Bug 798916 - SELinux is preventing /usr/bin/Xephyr from using the signal access on a process.
SELinux is preventing /usr/bin/Xephyr from using the signal access on a process.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
16
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-03-01 04:22 EST by Germano Massullo
Modified: 2012-03-24 07:08 EDT (History)
3 users (show)

See Also:
Fixed In Version: selinux-policy-3.10.0-80.fc16
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-03-23 20:37:08 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Germano Massullo 2012-03-01 04:22:04 EST
Speaking about internet security with the guys in #fedora-selinux on Freenode, they suggested me to try to run firefox in a sandbox

So I first did:
#yum install policycoreutils-sandbox
and then
$sandbox -X -t sandbox_web_t firefox

but I got a black screen with only X mouse pointer, and I got the following SELinux warning.

SELinux is preventing /usr/bin/Xephyr from using the signal access on a process.

***** Plugin catchall (100. confidence) suggerisce****************************

Seyou believe that Xephyr should be allowed signal access on processes labeled sandbox_xserver_t by default.
Quindiyou should report this as a bug.
You can generate a local policy module to allow this access.
Fai
allow this access for now by executing:
# grep Xephyr /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Informazioni addizionali:
Contesto della sorgente       unconfined_u:unconfined_r:sandbox_xserver_t:s0:c68
                              5,c767
Contesto target               unconfined_u:unconfined_r:sandbox_xserver_t:s0:c68
                              5,c767
Oggetti target                 [ process ]
Sorgente                      Xephyr
Percorso della sorgente       /usr/bin/Xephyr
Porta                         <Sconosciuto>
Host                          Magic-4
Sorgente Pacchetti RPM        xorg-x11-server-Xephyr-1.11.4-1.fc16.x86_64
Pacchetti RPM target          
RPM della policy              selinux-policy-3.10.0-75.fc16.noarch
Selinux abilitato             True
Tipo di policy                targeted
Modalità Enforcing            Enforcing
Host Name                     Magic-4
Piattaforma                   Linux Magic-4 3.2.7-1.fc16.x86_64 #1 SMP Tue Feb
                              21 01:40:47 UTC 2012 x86_64 x86_64
Conteggio avvisi              1
Primo visto                   gio 01 mar 2012 10:05:28 CET
Ultimo visto                  gio 01 mar 2012 10:05:28 CET
ID locale                     

Messaggi Raw Audit
type=AVC msg=audit(1330592728.579:116): avc:  denied  { signal } for  pid=4034 comm="Xephyr" scontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c685,c767 tcontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c685,c767 tclass=process


type=SYSCALL msg=audit(1330592728.579:116): arch=x86_64 syscall=tgkill success=no exit=EACCES a0=fc2 a1=fc2 a2=22 a3=0 items=0 ppid=4027 pid=4034 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=Xephyr exe=/usr/bin/Xephyr subj=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c685,c767 key=(null)

Hash: Xephyr,sandbox_xserver_t,sandbox_xserver_t,process,signal

audit2allow

#============= sandbox_xserver_t ==============
allow sandbox_xserver_t self:process signal;

audit2allow -R

#============= sandbox_xserver_t ==============
allow sandbox_xserver_t self:process signal;



After that they asked me if I was using KDE (yes) so suggested me to use
sandbox -t sandbox_web_t  -W metacity -w 1672x968 -X firefox 
and it worked but it generated the same SELinux warning

SELinux is preventing /usr/bin/Xephyr from using the signal access on a process.

