Speaking about internet security with the guys in #fedora-selinux on Freenode, they suggested me to try to run firefox in a sandbox So I first did: #yum install policycoreutils-sandbox and then $sandbox -X -t sandbox_web_t firefox but I got a black screen with only X mouse pointer, and I got the following SELinux warning. SELinux is preventing /usr/bin/Xephyr from using the signal access on a process. ***** Plugin catchall (100. confidence) suggerisce**************************** Seyou believe that Xephyr should be allowed signal access on processes labeled sandbox_xserver_t by default. Quindiyou should report this as a bug. You can generate a local policy module to allow this access. Fai allow this access for now by executing: # grep Xephyr /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Informazioni addizionali: Contesto della sorgente unconfined_u:unconfined_r:sandbox_xserver_t:s0:c68 5,c767 Contesto target unconfined_u:unconfined_r:sandbox_xserver_t:s0:c68 5,c767 Oggetti target [ process ] Sorgente Xephyr Percorso della sorgente /usr/bin/Xephyr Porta <Sconosciuto> Host Magic-4 Sorgente Pacchetti RPM xorg-x11-server-Xephyr-1.11.4-1.fc16.x86_64 Pacchetti RPM target RPM della policy selinux-policy-3.10.0-75.fc16.noarch Selinux abilitato True Tipo di policy targeted Modalità Enforcing Enforcing Host Name Magic-4 Piattaforma Linux Magic-4 3.2.7-1.fc16.x86_64 #1 SMP Tue Feb 21 01:40:47 UTC 2012 x86_64 x86_64 Conteggio avvisi 1 Primo visto gio 01 mar 2012 10:05:28 CET Ultimo visto gio 01 mar 2012 10:05:28 CET ID locale Messaggi Raw Audit type=AVC msg=audit(1330592728.579:116): avc: denied { signal } for pid=4034 comm="Xephyr" scontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c685,c767 tcontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c685,c767 tclass=process type=SYSCALL msg=audit(1330592728.579:116): arch=x86_64 syscall=tgkill success=no exit=EACCES a0=fc2 a1=fc2 a2=22 a3=0 items=0 ppid=4027 pid=4034 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=Xephyr exe=/usr/bin/Xephyr subj=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c685,c767 key=(null) Hash: Xephyr,sandbox_xserver_t,sandbox_xserver_t,process,signal audit2allow #============= sandbox_xserver_t ============== allow sandbox_xserver_t self:process signal; audit2allow -R #============= sandbox_xserver_t ============== allow sandbox_xserver_t self:process signal; After that they asked me if I was using KDE (yes) so suggested me to use sandbox -t sandbox_web_t -W metacity -w 1672x968 -X firefox and it worked but it generated the same SELinux warning SELinux is preventing /usr/bin/Xephyr from using the signal access on a process. ***** Plugin catchall (100. confidence) suggerisce**************************** Seyou believe that Xephyr should be allowed signal access on processes labeled sandbox_xserver_t by default. Quindiyou should report this as a bug. You can generate a local policy module to allow this access. Fai allow this access for now by executing: # grep Xephyr /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Informazioni addizionali: Contesto della sorgente unconfined_u:unconfined_r:sandbox_xserver_t:s0:c21 6,c791 Contesto target unconfined_u:unconfined_r:sandbox_xserver_t:s0:c21 6,c791 Oggetti target [ process ] Sorgente Xephyr Percorso della sorgente /usr/bin/Xephyr Porta <Sconosciuto> Host Magic-4 Sorgente Pacchetti RPM xorg-x11-server-Xephyr-1.11.4-1.fc16.x86_64 Pacchetti RPM target RPM della policy selinux-policy-3.10.0-75.fc16.noarch Selinux abilitato True Tipo di policy targeted Modalità Enforcing Enforcing Host Name Magic-4 Piattaforma Linux Magic-4 3.2.7-1.fc16.x86_64 #1 SMP Tue Feb 21 01:40:47 UTC 2012 x86_64 x86_64 Conteggio avvisi 1 Primo visto gio 01 mar 2012 10:20:03 CET Ultimo visto gio 01 mar 2012 10:20:03 CET ID locale Messaggi Raw Audit type=AVC msg=audit(1330593603.991:118): avc: denied { signal } for pid=4420 comm="Xephyr" scontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c216,c791 tcontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c216,c791 tclass=process type=SYSCALL msg=audit(1330593603.991:118): arch=x86_64 syscall=tgkill success=no exit=EACCES a0=1144 a1=1144 a2=22 a3=0 items=0 ppid=4413 pid=4420 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=Xephyr exe=/usr/bin/Xephyr subj=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c216,c791 key=(null) Hash: Xephyr,sandbox_xserver_t,sandbox_xserver_t,process,signal audit2allow #============= sandbox_xserver_t ============== allow sandbox_xserver_t self:process signal; audit2allow -R #============= sandbox_xserver_t ============== allow sandbox_xserver_t self:process signal; Additional infos: KDE 4.7 nVidia drivers 290.10
Could you run it this way $ sandbox -X -t sandbox_web_t firefox -W metacity Xephyr does not work for a reason.
