Description of problem: After upgrading from Fedora 36 to Fedora 37 (via dnf system-upgrade download --refresh --releasever=37) sandbox -X (e.g. sandbox -X firefox) stopped working under Wayland (XDG_SESSION_TYPE=wayland). It does work under X11, though, so this issue is Wayland-specific. Also, for the record, sandbox -X is working fine under wayland on Fedora 36. Version-Release number of selected component (if applicable): policycoreutils-3.4-6.fc37.x86_64 How reproducible: Always. Steps to Reproduce: 1. Boot Fedora 37, log in with Wayland session 2. Execute sandbox -X (e.g. sandbox -X firefox) 3. Nothing happens, no AVCs, etc. Actual results: Fail. Nothing happens, no AVCs, etc. Expected results: sandbox -X firefox launches a sandboxed Firefox. Additional info: I can attach an strace output if it helps.
Something has changed in respect of X server access control. It works `xhost +` is run before `sandbox -X firefox`
Hi Petr! I can confirm that a `xhost +SI:localuser:<username>` addresses this under Wayland on Fedora 37 - thank you very much! Cheers, Timo
It seems to be related to this change https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/2633 and therefore only authorized X clients can connect. Other compositors like sway or wayfire still use "SI:localuser:<username>" and are not affected. I guess that we would need to propagate .Xauthority file into unshared sandbox environment. In the mean time I suggest to use the workaround mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=2149142#c2 xhost +SI:localuser:<username>
Hello Petr! Thanks for having another look. As per my previous comment the proposed workaround (xhost +SI:localuser:<username>) works (on Wayland) and I have been using it ever since. A more pressing issue is that audio has stopped working in SELinux sandboxed (via /usr/bin/sandbox) applications [1]. This experience is not isolated to me and has been reported by other users (see details in Bugzilla 2215499 [1]). Not sure whether this is more of a sandbox <-> dbus <-> selinux issue, perhaps you have an idea... Cheers, Timo [1] https://bugzilla.redhat.com/show_bug.cgi?id=2215499
This message is a reminder that Fedora Linux 37 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 37 on 2023-12-05. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '37'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, change the 'version' to a later Fedora Linux version. Note that the version field may be hidden. Click the "Show advanced fields" button if you do not see it. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora Linux 37 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora Linux, you are encouraged to change the 'version' to a later version prior to this bug being closed.
I'm working on support for XWayland in sandbox when it's run in Wayland session. The development branch is https://github.com/bachradsusi/selinux/tree/XWayland You can test it using rpms from my https://copr.fedorainfracloud.org/coprs/plautrba/sandbox-wayland/ COPR repository. In my environment improved sandbox -X works without `xhost` and audio works as expected. It requires Rawhide selinux-policy package and this small local SELinux module: module sandbox-wayland 1.0; require { type sandbox_xserver_tmpfs_t; type sysctl_dev_t; type sandbox_xserver_t; type sandbox_web_client_t; type dri_device_t; class file { getattr map open read write }; class dir search; class chr_file { read write }; } #============= sandbox_xserver_t ============== #!!!! This avc can be allowed using the boolean 'domain_can_mmap_files' allow sandbox_xserver_t sandbox_xserver_tmpfs_t:file map; allow sandbox_xserver_t sysctl_dev_t:dir search; allow sandbox_xserver_t sysctl_dev_t:file { getattr open read }; allow sandbox_web_client_t dri_device_t:chr_file { read write }; allow sandbox_web_client_t sandbox_xserver_tmpfs_t:file { read write }; It would be great if you tested it and provide me feedback how it works for you.
This message is a reminder that Fedora Linux 38 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 38 on 2024-05-21. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '38'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, change the 'version' to a later Fedora Linux version. Note that the version field may be hidden. Click the "Show advanced fields" button if you do not see it. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora Linux 38 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora Linux, you are encouraged to change the 'version' to a later version prior to this bug being closed.
FEDORA-2024-29469eb8ae (checkpolicy-3.7-2.fc40, libselinux-3.7-5.fc40, and 5 more) has been submitted as an update to Fedora 40. https://bodhi.fedoraproject.org/updates/FEDORA-2024-29469eb8ae
FEDORA-2024-29469eb8ae has been pushed to the Fedora 40 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-29469eb8ae` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-29469eb8ae See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
(In reply to Petr Lautrbach from comment #6) > I'm working on support for XWayland in sandbox when it's run in Wayland > session. > > The development branch is > https://github.com/bachradsusi/selinux/tree/XWayland > You can test it using rpms from my > https://copr.fedorainfracloud.org/coprs/plautrba/sandbox-wayland/ COPR > repository. > > In my environment improved sandbox -X works without `xhost` and audio works > as expected. > > It requires Rawhide selinux-policy package and this small local SELinux > module: > > > module sandbox-wayland 1.0; > > require { > type sandbox_xserver_tmpfs_t; > type sysctl_dev_t; > type sandbox_xserver_t; > type sandbox_web_client_t; > type dri_device_t; > class file { getattr map open read write }; > class dir search; > class chr_file { read write }; > } > > #============= sandbox_xserver_t ============== > > #!!!! This avc can be allowed using the boolean 'domain_can_mmap_files' > allow sandbox_xserver_t sandbox_xserver_tmpfs_t:file map; > allow sandbox_xserver_t sysctl_dev_t:dir search; > allow sandbox_xserver_t sysctl_dev_t:file { getattr open read }; > > allow sandbox_web_client_t dri_device_t:chr_file { read write }; > allow sandbox_web_client_t sandbox_xserver_tmpfs_t:file { read write }; > > > > It would be great if you tested it and provide me feedback how it works for > you. Sorry, @plautrba - I only saw this now (too busy with other stuff). This is great!! - any chance to get this into the official Fedora repos asap?
FEDORA-2024-29469eb8ae (checkpolicy-3.7-2.fc40, libselinux-3.7-5.fc40, and 5 more) has been pushed to the Fedora 40 stable repository. If problem still persists, please make note of it in this bug report.