***** Plugin catchall (100. confidence) suggerisce****************************

Seyou believe that Xephyr should be allowed signal access on processes labeled sandbox_xserver_t by default.
Quindiyou should report this as a bug.
You can generate a local policy module to allow this access.
Fai
allow this access for now by executing:
# grep Xephyr /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Informazioni addizionali:
Contesto della sorgente       unconfined_u:unconfined_r:sandbox_xserver_t:s0:c21
                              6,c791
Contesto target               unconfined_u:unconfined_r:sandbox_xserver_t:s0:c21
                              6,c791
Oggetti target                 [ process ]
Sorgente                      Xephyr
Percorso della sorgente       /usr/bin/Xephyr
Porta                         <Sconosciuto>
Host                          Magic-4
Sorgente Pacchetti RPM        xorg-x11-server-Xephyr-1.11.4-1.fc16.x86_64
Pacchetti RPM target          
RPM della policy              selinux-policy-3.10.0-75.fc16.noarch
Selinux abilitato             True
Tipo di policy                targeted
Modalità Enforcing            Enforcing
Host Name                     Magic-4
Piattaforma                   Linux Magic-4 3.2.7-1.fc16.x86_64 #1 SMP Tue Feb
                              21 01:40:47 UTC 2012 x86_64 x86_64
Conteggio avvisi              1
Primo visto                   gio 01 mar 2012 10:20:03 CET
Ultimo visto                  gio 01 mar 2012 10:20:03 CET
ID locale                     

Messaggi Raw Audit
type=AVC msg=audit(1330593603.991:118): avc:  denied  { signal } for  pid=4420 comm="Xephyr" scontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c216,c791 tcontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c216,c791 tclass=process


type=SYSCALL msg=audit(1330593603.991:118): arch=x86_64 syscall=tgkill success=no exit=EACCES a0=1144 a1=1144 a2=22 a3=0 items=0 ppid=4413 pid=4420 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=Xephyr exe=/usr/bin/Xephyr subj=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c216,c791 key=(null)

Hash: Xephyr,sandbox_xserver_t,sandbox_xserver_t,process,signal

audit2allow

#============= sandbox_xserver_t ==============
allow sandbox_xserver_t self:process signal;

audit2allow -R

#============= sandbox_xserver_t ==============
allow sandbox_xserver_t self:process signal;





Additional infos:
KDE 4.7
nVidia drivers 290.10
Comment 1 Miroslav Grepl 2012-03-01 06:58:22 EST
Could you run it this way

$ sandbox -X -t sandbox_web_t firefox -W metacity

Xephyr does not work for a reason.
Comment 2 Germano Massullo 2012-03-01 07:07:18 EST
Black screen plus selinux warning
Comment 3 Germano Massullo 2012-03-01 07:07:45 EST
sorry black X window, not entire screen
Comment 4 Miroslav Grepl 2012-03-01 07:12:58 EST
Does it work in permissive mode?

$ setenfroce 0
$ sandbox -X -t sandbox_web_t firefox -W metacity
Comment 5 Germano Massullo 2012-03-01 07:24:22 EST
no it doesn't
Comment 6 Miroslav Grepl 2012-03-01 07:26:56 EST
Any errors or warnings in your terminal?
Comment 7 Germano Massullo 2012-03-01 07:37:31 EST
In terminal not, I had another SELinux warning


SELinux is preventing /usr/bin/Xephyr from using the signal access on a process.

***** Plugin catchall (100. confidence) suggerisce****************************

Seyou believe that Xephyr should be allowed signal access on processes labeled sandbox_xserver_t by default.
Quindiyou should report this as a bug.
You can generate a local policy module to allow this access.
Fai
allow this access for now by executing:
# grep Xephyr /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Informazioni addizionali:
Contesto della sorgente       unconfined_u:unconfined_r:sandbox_xserver_t:s0:c48
                              8,c623
Contesto target               unconfined_u:unconfined_r:sandbox_xserver_t:s0:c48
                              8,c623
Oggetti target                 [ process ]
Sorgente                      Xephyr
Percorso della sorgente       /usr/bin/Xephyr
Porta                         <Sconosciuto>
Host                          Magic-4
Sorgente Pacchetti RPM        xorg-x11-server-Xephyr-1.11.4-1.fc16.x86_64
Pacchetti RPM target          
RPM della policy              selinux-policy-3.10.0-75.fc16.noarch
Selinux abilitato             True
Tipo di policy                targeted
Modalità Enforcing            Permissive
Host Name                     Magic-4
Piattaforma                   Linux Magic-4 3.2.7-1.fc16.x86_64 #1 SMP Tue Feb
                              21 01:40:47 UTC 2012 x86_64 x86_64
Conteggio avvisi              1
Primo visto                   gio 01 mar 2012 13:23:45 CET
Ultimo visto                  gio 01 mar 2012 13:23:45 CET
ID locale                     

