Description of problem:
After upgrading to "selinux-policy-sandbox-34.11-1.fc34.noarch" on Fedora 34 running Firefox in sandbox now fails with:

<snip>
[user@host:~()]$ sandbox -X -t sandbox_net_t -t sandbox_web_t -w 1280x1024 firefox
dbus[13634]: Unable to set up transient service directory: Failed to create directory /run/user/1000/dbus-1: Permission denied
dbus-daemon[13634]: Cannot setup inotify for '/usr/share/dbus-1/session.d'; error 'Permission denied'
/usr/bin/firefox: line 196: getenforce: command not found
/usr/bin/firefox: line 196: [: !=: unary operator expected
Unable to init server: Could not connect: Connection refused
Error: cannot open display: :2
<snap>

Version-Release number of selected component (if applicable):
Version: 34.12
Release: 1.fc34

How reproducible:
Always

Steps to Reproduce:
1. run "sandbox -X -t sandbox_net_t -t sandbox_web_t -w 1280x1024 firefox" on Fedora 34 with selinux-policy-sandbox-34.12-1.fc34.noarch installed
2.
3.

Actual results:
<snip>
[user@host:~()]$ sandbox -X -t sandbox_net_t -t sandbox_web_t -w 1280x1024 firefox
dbus[13634]: Unable to set up transient service directory: Failed to create directory /run/user/1000/dbus-1: Permission denied
dbus-daemon[13634]: Cannot setup inotify for '/usr/share/dbus-1/session.d'; error 'Permission denied'
/usr/bin/firefox: line 196: getenforce: command not found
/usr/bin/firefox: line 196: [: !=: unary operator expected
Unable to init server: Could not connect: Connection refused
Error: cannot open display: :2
<snap>

Expected results:
Be able to run Firefox via SELinux Sandbox.

Additional info:
To add to this: After downgrading to selinux-policy-sandbox-34-1.fc34.noarch and relabelling the file system via /.autorelabel, "sandbox -X -t sandbox_net_t -t sandbox_web_t -w 1280x1024 firefox" works (again).
@zpytela - This appears to be a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1960382

The following two temporary setsebools make running X applications via sandbox work again for me (tested with selinux-policy-sandbox-34.13-1.fc34.noarch):

- setsebool -P domain_can_mmap_files 1
- setsebool -P xserver_clients_write_xshm 1

After that "sandbox -X -t sandbox_net_t -t sandbox_web_t -w 1280x1024 firefox" would start a sandboxed Firefox again and not throw the errors listed above.
Hi Timo,

I created PR to our policy with new rules:
https://github.com/fedora-selinux/selinux-policy/pull/972

Also these booleans have to be enabled:

- setsebool -P use_fusefs_home_dirs 1
- setsebool -P xserver_clients_write_xshm 1

Nikola
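The workaround in comments 3 and 4 depends on a handful of SELinux booleans being on before the sandbox is started. The script below is an added example and is not part of this bug report or of the selinux-policy project: it reads `getsebool -a` output (a constructed sample is embedded so it runs offline; pass `--live` on a real Fedora host to use the actual output) and prints only the `setsebool -P` lines still needed. Checking the union of the booleans named in comments 3 and 4 is an assumption made here; the function names are likewise chosen for the example.

```shell
#!/bin/sh
# Added example, not code from the bug report or from selinux-policy.
# Lists which of the booleans named in the workaround are still off and
# prints the setsebool commands that would turn them on. Checking the
# union of the booleans from comments 3 and 4 is an assumption of this
# example; the function and variable names are constructed here.

REQUIRED_BOOLEANS="domain_can_mmap_files xserver_clients_write_xshm use_fusefs_home_dirs"

# missing_booleans GETSEBOOL_OUTPUT
# Prints, one per line, each required boolean whose value in the given
# `getsebool -a` text is not "on" (absent booleans count as missing, which
# also flags a policy that does not define them at all).
# Input lines have the form:  use_fusefs_home_dirs --> off
missing_booleans() {
    _out="$1"
    for b in $REQUIRED_BOOLEANS; do
        _val=$(printf '%s\n' "$_out" | awk -v name="$b" '$1 == name && $2 == "-->" { print $3 }')
        if [ "$_val" != "on" ]; then
            printf '%s\n' "$b"
        fi
    done
}

# setsebool_commands GETSEBOOL_OUTPUT
# Prints one persistent (-P) setsebool line per missing boolean; prints
# nothing when everything is already enabled.
setsebool_commands() {
    missing_booleans "$1" | while read -r b; do
        printf 'setsebool -P %s 1\n' "$b"
    done
}

# Constructed sample of `getsebool -a` output, trimmed to relevant lines.
SAMPLE_OUTPUT='domain_can_mmap_files --> off
use_fusefs_home_dirs --> off
xserver_clients_write_xshm --> on
xserver_object_manager --> off'

# With --live on a host that has getsebool, check the real policy state;
# otherwise run against the constructed sample so the script works offline.
if [ "${1:-}" = "--live" ] && command -v getsebool >/dev/null 2>&1; then
    setsebool_commands "$(getsebool -a)"
else
    setsebool_commands "$SAMPLE_OUTPUT"
fi
```

Run the printed commands as root, then retry the `sandbox -X ...` invocation from comment 0; because `-P` writes the change into the policy store, the booleans survive a reboot and a later `/.autorelabel`.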
*** Bug 1960382 has been marked as a duplicate of this bug. ***
PR merged, backporting to F34.
FEDORA-2022-8e1e2c866c has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2022-8e1e2c866c
FEDORA-2022-8e1e2c866c has been pushed to the Fedora 34 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-8e1e2c866c` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-8e1e2c866c See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-8e1e2c866c has been pushed to the Fedora 34 stable repository. If problem still persists, please make note of it in this bug report.
(In reply to nknazeko from comment #3)
> Hi Timo,
>
> I created PR to our policy with new rules:
> https://github.com/fedora-selinux/selinux-policy/pull/972
>
> Also these booleans have to be enabled:
>
> - setsebool -P use_fusefs_home_dirs 1
> - setsebool -P xserver_clients_write_xshm 1
>
>
> Nikola

Thank you, Nikola, much appreciated!

Cheers,
Timo