Bug 857709 - Cannot run xvfb-run in mock with SELinux set to enforcing, targeted
Summary: Cannot run xvfb-run in mock with SELinux set to enforcing, targeted
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 18
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks: 970205
 
Reported: 2012-09-16 11:48 UTC by Michel Lind
Modified: 2013-06-03 16:53 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 970205 (view as bug list)
Environment:
Last Closed: 2013-02-24 09:01:22 UTC
Type: Bug
Embargoed:


Attachments
xauth SELinux errors when running xvfb-run inside mock (45.08 KB, image/png), 2012-09-16 11:48 UTC, Michel Lind
Additional audit.log lines generated by running xvfb-run inside mock (5.31 KB, patch), 2012-09-28 07:00 UTC, Michel Lind

Description Michel Lind 2012-09-16 11:48:09 UTC
Created attachment 613406 [details]
xauth SELinux errors when running xvfb-run inside mock

Description of problem:
I'm trying to rebuild a package that requires access to the display during its build and test process, and thus needs to use xvfb-run during the package building process.

This works fine on the Koji build servers, and locally using mock after using 'setenforce 0', but fails if SELinux is set to the default of enforcing, policy=targeted.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.10.0-146.fc17.noarch
mock-1.1.26-2.fc17.noarch
xorg-x11-xauth-1.0.7-1.fc17.x86_64 (inside mock)
xorg-x11-server-Xvfb-1.12.3-1.fc17 (inside mock)

How reproducible:
Always

Steps to Reproduce:
1. mock -r fedora-17-<any> init
2. mock -r fedora-17-<any> install xauth xvfb 
3. mock shell
4. xvfb-run true
5. echo $?
  
Actual results:
Return code is 127 instead of 0. If a real command is run (e.g. make) xvfb-run returns immediately without printing anything. Also test with dataquay (review request: https://bugzilla.redhat.com/show_bug.cgi?id=857705)

Expected results:
xvfb-run runs the provided command normally, providing normal output and returning the command's exit status.

Additional info:
See attached screenshot for the errors caught by the SELinux troubleshooter.

Comment 1 Miroslav Grepl 2012-09-17 07:59:11 UTC
Could you attach raw AVC msgs from the /var/log/audit/audit.log file?

Comment 2 Michel Lind 2012-09-28 07:00:04 UTC
Created attachment 618440 [details]
Additional audit.log lines generated by running xvfb-run inside mock

Sure. This is for Fedora 18; my Fedora 17 machine is at home, but the failure is identical.

Comment 3 Joachim Katzer 2013-01-03 19:44:24 UTC
Same problem on RHEL6 and mock-1.1.28-1.el6 from EPEL.

Problem cannot be solved by a policy module generated by audit2allow because xauth (inside mock, called by xvfb-run) tries to access unlabelled files, generated during a mock build.

Comment 4 Daniel Walsh 2013-02-20 04:55:42 UTC
Well, I don't understand the comment about xauth audit2allow not being allowed to generate a policy for this, since it looks like all you need is:

allow xauth_t mock_var_lib_t:chr_file append;

More importantly we don't want mock_t transitioning to any other processes.  The question I have is how is the xauth_t processes starting.

sesearch -T -s mock_t
Found 13 semantic te rules:
   type_transition mock_t mock_build_exec_t : process mock_build_t; 
   type_transition mock_t mock_tmp_t : process mock_build_t; 
   type_transition mock_t tmp_t : file mock_tmp_t; 
   type_transition mock_t tmp_t : dir mock_tmp_t; 
   type_transition mock_t tmp_t : lnk_file mock_tmp_t; 
   type_transition mock_t var_t : file mock_cache_t; 
   type_transition mock_t var_t : dir mock_cache_t; 
   type_transition mock_t abrt_helper_exec_t : process abrt_helper_t; 
   type_transition mock_t mount_exec_t : process mount_t; 
   type_transition mock_t fusermount_exec_t : process mount_t; 
   type_transition mock_t var_lib_t : file mock_var_lib_t; 
   type_transition mock_t var_lib_t : dir mock_var_lib_t; 
   type_transition mock_t mock_var_lib_t : process mock_build_t; 

(I have just removed the transition to mount_t in Rawhide.)

sesearch -T -s mock_build_t 
Found 7 semantic te rules:
   type_transition mock_build_t var_lib_t : file mock_var_lib_t; 
   type_transition mock_build_t var_lib_t : dir mock_var_lib_t; 
   type_transition mock_build_t tmp_t : file mock_tmp_t; 
   type_transition mock_build_t tmp_t : dir mock_tmp_t; 
   type_transition mock_build_t var_t : file mock_cache_t; 
   type_transition mock_build_t var_t : dir mock_cache_t; 
   type_transition mock_build_t abrt_helper_exec_t : process abrt_helper_t;

Comment 5 Daniel Walsh 2013-02-20 07:44:47 UTC
Thinking a little more about this.  When you execute mock shell the context is probably running as unconfined_t.

sesearch -T -s unconfined_t -t  xauth_exec_t
Found 1 semantic te rules:
   type_transition unconfined_t xauth_exec_t : process xauth_t; 


If unconfined_t executed an xauth_exec_t program then we could have this transition happen.
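The reasoning in comments 4 and 5 (does any chain of process transitions lead from mock_t or mock_build_t into xauth_t, or only from unconfined_t?) can be checked mechanically against `sesearch -T` output. The following is an added example, not code from the bug or from the selinux-policy project; the input is a constructed subset of the rules quoted above, and the parser and search are assumptions about how one would automate the check.

```python
import re
from collections import defaultdict

# Constructed input: a subset of the type_transition rules quoted in
# comments 4 and 5, as printed by "sesearch -T". Non-rule lines such as
# the "Found N semantic te rules:" headers are skipped by the parser.
SESEARCH_OUTPUT = """\
Found 13 semantic te rules:
   type_transition mock_t mock_build_exec_t : process mock_build_t;
   type_transition mock_t mock_tmp_t : process mock_build_t;
   type_transition mock_t tmp_t : file mock_tmp_t;
   type_transition mock_t abrt_helper_exec_t : process abrt_helper_t;
   type_transition mock_t mount_exec_t : process mount_t;
   type_transition mock_t mock_var_lib_t : process mock_build_t;
Found 7 semantic te rules:
   type_transition mock_build_t abrt_helper_exec_t : process abrt_helper_t;
Found 1 semantic te rules:
   type_transition unconfined_t xauth_exec_t : process xauth_t;
"""

RULE_RE = re.compile(
    r"^\s*type_transition\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(\S+)\s*;")

def parse_transitions(text):
    """Return {source_domain: [(exec_type, target_domain), ...]} built
    from the ':process' type_transition rules only; the file/dir/lnk_file
    labelling rules in the same output are not domain transitions."""
    graph = defaultdict(list)
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m and m.group(3) == "process":
            src, exec_type, _cls, target = m.groups()
            graph[src].append((exec_type, target))
    return graph

def transition_path(graph, start, goal):
    """Breadth-first search for a chain of domain transitions from `start`
    to `goal`. Returns the hops as (domain, exec_type, next_domain) tuples,
    or None when no chain of transitions reaches `goal`."""
    queue = [(start, [])]
    seen = {start}
    while queue:
        domain, path = queue.pop(0)
        if domain == goal:
            return path
        for exec_type, nxt in graph.get(domain, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(domain, exec_type, nxt)]))
    return None
```

With the rules above, no path leads from mock_t or mock_build_t to xauth_t, while unconfined_t reaches it in one hop through xauth_exec_t, which is the observation behind comment 5.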

Comment 6 Miroslav Grepl 2013-02-20 10:28:17 UTC
Backported.

Comment 7 Miroslav Grepl 2013-02-20 10:28:53 UTC
Ah, wrong bug number.

Comment 8 Fedora Update System 2013-02-22 08:22:10 UTC
selinux-policy-3.11.1-81.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-81.fc18

Comment 9 Fedora Update System 2013-02-24 09:01:25 UTC
selinux-policy-3.11.1-81.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

