ---- type=AVC msg=audit(11/06/2020 08:17:12.445:433) : avc: denied { name_connect } for pid=10853 comm=Xephyr dest=6000 scontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c218,c960 tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket permissive=1 ---- type=AVC msg=audit(11/06/2020 08:17:46.067:442) : avc: denied { name_connect } for pid=11372 comm=Xephyr dest=6000 scontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c418,c757 tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket permissive=1
Hi, Thanks for the commands output. It is not clear form me though if in SELinux permissive mode the application works or not. If not, SELinux is not the only one blocking. If yes, it is possible some dontaudit rules are in place, there are a lot of them for sandbox. Please make another attempt with # setenforce 0 # semodule -DB <reproduce> # semodule -B # setenforce 1 # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts recent I suppose no SELinux custom module is loaded any longer. In strace, any syscall with EACCESS or EPERM may indicate SELinux blocking the access.
Hi Zdenek, (In reply to Zdenek Pytela from comment #4) > Hi, > > Thanks for the commands output. It is not clear form me though if in SELinux > permissive mode the application works or not. If not, SELinux is not the > only one blocking. As the AVC in the audit log (see my previous comment [1]) indicates, the 'strace sandbox -X -t sandbox_net_t -t sandbox_web_t -w 1280x1024 firefox' was run in permissive mode ([...] tclass=tcp_socket permissive=1). I should've mentioned that - despite in permissive mode - there's still the "SELinux is preventing Xephyr from name_connect access on the tcp_socket port 6000." and no X application is started via sandbox... (so, TL;DR - sandbox -X does not work, regardless whether SELinux is in Enforcing or Permissive). > If yes, it is possible some dontaudit rules are in place, there are a lot of > them for sandbox. Please make another attempt with > > # setenforce 0 > # semodule -DB > <reproduce> > # semodule -B > # setenforce 1 > # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts recent [XXXXXXX@XXXXXXX ~]# setenforce 0 [...] [XXXXXXX@XXXXXXX ~]# semodule -DB [...] [XXXXXXX@XXXXXXX:~()]$ strace -o strace.txt sandbox -X -t sandbox_net_t -t sandbox_web_t -w 1280x1024 firefox [...] [XXXXXXX@XXXXXXX ~]# semodule -B [...] [XXXXXXX@XXXXXXX ~]# setenforce 1 [...] [XXXXXXX@XXXXXXX ~]# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts recent ---- type=AVC msg=audit(11/07/2020 11:53:48.511:393) : avc: denied { open } for pid=17453 comm=sandboxX.sh path=/dev/pts/4 dev="devpts" ino=7 scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c209,c404 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=1 ---- type=AVC msg=audit(11/07/2020 11:53:48.514:394) : avc: denied { noatsecure } for pid=17460 comm=sandboxX.sh scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c209,c404 tcontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c209,c404 tclass=process permissive=1 ---- type=AVC msg=audit(11/07/2020 11:53:48.515:395) : avc: denied { rlimitinh } for pid=17460 comm=Xephyr scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c209,c404 tcontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c209,c404 tclass=process permissive=1 ---- type=AVC msg=audit(11/07/2020 11:53:48.515:396) : avc: denied { siginh } for pid=17460 comm=Xephyr scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c209,c404 tcontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c209,c404 tclass=process permissive=1 ---- type=AVC msg=audit(11/07/2020 11:53:48.524:397) : avc: denied { name_connect } for pid=17460 comm=Xephyr dest=6000 scontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c209,c404 tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket permissive=1 ---- type=AVC msg=audit(11/07/2020 11:53:52.045:400) : avc: denied { siginh } for pid=17486 comm=SetroubleshootP scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1 Not sure whether the output above