Created attachment 2045938: strace output
Description of problem:
Hi all,
My PR was merged into Rawhide - https://github.com/fedora-selinux/selinux-policy/pull/2327 - (it shouldn't have trickled down to the Fedora release yet).
I'm facing a strange issue: I'm not sure if this was in the dmesg output before:
    [ 268.323846] warning: `/usr/sbin/seunshare' has both setuid-root and effective capabilities. Therefore not raising all capabilities.
In addition, 'sandbox -X firefox' outputs nothing. I've tried this on both an updated Rawhide VM and my Fedora Workstation. I couldn't find any AVCs either.
What's happening here? Could you please take a look?
Thanks,
Krish
Version-Release number of selected component (if applicable): Fedora 40 Workstation and Rawhide
PS: Spoken with Dan, Lukas, Zdeněk, and Petr.

Works for me with selinux-policy-41.17-1.fc41.noarch
I don't see any seunshare problem in logs
Is it a fresh system?
Do you see any changes in:
    # rpm -V policycoreutils-sandbox
Would reinstall of sandbox help:
    # dnf reinstall policycoreutils-sandbox

Does it work in permissive mode?
    sudo setenforce 0; sandbox -X firefox

kjain@zephyr:~$ rpm -V policycoreutils-sandbox
kjain@zephyr:~$ sudo dnf reinstall policycoreutils-sandbox
[sudo] password for kjain:
Fedora 40 - x86_64 - Updates                                             9.7 kB/s | 5.5 kB     00:00
Dependencies resolved.
========================================================================================================
 Package                          Architecture    Version            Repository    Size
========================================================================================================
Reinstalling:
 policycoreutils-sandbox          x86_64          3.6-3.fc40         fedora        57 k
Transaction Summary
========================================================================================================
Total download size: 57 k
Installed size: 135 k
Is this ok [y/N]: y
Downloading Packages:
policycoreutils-sandbox-3.6-3.fc40.x86_64.rpm                             73 kB/s |  57 kB     00:00
--------------------------------------------------------------------------------------------------------
Total                                                                     58 kB/s |  57 kB     00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                1/1
  Reinstalling     : policycoreutils-sandbox-3.6-3.fc40.x86_64      1/2
  Cleanup          : policycoreutils-sandbox-3.6-3.fc40.x86_64      2/2
  Running scriptlet: policycoreutils-sandbox-3.6-3.fc40.x86_64      2/2
Reinstalled:
  policycoreutils-sandbox-3.6-3.fc40.x86_64
Complete!
kjain@zephyr:~$ sandbox -X firefox
kjain@zephyr:~$
Doesn't work with sudo setenforce 0; sandbox -X firefox. Dan Walsh already asked me in the email thread.

Does it work on Rawhide with policycoreutils-3.7?
I did test on Rawhide a while back. Not sure what version of policycoreutils but it didn't work. Dan says this:
> I played with this a little and sandbox COMMAND seems to be working, but sandbox -X COMMAND is failing silently. Nothing I saw in the strace to help me understand why. Someone needs to examine the sandbox tools to see why they are exiting.
> The first command is just exiting.
    $ sandbox -X id -Z
But if I drop the -X option, it works.
    $ sandbox id -Z
    unconfined_u:unconfined_r:sandbox_t:s0:c113,c922
Looks like an issue in seunshare.

To install policycoreutils-3.7 you can use my COPR repo:
    $ sudo dnf copr enable plautrba/selinux-fedora
    $ sudo dnf update policycoreutils-sandbox
With this, `sandbox -X firefox` works in permissive. In order to make it run in enforcing, you would need the latest selinux-policy from rawhide.

Tested, I can confirm this works. Can you backport this to Fedora release (40)?
FEDORA-2024-29469eb8ae (checkpolicy-3.7-2.fc40, libselinux-3.7-5.fc40, and 5 more) has been submitted as an update to Fedora 40. https://bodhi.fedoraproject.org/updates/FEDORA-2024-29469eb8ae
FEDORA-2024-29469eb8ae has been pushed to the Fedora 40 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-29469eb8ae` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-29469eb8ae See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2024-29469eb8ae (checkpolicy-3.7-2.fc40, libselinux-3.7-5.fc40, and 5 more) has been pushed to the Fedora 40 stable repository. If the problem still persists, please make note of it in this bug report.