Black screen plus selinux warning
sorry black X window, not entire screen
Does it work in permissive mode? $ setenfroce 0 $ sandbox -X -t sandbox_web_t firefox -W metacity
no it doesn't
Any errors or warnings in your terminal?
In terminal not, I had another SELinux warning SELinux is preventing /usr/bin/Xephyr from using the signal access on a process. ***** Plugin catchall (100. confidence) suggerisce**************************** Seyou believe that Xephyr should be allowed signal access on processes labeled sandbox_xserver_t by default. Quindiyou should report this as a bug. You can generate a local policy module to allow this access. Fai allow this access for now by executing: # grep Xephyr /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Informazioni addizionali: Contesto della sorgente unconfined_u:unconfined_r:sandbox_xserver_t:s0:c48 8,c623 Contesto target unconfined_u:unconfined_r:sandbox_xserver_t:s0:c48 8,c623 Oggetti target [ process ] Sorgente Xephyr Percorso della sorgente /usr/bin/Xephyr Porta <Sconosciuto> Host Magic-4 Sorgente Pacchetti RPM xorg-x11-server-Xephyr-1.11.4-1.fc16.x86_64 Pacchetti RPM target RPM della policy selinux-policy-3.10.0-75.fc16.noarch Selinux abilitato True Tipo di policy targeted Modalità Enforcing Permissive Host Name Magic-4 Piattaforma Linux Magic-4 3.2.7-1.fc16.x86_64 #1 SMP Tue Feb 21 01:40:47 UTC 2012 x86_64 x86_64 Conteggio avvisi 1 Primo visto gio 01 mar 2012 13:23:45 CET Ultimo visto gio 01 mar 2012 13:23:45 CET ID locale Messaggi Raw Audit type=AVC msg=audit(1330604625.927:147): avc: denied { signal } for pid=5873 comm="Xephyr" scontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c488,c623 tcontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c488,c623 tclass=process type=SYSCALL msg=audit(1330604625.927:147): arch=x86_64 syscall=tgkill success=yes exit=0 a0=16f1 a1=16f1 a2=22 a3=0 items=0 ppid=5864 pid=5873 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=Xephyr exe=/usr/bin/Xephyr subj=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c488,c623 key=(null) Hash: Xephyr,sandbox_xserver_t,sandbox_xserver_t,process,signal audit2allow #============= sandbox_xserver_t ============== allow sandbox_xserver_t self:process signal; audit2allow -R #============= sandbox_xserver_t ============== allow sandbox_xserver_t self:process signal;
I see no reason not to allow this.
Yes, but I am trying to figure out why it does not work also in permissive mode.
Try sandbox -X -t sandbox_web_t -W metacity firefox
(In reply to comment #10) > Try > > sandbox -X -t sandbox_web_t -W metacity firefox comment #1 and #2
Except you had firefox -W metacity Rather then -W metacity firefox Meaning the sandbox never saw the alternate window manager.
Ah, you are right.
Have I to do some other special tries?
No, just use $ sandbox -X -t sandbox_web_t -W metacity firefox
it works but it gives the warning
selinux-policy-3.10.0-80.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/FEDORA-2012-2733/selinux-policy-3.10.0-80.fc16
Package selinux-policy-3.10.0-80.fc16: * should fix your issue, * was pushed to the Fedora 16 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-80.fc16' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-2733/selinux-policy-3.10.0-80.fc16 then log in and leave karma (feedback).
While doing rpm -Uvh --force http://kojipkgs.fedoraproject.org/packages/selinux-policy/3.10.0/81.fc16/noarch/selinux-policy-3.10.0-81.fc16.noarch.rpm http://kojipkgs.fedoraproject.org/packages/selinux-policy/3.10.0/81.fc16/noarch/selinux-policy-targeted-3.10.0-81.fc16.noarch.rpm I obtained /usr/share/selinux/devel/include/apps/jockey.if: Syntax error on line 194666 jockey_cache_t [type=IDENTIFIER] After testing I will relase the karma point
selinux-policy-3.10.0-80.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
Well done $sandbox -X -t sandbox_web_t -W metacity firefox works well