Bug 673224 - Sandboxes don't start after recent upgrade
Summary: Sandboxes don't start after recent upgrade
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 14
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2011-01-27 18:34 UTC by Amit Shah
Modified: 2011-02-18 20:24 UTC
CC: 5 users

Fixed In Version: selinux-policy-3.9.7-28.fc14
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-02-03 20:26:36 UTC
Type: ---
Embargoed:


Attachments
strace output (382.65 KB, text/plain), 2011-01-27 18:34 UTC, Amit Shah

Description Amit Shah 2011-01-27 18:34:55 UTC
Created attachment 475663
strace output

Description of problem:
After doing a system update today, sandboxes (at least for sandbox_web_t) don't start.  A window shows up and immediately closes.  There is no security alert.  I'm attaching the strace output.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.9.7-25.fc14.noarch

Comment 1 Daniel Walsh 2011-01-27 21:08:17 UTC
Are you seeing any AVC message?

Does 

sandbox -X xterm

work?

Comment 2 Amit Shah 2011-01-28 02:55:21 UTC
$ sandbox -X xterm
Failed to start message bus: Failed to open "/etc/selinux/targeted/contexts/dbus_contexts": Permission denied
EOF in dbus-launch reading address from bus daemon
Hangup

I see the following in /var/log/messages:

Jan 28 08:19:14 amit-x200 setroubleshoot: [root.ERROR] Could not open log file (/var/log/setroubleshoot/setroubleshootd.log) - using stderr
Jan 28 08:19:14 amit-x200 setroubleshoot: [Errno 13] Permission denied: '/var/run/setroubleshootd.pid'


Jan 28 08:15:26 amit-x200 setroubleshoot: [dbus.proxies.ERROR] Introspect error on :1.48:/org/fedoraproject/Setroubleshootd: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Message did not receive a reply (timeout by message bus)
Jan 28 08:15:26 amit-x200 setroubleshoot: [dbus.ERROR] could not start dbus: org.freedesktop.DBus.Error.ServiceUnknown: The name :1.48 was not provided by any .service files
Jan 28 08:15:31 amit-x200 dbus: [system] Rejected send message, 2 matched rules; type="method_call", sender=":1.63" (uid=500 pid=1884 comm="nautilus) interface="org.freedesktop.DBus.Properties" member="GetAll" error name="(unset)" requested_reply=0 destination=":1.14" (uid=0 pid=1540 comm="/usr/sbin/console-kit-daemon))

A bunch of messages from earlier:

Jan 27 23:49:37 amit-x200 setroubleshoot: SELinux is preventing /usr/lib64/xulrunner-1.9.2/mozilla-xremote-client from open access on the file /etc/resolv.conf. For complete SELinux messages. run sealert -l baac3351-b971-4570-ad7f-3826e3ba964d
Jan 27 23:49:37 amit-x200 setroubleshoot: SELinux is preventing /usr/lib64/xulrunner-1.9.2/mozilla-xremote-client from open access on the file /etc/hosts. For complete SELinux messages. run sealert -l baac3351-b971-4570-ad7f-3826e3ba964d
Jan 27 23:49:37 amit-x200 setroubleshoot: SELinux is preventing /usr/lib64/xulrunner-1.9.2/mozilla-xremote-client from create access on the udp_socket port None. For complete SELinux messages. run sealert -l 845ff1a9-f82a-42cc-86b6-ebd1a9d39249
Jan 27 23:49:37 amit-x200 setroubleshoot: SELinux is preventing /usr/lib64/xulrunner-1.9.2/mozilla-xremote-client from create access on the netlink_route_socket Unknown. For complete SELinux messages. run sealert -l 3ff75947-5394-4137-a7a3-03a1c89afe34
Jan 27 23:49:37 amit-x200 setroubleshoot: SELinux is preventing /usr/lib64/xulrunner-1.9.2/mozilla-xremote-client from open access on the file /etc/hosts. For complete SELinux messages. run sealert -l baac3351-b971-4570-ad7f-3826e3ba964d
Jan 27 23:49:37 amit-x200 setroubleshoot: SELinux is preventing /usr/lib64/xulrunner-1.9.2/mozilla-xremote-client from create access on the udp_socket port None. For complete SELinux messages. run sealert -l 845ff1a9-f82a-42cc-86b6-ebd1a9d39249
Jan 27 23:49:37 amit-x200 setroubleshoot: SELinux is preventing /usr/lib64/xulrunner-1.9.2/mozilla-xremote-client from create access on the netlink_route_socket Unknown. For complete SELinux messages. run sealert -l 3ff75947-5394-4137-a7a3-03a1c89afe34
Jan 27 23:49:37 amit-x200 setroubleshoot: SELinux is preventing /usr/lib64/xulrunner-1.9.2/mozilla-xremote-client from open access on the file /etc/hosts. For complete SELinux messages. run sealert -l baac3351-b971-4570-ad7f-3826e3ba964d
Jan 27 23:49:37 amit-x200 setroubleshoot: SELinux is preventing /usr/lib64/xulrunner-1.9.2/mozilla-xremote-client from create access on the udp_socket port None. For complete SELinux messages. run sealert -l 845ff1a9-f82a-42cc-86b6-ebd1a9d39249
Jan 27 23:49:37 amit-x200 setroubleshoot: SELinux is preventing /usr/lib64/xulrunner-1.9.2/mozilla-xremote-client from connectto access on the unix_stream_socket @/tmp/.X11-unix/X0. For complete SELinux messages. run sealert -l 3caf736b-9ca7-43b0-9732-ea58f4053b70
Jan 27 23:49:37 amit-x200 setroubleshoot: SELinux is preventing /usr/lib64/xulrunner-1.9.2/mozilla-xremote-client from create access on the netlink_route_socket Unknown. For complete SELinux messages. run sealert -l 3ff75947-5394-4137-a7a3-03a1c89afe34
Jan 27 23:49:38 amit-x200 setroubleshoot: SELinux is preventing /usr/lib64/xulrunner-1.9.2/mozilla-xremote-client from open access on the file /etc/hosts. For complete SELinux messages. run sealert -l baac3351-b971-4570-ad7f-3826e3ba964d
Jan 27 23:49:38 amit-x200 setroubleshoot: SELinux is preventing /usr/lib64/xulrunner-1.9.2/mozilla-xremote-client from create access on the udp_socket port None. For complete SELinux messages. run sealert -l 845ff1a9-f82a-42cc-86b6-ebd1a9d39249
Jan 27 23:49:38 amit-x200 setroubleshoot: SELinux is preventing /usr/lib64/xulrunner-1.9.2/mozilla-xremote-client from create access on the netlink_route_socket Unknown. For complete SELinux messages. run sealert -l 3ff75947-5394-4137-a7a3-03a1c89afe34
Jan 27 23:49:38 amit-x200 setroubleshoot: SELinux is preventing /usr/lib64/xulrunner-1.9.2/mozilla-xremote-client from open access on the file /etc/hosts. For complete SELinux messages. run sealert -l baac3351-b971-4570-ad7f-3826e3ba964d
Jan 27 23:49:38 amit-x200 setroubleshoot: SELinux is preventing /usr/lib64/xulrunner-1.9.2/mozilla-xremote-client from create access on the udp_socket port None. For complete SELinux messages. run sealert -l 845ff1a9-f82a-42cc-86b6-ebd1a9d39249
Jan 27 23:49:38 amit-x200 setroubleshoot: SELinux is preventing /usr/lib64/xulrunner-1.9.2/mozilla-xremote-client from create access on the netlink_route_socket Unknown. For complete SELinux messages. run sealert -l 3ff75947-5394-4137-a7a3-03a1c89afe34
Jan 27 23:49:38 amit-x200 setroubleshoot: SELinux is preventing /usr/lib64/xulrunner-1.9.2/mozilla-xremote-client from open access on the file /etc/hosts. For complete SELinux messages. run sealert -l baac3351-b971-4570-ad7f-3826e3ba964d
Jan 27 23:49:38 amit-x200 setroubleshoot: SELinux is preventing /usr/lib64/xulrunner-1.9.2/mozilla-xremote-client from create access on the udp_socket port None. For complete SELinux messages. run sealert -l 845ff1a9-f82a-42cc-86b6-ebd1a9d39249


On clicking the desktop sealert icon, I didn't get any window, but on manually running sealert, I get some AVCs.  Pasting one of them (all of these correspond to the times above in /var/log/messages for firefox).

SELinux is preventing /usr/lib64/nspluginwrapper/plugin-config from using the setgid capability.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that plugin-config should have the setgid capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep plugin-config /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:sandbox_t:s0:c42,c409
Target Context                unconfined_u:unconfined_r:sandbox_t:s0:c42,c409
Target Objects                Unknown [ capability ]
Source                        plugin-config
Source Path                   /usr/lib64/nspluginwrapper/plugin-config
Port                          <Unknown>
Host                          amit-x200.redhat.com
Source RPM Packages           nspluginwrapper-1.3.0-15.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-25.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     amit-x200.redhat.com
Platform                      Linux amit-x200.redhat.com
                              2.6.35.10-74.fc14.x86_64 #1 SMP Thu Dec 23
                              16:04:50 UTC 2010 x86_64 x86_64
Alert Count                   4
First Seen                    Thu 27 Jan 2011 11:49:31 PM IST
Last Seen                     Thu 27 Jan 2011 11:49:33 PM IST
Local ID                      147a2e16-42b4-48a8-af8c-f04ce085aa08

Raw Audit Messages
type=AVC msg=audit(1296152373.153:88): avc:  denied  { setgid } for  pid=4316 comm="plugin-config" capability=6  scontext=unconfined_u:unconfined_r:sandbox_t:s0:c42,c409 tcontext=unconfined_u:unconfined_r:sandbox_t:s0:c42,c409 tclass=capability


type=SYSCALL msg=audit(1296152373.153:88): arch=x86_64 syscall=setgid success=yes exit=0 a0=1f5 a1=3bcd19f1c0 a2=1 a3=7fd5557199f0 items=0 ppid=4250 pid=4316 auid=500 uid=500 gid=501 euid=0 suid=0 fsuid=0 egid=501 sgid=501 fsgid=501 tty=pts1 ses=1 comm=plugin-config exe=/usr/lib64/nspluginwrapper/plugin-config subj=unconfined_u:unconfined_r:sandbox_t:s0:c42,c409 key=(null)

Hash: plugin-config,sandbox_t,sandbox_t,capability,setgid

audit2allow

#============= sandbox_t ==============
allow sandbox_t self:capability setgid;

audit2allow -R

#============= sandbox_t ==============
allow sandbox_t self:capability setgid;

Comment 3 Mads Kiilerich 2011-02-01 19:50:55 UTC
I get the dbus_contexts Permission denied error too. This system has been upgraded several times and is now at F14 with updates. I just relabelled the system and created a new user.

[user@local ~]$ sandbox -X firefox
Failed to start message bus: Failed to open "/etc/selinux/targeted/contexts/dbus_contexts": Permission denied
EOF in dbus-launch reading address from bus daemon
Hangup

- but no SE messages or other syslog messages.

Strace on the sandbox command shows something that might be relevant:
...
[pid  2393] execve("/usr/sbin/seunshare", ["/usr/sbin/seunshare", "-Z", "unconfined_u:unconfined_r:sandbox_x_t:s0:c285,c397", "-t", "/tmp/.sandboxbEz9qw", "-h", "/home/user/.sandbox/.sandboxa9GtmT", "--", "/usr/share/sandbox/sandboxX.sh", "1000x700"], [/* 46 vars */] <unfinished ...>
...
[pid  2393] unshare(CLONE_NEWNS)        = -1 EPERM (Operation not permitted)
[pid  2393] dup(2)                      = 3
[pid  2393] fcntl64(3, F_GETFL)         = 0x8001 (flags O_WRONLY|O_LARGEFILE)
[pid  2393] close(3)                    = 0
[pid  2393] write(2, "Failed to unshare: Operation not permitted\n", 43Failed to unshare: Operation not permitted
) = 43
[pid  2393] exit_group(-1)              = ?
...

So there was a helpful error message but it was lost somewhere. Too bad.

unshare requires CAP_SYS_ADMIN, but it is suid root so I would expect it got the capability that way?

-rwsr-xr-x. root root system_u:object_r:seunshare_exec_t:s0 /usr/sbin/seunshare
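The question in the comment above, whether a setuid-root seunshare actually holds CAP_SYS_ADMIN when unshare(CLONE_NEWNS) fails with EPERM, can be checked directly. The following is an added example written for this bug report; it is not seunshare's code and not part of policycoreutils. It decodes the CapEff bitmask from /proc/self/status, then makes the same unshare(CLONE_NEWNS) call seunshare makes and reports errno on stderr instead of exiting silently. CAP_SYS_ADMIN (bit 21) and CLONE_NEWNS (0x20000) are the real kernel constants; the status text in the test is constructed. The practitioner's caveat: under SELinux, holding a capability is not enough, the process domain also needs the matching permission in the `capability` object class (the same class as the `setgid` denial in comment 2), so a setuid-root binary can have CAP_SYS_ADMIN in CapEff and still get EPERM.

```python
"""Diagnose why unshare(CLONE_NEWNS) fails: missing capability vs. a policy denial.

Added example for this bug; not seunshare's or policycoreutils' own code.
"""
import ctypes
import errno
import os
import sys

CAP_SYS_ADMIN = 21          # capability bit index from <linux/capability.h>
CLONE_NEWNS = 0x00020000    # flag value from <linux/sched.h>


def has_capability(cap_mask_hex, cap):
    """Return True if bit `cap` is set in a CapEff/CapPrm hex mask from /proc/<pid>/status."""
    return bool((int(cap_mask_hex, 16) >> cap) & 1)


def effective_caps(status_text):
    """Extract the CapEff hex mask from the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return line.split()[1]
    raise ValueError("no CapEff line in status text")


def try_unshare_mount_ns():
    """Call unshare(CLONE_NEWNS); return 0 on success or the errno value on failure."""
    libc = ctypes.CDLL(None, use_errno=True)
    unshare = getattr(libc, "unshare", None)
    if unshare is None:              # not a Linux libc
        return errno.ENOSYS
    if unshare(CLONE_NEWNS) == 0:
        return 0
    return ctypes.get_errno()


def diagnose():
    """Report the effective capability set next to the unshare result."""
    with open("/proc/self/status") as f:
        mask = effective_caps(f.read())
    have_cap = has_capability(mask, CAP_SYS_ADMIN)
    err = try_unshare_mount_ns()
    if err == 0:
        print("unshare(CLONE_NEWNS) succeeded")
    else:
        # seunshare printed exactly this message to fd 2, which is where it was lost.
        print(f"Failed to unshare: {os.strerror(err)} "
              f"(CAP_SYS_ADMIN in CapEff: {have_cap})", file=sys.stderr)
    return have_cap, err


if __name__ == "__main__":
    diagnose()
```

If CapEff shows the bit set and the call still returns EPERM on an SELinux system, look for a `capability` class denial (`ausearch -m AVC -c seunshare`); if there is none, remember that dontaudit rules can hide it, and `semodule -DB` temporarily disables them.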

Comment 4 Miroslav Grepl 2011-02-02 11:17:15 UTC
I have found a bug. 

Amit, Mads,
thanks for that.

Could you use the RPM from koji for now

http://koji.fedoraproject.org/koji/buildinfo?buildID=216612

I am going to submit a new update today.

Comment 5 Amit Shah 2011-02-02 12:32:56 UTC
That update works for me.

Thanks!

Comment 6 Mads Kiilerich 2011-02-02 12:52:32 UTC
Thanks.

It works better for me, but now firefox crashes. See bug 674545 with SE messages in attachment 476560.

Comment 7 Fedora Update System 2011-02-02 13:08:41 UTC
selinux-policy-3.9.7-28.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-28.fc14

Comment 8 Miroslav Grepl 2011-02-02 13:10:35 UTC
Mads,
does 

sandbox -X -t sandbox_web_t firefox

work for you?

Comment 9 Miroslav Grepl 2011-02-02 13:11:40 UTC
Amit,
could you update the karma?

Comment 10 Daniel Walsh 2011-02-02 13:21:31 UTC
sandbox -X firefox 

will blow up because the standard SELinux type does not allow connections to http ports, and I guess firefox does not handle this well.

Using sandbox_web_t for the type should allow the access.

Comment 11 Mads Kiilerich 2011-02-02 14:13:53 UTC
Yes, thanks, firefox and sandbox_web_t seem to work for me on one machine. Konqueror fails nicely with the default type, while firefox crashes as reported on bug 674545.

On another machine it fails creating .sandboxXXX. It might be related to bug 674548, but I don't think I can report success yet.

Comment 12 Fedora Update System 2011-02-02 19:31:36 UTC
selinux-policy-3.9.7-28.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'
You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-28.fc14

Comment 13 Fedora Update System 2011-02-03 20:25:45 UTC
selinux-policy-3.9.7-28.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 GV 2011-02-15 08:10:12 UTC
Still does not work for me. selinux-policy is version 3.9.7-29.
Nothing in /var/log/audit/audit.log. Nothing in /var/log/messages.

# sandbox -X xterm
Failed to start message bus: Failed to open "/etc/selinux/targeted/contexts/dbus_contexts": Permission denied
EOF in dbus-launch reading address from bus daemon
Hangup

Comment 15 Miroslav Grepl 2011-02-15 12:07:49 UTC
It works for me. 

Could you try to reinstall the policy and make sure nothing complains on reinstall?

Comment 16 GV 2011-02-15 12:42:18 UTC
(In reply to comment #15)
> It works for me. 
Well, I'm here because it does not work for me!

> Could you try to reinstall policy and make sure nothing complains on reinstall.
# yum reinstall selinux-policy-3.9.7-29.fc14.noarch selinux-policy-targeted-3.9.7-29.fc14.noarch
....
-----------------------------------------------------------------------------------------------------------------------
Total                                                                                  720 kB/s | 3.1 MB     00:04     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : selinux-policy-3.9.7-29.fc14.noarch                                                             1/2 
  Installing     : selinux-policy-targeted-3.9.7-29.fc14.noarch                                                    2/2 
yum-updatesd not on the bus

Installed:
  selinux-policy.noarch 0:3.9.7-29.fc14                 selinux-policy-targeted.noarch 0:3.9.7-29.fc14                

Complete!

/var/log/messages:
Feb 15 14:31:06 xxx yum[9462]: Installed: selinux-policy-3.9.7-29.fc14.noarch
Feb 15 14:32:49 xxx dbus: avc:  received policyload notice (seqno=2)
Feb 15 14:32:49 xxx dbus: avc:  received policyload notice (seqno=2)
Feb 15 14:32:53 xxx dbus: [system] Reloaded configuration
Feb 15 14:33:34 xxx yum[9462]: Installed: selinux-policy-targeted-3.9.7-29.fc14.noarch

Nothing relevant in /var/log/audit/audit.log

# sandbox -X xterm
Failed to start message bus: Failed to open "/etc/selinux/targeted/contexts/dbus_contexts": Permission denied
EOF in dbus-launch reading address from bus daemon
Hangup

Comment 17 GV 2011-02-15 17:00:36 UTC
I temporarily disabled SELinux (setenforce 0) and started sandbox -X xterm again. This time sandbox started xterm, but I have some denials in /var/log/audit/audit.log (there are none when SELinux is enforcing):

type=AVC msg=audit(1297788999.742:203): avc:  denied  { read } for  pid=3961 comm="dbus-daemon" name="dbus_contexts" dev=sda5 ino=70403014 scontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c203,c398 tcontext=system_u:object_r:default_context_t:s0 tclass=file
type=AVC msg=audit(1297788999.742:203): avc:  denied  { open } for  pid=3961 comm="dbus-daemon" name="dbus_contexts" dev=sda5 ino=70403014 scontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c203,c398 tcontext=system_u:object_r:default_context_t:s0 tclass=file
type=AVC msg=audit(1297788999.742:204): avc:  denied  { getattr } for  pid=3961 comm="dbus-daemon" path="/etc/selinux/targeted/contexts/dbus_contexts" dev=sda5 ino=70403014 scontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c203,c398 tcontext=system_u:object_r:default_context_t:s0 tclass=file
type=AVC msg=audit(1297788999.745:205): avc:  denied  { create } for  pid=3963 comm="dbus-daemon" scontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c203,c398 tcontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c203,c398 tclass=netlink_selinux_socket
type=AVC msg=audit(1297788999.746:206): avc:  denied  { bind } for  pid=3963 comm="dbus-daemon" scontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c203,c398 tcontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c203,c398 tclass=netlink_selinux_socket
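The denials above, and the sealert output in comment 2, show the translation audit2allow does from raw AVC records to `allow` rules. The following is an added example written for this bug report, not policycoreutils' own code: a small parser that groups denied permissions by (source type, target type, object class) and renders them in audit2allow's format, using `self` when source and target types are equal. The sample audit log is constructed from the AVC lines pasted in comments 2 and 17 (the SYSCALL record is truncated). The rules it produces describe what was denied, not what is safe to allow: in this bug the `setgid` and `default_context_t` denials were resolved by a policy update and the later `lib_t` denial by relabeling, so treat the output as a reading aid for the denial, not as a module to install unreviewed.

```python
"""Turn raw SELinux AVC denial records into audit2allow-style allow rules.

Added example for this bug; not part of policycoreutils or of any comment above.
"""
import re
from collections import defaultdict

# Constructed sample: AVC records copied from comments 2 and 17 of this bug,
# plus one truncated SYSCALL record that the parser must ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1296152373.153:88): avc:  denied  { setgid } for  pid=4316 comm="plugin-config" capability=6  scontext=unconfined_u:unconfined_r:sandbox_t:s0:c42,c409 tcontext=unconfined_u:unconfined_r:sandbox_t:s0:c42,c409 tclass=capability
type=SYSCALL msg=audit(1296152373.153:88): arch=x86_64 syscall=setgid success=yes exit=0 (truncated)
type=AVC msg=audit(1297788999.742:203): avc:  denied  { read } for  pid=3961 comm="dbus-daemon" name="dbus_contexts" dev=sda5 ino=70403014 scontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c203,c398 tcontext=system_u:object_r:default_context_t:s0 tclass=file
type=AVC msg=audit(1297788999.742:203): avc:  denied  { open } for  pid=3961 comm="dbus-daemon" name="dbus_contexts" dev=sda5 ino=70403014 scontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c203,c398 tcontext=system_u:object_r:default_context_t:s0 tclass=file
type=AVC msg=audit(1297788999.742:204): avc:  denied  { getattr } for  pid=3961 comm="dbus-daemon" path="/etc/selinux/targeted/contexts/dbus_contexts" dev=sda5 ino=70403014 scontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c203,c398 tcontext=system_u:object_r:default_context_t:s0 tclass=file
type=AVC msg=audit(1297788999.745:205): avc:  denied  { create } for  pid=3963 comm="dbus-daemon" scontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c203,c398 tcontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c203,c398 tclass=netlink_selinux_socket
type=AVC msg=audit(1297788999.746:206): avc:  denied  { bind } for  pid=3963 comm="dbus-daemon" scontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c203,c398 tcontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c203,c398 tclass=netlink_selinux_socket
"""

# One AVC record: decision, permission set, source/target contexts, object class.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC record; return None for non-AVC or granted records."""
    m = AVC_RE.search(line)
    if not m or m.group("decision") != "denied":
        return None
    return {
        "perms": set(m.group("perms").split()),
        "stype": type_of(m.group("scontext")),
        "ttype": type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def collect_denials(log_text):
    """Merge denied permissions per (source type, target type, object class)."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            merged[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return merged


def allow_rules(log_text):
    """Render merged denials as allow rules, `self` when source == target type."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(collect_denials(log_text).items()):
        target = "self" if stype == ttype else ttype
        ordered = sorted(perms)
        perm_str = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
        rules.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return rules


def render(log_text):
    """Print rules the way audit2allow does, with one header per source type."""
    out, current = [], None
    for rule in allow_rules(log_text):
        stype = rule.split()[1]
        if stype != current:
            out.append(f"\n#============= {stype} ==============")
            current = stype
    # rules are already sorted by source type, so headers come out grouped
        out.append(rule)
    return "\n".join(out).lstrip()


if __name__ == "__main__":
    print(render(SAMPLE_AUDIT_LOG))
```

A rule such as `allow sandbox_x_t default_context_t:file { getattr open read };` is the shape of what the policy fix in comment 24 had to grant; when the same failure happens in enforcing mode with an empty audit.log, as in comments 14 and 16, check whether a dontaudit rule is hiding the record (`semodule -DB` disables dontaudit rules, `semodule -B` restores them) before concluding that SELinux is not involved.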

Comment 18 Miroslav Grepl 2011-02-15 21:52:01 UTC
Gabriel,
could you add output of

# id -Z

Also could you try to execute

# yum reinstall policycoreutils-sandbox

Has it ever worked for you?

Comment 19 GV 2011-02-15 22:23:14 UTC
(In reply to comment #18)

> # id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

> Has it ever worked for you?
sandbox -X?
No. I tried it for the first time around 20-21 January 2011 and it did not work. I did not have time until now to investigate the problem.

Comment 20 Miroslav Grepl 2011-02-15 22:29:14 UTC
(In reply to comment #19)
> (In reply to comment #18)
> 
> > # id -Z
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> 

Oops, I meant 

# id

Comment 21 GV 2011-02-15 22:40:21 UTC
(In reply to comment #20)

> # id
uid=500(xxxx) gid=500(xxxx) groups=500(xxxx),10(wheel),501(vboxusers) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Comment 22 Mads Kiilerich 2011-02-16 14:09:45 UTC
A full relabeling might have made a difference for me.

Perhaps something like "restorecon -Rvn /" will report something interesting.

Comment 23 Daniel Walsh 2011-02-16 20:01:32 UTC
Gabriel VLASIU and I worked on this via IRC, and we found that his sandbox would not work until we allowed it to read the default_context file.

Comment 24 Miroslav Grepl 2011-02-17 08:38:50 UTC
Ok, added to selinux-policy-3.9.7-31.fc14

Comment 25 Daniel Walsh 2011-02-17 19:19:16 UTC
Could you grab the latest sandbox policy from Rawhide and back port it to F13 and F14.

Comment 26 Miroslav Grepl 2011-02-17 20:32:30 UTC
Changes should be in the latest F13 and F14 policy. 

Gabriel, you can test the policy from koji for now

http://koji.fedoraproject.org/koji/buildinfo?buildID=229190

Comment 27 GV 2011-02-18 08:03:17 UTC
(In reply to comment #26)
> Changes should be in the latest F13 and F14 policy. 
> 
> Gabriel, you can test the policy from koji for now
> 
> http://koji.fedoraproject.org/koji/buildinfo?buildID=229190
sandbox -X xterm works fine.
sandbox -X -t sandbox_web_t firefox does not start.
type=AVC msg=audit(1298008831.201:60): avc:  denied  { read } for  pid=2413 comm="sandboxX.sh" path="/home/gabriel/GNUstep/Defaults" dev=loop0 ino=140 scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c19,c51 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1298008831.857:61): avc:  denied  { create } for  pid=2435 comm="dbus-daemon" scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c19,c51 tcontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c19,c51 tclass=netlink_selinux_socket
type=AVC msg=audit(1298008832.031:62): avc:  denied  { execute_no_trans } for  pid=2431 comm="xulrunner" path="/usr/lib64/xulrunner-2/xulrunner" dev=sda2 ino=1692707 scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c19,c51 tcontext=system_u:object_r:lib_t:s0 tclass=file

Comment 28 Daniel Walsh 2011-02-18 14:43:22 UTC
restorecon -R -v /usr/lib64/xulrunner-2/xulrunner
matchpathcon /usr/lib64/xulrunner-2/xulrunner
/usr/lib64/xulrunner-2/xulrunner	system_u:object_r:bin_t:s0

The other one looks like it might be a leak.

Comment 29 Miroslav Grepl 2011-02-18 14:47:13 UTC
Actually I need to fix the labeling

# matchpathcon /usr/lib64/xulrunner-2/xulrunner
/usr/lib64/xulrunner-2/xulrunner	system_u:object_r:lib_t:s0

on F13, F14.

So try to test it using

chcon -t bin_t /usr/lib64/xulrunner-2/xulrunner

Comment 30 GV 2011-02-18 15:30:45 UTC
(In reply to comment #29)
> Actually I need to fix the labeling
> 
> # matchpathcon /usr/lib64/xulrunner-2/xulrunner
> /usr/lib64/xulrunner-2/xulrunner system_u:object_r:lib_t:s0
> 
> on F13, F14.
> 
> So try to test it using
> 
> chcon -t bin_t /usr/lib64/xulrunner-2/xulrunner
# ls -lZ /usr/lib64/xulrunner-2/xulrunner
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/lib64/xulrunner-2/xulrunner

type=AVC msg=audit(1298035763.595:21): avc:  denied  { execute_no_trans } for  pid=1217 comm="run-mozilla.sh" path="/usr/lib64/xulrunner-2/xulrunner-bin" dev=sda2 ino=1692708 scontext=unconfined_u:unconfined_r:sandbox_web_t:s0:c365,c993 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1298035763.595:21): arch=c000003e syscall=59 success=no exit=-13 a0=21b8ae0 a1=21c3f00 a2=21c3360 a3=7fff3c9cac60 items=0 ppid=1213 pid=1217 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="run-mozilla.sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:sandbox_web_t:s0:c365,c993 key=(null)

Comment 31 GV 2011-02-18 16:41:51 UTC
The problem is not the policy (I generated one via audit2allow in a hurry; it is available at https://www.vlasiu.net/selinux/sandboxI.te).

The real problem is the reboot.

I'm no longer able to umount the /home and /tmp partitions if I run sandbox -X multiple times. During the creation of sandboxI.te I had to reboot my computer via the power button, and not just once or twice.

My /home and /tmp are encrypted loop-AES partitions. Nothing special about the kernel; it is Fedora's (latest) kernel with a custom loop module. The /tmp partition is automatically formatted and mounted with a key valid until I reboot (I hacked rc.sysinit a bit). rc.sysinit also asks me if I want to mount the /home partition (noauto in /etc/fstab). If I say yes, I provide the password and the partition is mounted. And then /etc/init.d/sandbox starts (I activated this service recently) to test sandbox -X firefox.

If I run sandbox, I don't know, 10-15 times, seunshare goes crazy. Sometimes it keeps the processor at 100% for more than 10 minutes. Then hald takes the same path as seunshare: it runs for minutes with the CPU at 100%.

When this happens I'm not able to reboot, since netfs is trying to unmount the loop-AES mounted partitions and the unmount gets stuck. Once, before rebooting, I did an lsof -b and it kept showing something like this on screen:

lsof: WARNING: can't stat() xfs file system /home/gabriel
      Output information may be incomplete.
lsof: avoiding readlink(/home/gabriel): -b was specified.
lsof: avoiding stat(/home/gabriel): -b was specified.
lsof: WARNING: can't stat() xfs file system /home/gabriel
      Output information may be incomplete.
lsof: avoiding readlink(/tmp): -b was specified.
lsof: avoiding stat(/tmp): -b was specified.
lsof: WARNING: can't stat() xfs file system /tmp
      Output information may be incomplete.

It goes on saying this over and over again... and never exits.
The power button is required.

Now, today I saw something really strange. If I do not mount the /home partition at startup (ok, I do not provide a password, so it's not going to be mounted), then /etc/init.d/sandbox starts and asks me for the /home partition password. I provide the password and sandbox starts. Now...

# ls -l /home
#
Nothing. Strange.

# mount
/home on /home type none (rw,bind)
?????

# /etc/init.d/sandbox stop
Stopping sandbox                                           [  OK  ]

# mount
/home on /home type none (rw,bind)
????????

# losetup -a
/dev/loop0: [0005]:5503 (/dev/sda6) offset=8192 encryption=AES256 multi-key-v3
/dev/loop6: [0005]:5502 (/dev/sda5) encryption=AES256 multi-key-v3
loop0 - /home
loop6 - /tmp

# umount /home
# mount | grep home
# /etc/init.d/sandbox start
Starting sandbox                                           [FAILED]

So I think the two issues here are related. From now on, until it becomes clear what's going on, I'm only going to test this in a virtual machine.
What exactly does /etc/init.d/sandbox do?

Comment 32 Daniel Walsh 2011-02-18 20:24:22 UTC
One thing you might want to try: remove the sandbox init script. It is not needed anymore, I believe. It is only needed for pam_namespace/xguest, which you are probably not using. There is an open bug on pam_namespace to remove the requirement for this script altogether.