indicates some issues with Xephyr's source context... > I suppose no SELinux custom module is loaded any longer. Correct. See my previous comment [2]...: >> I have completely removed and deleted the "my-Xephyr.pp" since it didn't have any effect... So, yes. There are no SELinux custom modules loaded (and haven't been before this troubleshooting). SELinux has not been changed since upgrading from Fedora 32. Under Fedora 32 SELinux was not preventing Xephyr from name_connect access on the tcp_socket port 6000. > In strace, any syscall with EACCESS or EPERM may indicate SELinux blocking the access. Perhaps the below is of anny use...: [XXXXXXX@XXXXXXX:~()]$ egrep -i 'EACCESS|EPERM|exit|sigchld' strace.txt rt_sigaction(SIGCHLD, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0 read(3, "= 0\n\n sys.exit(rc)\n", 4096) = 22 read(3, "#\2\0\0\n\0\0\0\23\5\0\0\10\0\0\0sepermit\363\21\0\0@\5\0\0"..., 4096) = 4096 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7fdee91d1a10) = 17451 wait4(17451, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 17451 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=17451, si_uid=1000, si_status=0, si_utime=0, si_stime=0} --- clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7fdee91d1a10) = 17452 wait4(17452, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 17452 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=17452, si_uid=1000, si_status=0, si_utime=0, si_stime=0} --- exit_group(0) = ? +++ exited with 0 +++ Thanks, Timo [1] https://bugzilla.redhat.com/show_bug.cgi?id=1892567#c0 [2] https://bugzilla.redhat.com/show_bug.cgi?id=1892567#c3
@zpytela To make sure that this issue is not limited to my personal machine (or due to the fact that this machines was upgraded from F32 to F33) I have tested this issue on a vanilla F33 system - same issue, same SELinux alerts in relation to Xephyr...
So if I am correct, it is required both to connect to port 6000 and open /dev/pts terminal. I cannot reproduce the issue easily, but you can try to insert a custom module: # cat local_sandbox_x.cil (allow sandbox_xserver_t xserver_port_t (tcp_socket (name_connect))) (allow sandbox_web_t user_devpts_t (chr_file (open))) # semodule -i local_sandbox_x.cil Then reproduce the scenario in SELinux enforcing mode, with dontaudit rules disabled again: # semodule -B # setenforce 1 To delete the module, run # semodule -d local_sandbox_x It seems it is only opening which is not allowed: # sesearch -A -s sandbox_web_t -t user_devpts_t -c chr_file allow domain file_type:chr_file map; [ domain_can_mmap_files ]:True allow sandbox_x_domain user_devpts_t:chr_file { append getattr ioctl lock read write }; so the policy author's goal apparently was to allow read/write inherited fds only. I managed to find out the dontaudited rule: commit e64870f73f62a73b50818a0d46793709fb2b0a3e Author: Dan Walsh <dwalsh> Date: Thu Jun 20 14:29:34 2013 -0400 Dontaudit sandbox apps attempting to open user_devpts_t diff --git a/sandboxX.te b/sandboxX.te index cb720ee45..03b518c06 100644 --- a/sandboxX.te +++ b/sandboxX.te @@ -463,3 +463,4 @@ optional_policy(` mozilla_plugin_dontaudit_rw_sem(sandbox_x_domain) mozilla_plugin_dontaudit_leaks(sandbox_x_domain) ') +userdom_dontaudit_open_user_ptys(sandbox_x_domain)
So I updated the existing PR: https://github.com/fedora-selinux/selinux-policy-contrib/pull/374 which now waits for a review. Also note it actually is the -r switch to remove a policy module: # semodule -r local_sandbox_x
FEDORA-2020-aff0be81b3 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2020-aff0be81b3
:+1: karma at https://bodhi.fedoraproject.org/updates/FEDORA-2020-aff0be81b3
FEDORA-2020-aff0be81b3 has been pushed to the Fedora 33 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-aff0be81b3` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-aff0be81b3 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2020-aff0be81b3 has been pushed to the Fedora 33 stable repository. If problem still persists, please make note of it in this bug report.