Created attachment 613406
xauth SELinux errors when running xvfb-run inside mock

Description of problem:
I'm trying to rebuild a package that requires access to the display during its build and test process, and thus needs to use xvfb-run during the package building process. This works fine on the Koji build servers, and locally using mock after using 'setenforce 0', but fails if SELinux is set to the default of enforcing, policy=targeted.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.10.0-146.fc17.noarch
mock-1.1.26-2.fc17.noarch
xorg-x11-xauth-1.0.7-1.fc17.x86_64 (inside mock)
xorg-x11-server-Xvfb-1.12.3-1.fc17 (inside mock)

How reproducible:
Always

Steps to Reproduce:
1. mock -r fedora-17-<any> init
2. mock -r fedora-17-<any> install xauth xvfb
3. mock shell
4. xvfb-run true
5. echo $?

Actual results:
Return code is 127 instead of 0. If a real command is run (e.g. make), xvfb-run returns immediately without printing anything. Also tested with dataquay (review request: https://bugzilla.redhat.com/show_bug.cgi?id=857705).

Expected results:
xvfb-run runs the provided command normally, providing normal output and returning the command's exit status.

Additional info:
See attached screenshot for the errors caught by the SELinux troubleshooter.
Could you attach raw AVC msgs from the /var/log/audit/audit.log file?
Created attachment 618440
Additional audit.log lines generated by running xvfb-run inside mock

Sure. This is for Fedora 18; my Fedora 17 machine is at home, but the failure is identical.
Same problem on RHEL6 and mock-1.1.28-1.el6 from EPEL. The problem cannot be solved by a policy module generated by audit2allow, because xauth (inside mock, called by xvfb-run) tries to access unlabelled files generated during a mock build.
Well, I don't understand the comment about audit2allow not being able to generate a policy for xauth here, since it looks like all you need is:

allow xauth_t mock_var_lib_t:chr_file append;

More importantly, we don't want mock_t transitioning to any other processes. The question I have is how the xauth_t process is starting.

sesearch -T -s mock_t
Found 13 semantic te rules:
type_transition mock_t mock_build_exec_t : process mock_build_t;
type_transition mock_t mock_tmp_t : process mock_build_t;
type_transition mock_t tmp_t : file mock_tmp_t;
type_transition mock_t tmp_t : dir mock_tmp_t;
type_transition mock_t tmp_t : lnk_file mock_tmp_t;
type_transition mock_t var_t : file mock_cache_t;
type_transition mock_t var_t : dir mock_cache_t;
type_transition mock_t abrt_helper_exec_t : process abrt_helper_t;
type_transition mock_t mount_exec_t : process mount_t;
type_transition mock_t fusermount_exec_t : process mount_t;
type_transition mock_t var_lib_t : file mock_var_lib_t;
type_transition mock_t var_lib_t : dir mock_var_lib_t;
type_transition mock_t mock_var_lib_t : process mock_build_t;

(I have just removed the transition to mount_t in Rawhide.)

sesearch -T -s mock_build_t
Found 7 semantic te rules:
type_transition mock_build_t var_lib_t : file mock_var_lib_t;
type_transition mock_build_t var_lib_t : dir mock_var_lib_t;
type_transition mock_build_t tmp_t : file mock_tmp_t;
type_transition mock_build_t tmp_t : dir mock_tmp_t;
type_transition mock_build_t var_t : file mock_cache_t;
type_transition mock_build_t var_t : dir mock_cache_t;
type_transition mock_build_t abrt_helper_exec_t : process abrt_helper_t;
Thinking a little more about this. When you execute mock shell, the context is probably running as unconfined_t.

sesearch -T -s unconfined_t -t xauth_exec_t
Found 1 semantic te rules:
type_transition unconfined_t xauth_exec_t : process xauth_t;

If unconfined_t executed an xauth_exec_t program, then we could have this transition happen.
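As an added illustration of the audit2allow step argued over in the two comments above (example code, not from the bug report, mock or selinux-policy): a small audit2allow-style reducer that turns raw AVC lines into the minimal allow rules, and separately flags denials against unlabeled_t, which are a labelling problem to fix with restorecon rather than a rule to add. The audit.log lines embedded in it are constructed to match the denial named above (xauth_t appending to a chr_file labelled mock_var_lib_t); the pid, device, inode, path and timestamp values are placeholders, and the module name xvfb_mock_local is made up.

```python
"""Reduce SELinux AVC denials to minimal type-enforcement allow rules.

Added example, not code from the bug report or from selinux-policy. It
does what `audit2allow -M` does for the simple case, plus one check
audit2allow does not make: denials whose target is unlabeled_t are
reported separately, because the right fix there is relabelling, not
a new allow rule.
"""
import re
from collections import defaultdict

# Constructed sample audit.log lines (NOT the reporter's attachment).
# pid, dev, ino, path and timestamps are placeholders; the type/class/
# permission triples match the denial described in the thread.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1349197221.823:4711): avc:  denied  { append } for  pid=4242 comm="xauth" path="/dev/null" dev="tmpfs" ino=1 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=AVC msg=audit(1349197221.824:4712): avc:  denied  { read write } for  pid=4242 comm="xauth" path="/dev/null" dev="tmpfs" ino=1 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=AVC msg=audit(1349197221.900:4713): avc:  denied  { getattr } for  pid=4242 comm="xauth" path="/builddir/.Xauthority" dev="dm-0" ino=99 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=SYSCALL msg=audit(1349197221.823:4711): arch=c000003e syscall=2 success=no exit=-13 ...
"""

# One AVC record: the denied permission set, then the source/target
# contexts and the object class. Non-AVC records (SYSCALL etc.) are skipped.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)


def _type_of(context):
    """user:role:type[:mls] -> type (the third colon-separated field)."""
    return context.split(':')[2]


def parse_avcs(text):
    """Return a list of (source_type, target_type, tclass, frozenset(perms))."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append((_type_of(m['scontext']), _type_of(m['tcontext']),
                        m['tclass'], frozenset(m['perms'].split())))
    return denials


def reduce_rules(denials):
    """Merge all denials on the same (src, tgt, class) into one permission set."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in denials:
        merged[(src, tgt, cls)] |= perms
    return {key: frozenset(perms) for key, perms in merged.items()}


def unlabeled_targets(rules):
    """Rule keys whose target is unlabeled_t: relabel (restorecon), don't allow."""
    return sorted(key for key in rules if key[1] == "unlabeled_t")


def render_te(rules, module="xvfb_mock_local", version="1.0"):
    """Render a .te module source in the shape audit2allow -M produces.

    Rules against unlabeled_t are left out on purpose (see unlabeled_targets).
    """
    rules = {k: v for k, v in rules.items() if k[1] != "unlabeled_t"}
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"module {module} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    rules = reduce_rules(parse_avcs(SAMPLE_AUDIT_LOG))
    for key in unlabeled_targets(rules):
        print("# skipped %s -> %s:%s (relabel the object instead)" % key)
    print(render_te(rules))
```

The rendered .te can be built and loaded the usual way (checkmodule -M -m -o x.mod x.te; semodule_package -o x.pp -m x.mod; semodule -i x.pp) and checked with sesearch -A -s xauth_t -t mock_var_lib_t -c chr_file. That is only a local stopgap: as the maintainer says above, the real question is which domain transition put xauth into xauth_t in the first place, and the fix that closed this bug landed in selinux-policy itself.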
Backported.
Ah, wrong bug number.
selinux-policy-3.11.1-81.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-81.fc18
selinux-policy-3.11.1-81.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.