Messaggi Raw Audit
type=AVC msg=audit(1330604625.927:147): avc:  denied  { signal } for  pid=5873 comm="Xephyr" scontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c488,c623 tcontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c488,c623 tclass=process


type=SYSCALL msg=audit(1330604625.927:147): arch=x86_64 syscall=tgkill success=yes exit=0 a0=16f1 a1=16f1 a2=22 a3=0 items=0 ppid=5864 pid=5873 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=Xephyr exe=/usr/bin/Xephyr subj=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c488,c623 key=(null)

Hash: Xephyr,sandbox_xserver_t,sandbox_xserver_t,process,signal

audit2allow

#============= sandbox_xserver_t ==============
allow sandbox_xserver_t self:process signal;

audit2allow -R

#============= sandbox_xserver_t ==============
allow sandbox_xserver_t self:process signal;
Comment 8 Daniel Walsh 2012-03-01 09:58:51 EST
I see no reason not to allow this.
Comment 9 Miroslav Grepl 2012-03-02 02:46:36 EST
Yes, but I am trying to figure out why it does not work also in permissive mode.
Comment 10 Daniel Walsh 2012-03-02 07:48:58 EST
Try

sandbox -X -t sandbox_web_t -W metacity firefox
Comment 11 Miroslav Grepl 2012-03-02 10:00:07 EST
(In reply to comment #10)
> Try
> 
> sandbox -X -t sandbox_web_t -W metacity firefox

comment #1 and #2
Comment 12 Daniel Walsh 2012-03-02 15:00:01 EST
Except you had

firefox -W metacity

Rather then

-W metacity firefox

Meaning the sandbox never saw the alternate window manager.
Comment 13 Miroslav Grepl 2012-03-02 18:01:24 EST
Ah, you are right.
Comment 14 Germano Massullo 2012-03-03 03:01:17 EST
Have I to do some other special tries?
Comment 15 Miroslav Grepl 2012-03-05 03:56:23 EST
No, just use

$ sandbox -X -t sandbox_web_t -W metacity firefox
Comment 16 Germano Massullo 2012-03-05 04:41:23 EST
it works but it gives the warning
Comment 17 Fedora Update System 2012-03-13 08:25:49 EDT
selinux-policy-3.10.0-80.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/FEDORA-2012-2733/selinux-policy-3.10.0-80.fc16
Comment 18 Fedora Update System 2012-03-20 22:24:58 EDT
Package selinux-policy-3.10.0-80.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-80.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-2733/selinux-policy-3.10.0-80.fc16
then log in and leave karma (feedback).
Comment 19 Germano Massullo 2012-03-22 09:10:10 EDT
While doing

rpm -Uvh --force http://kojipkgs.fedoraproject.org/packages/selinux-policy/3.10.0/81.fc16/noarch/selinux-policy-3.10.0-81.fc16.noarch.rpm http://kojipkgs.fedoraproject.org/packages/selinux-policy/3.10.0/81.fc16/noarch/selinux-policy-targeted-3.10.0-81.fc16.noarch.rpm

I obtained
/usr/share/selinux/devel/include/apps/jockey.if: Syntax error on line 194666 jockey_cache_t [type=IDENTIFIER]

After testing I will relase the karma point
Comment 20 Fedora Update System 2012-03-23 20:37:08 EDT
selinux-policy-3.10.0-80.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 21 Germano Massullo 2012-03-24 07:08:55 EDT
Well done
$sandbox -X -t sandbox_web_t -W metacity firefox
works well

Note You need to log in before you can comment on or make changes to this bug.