Bug 970205 - Cannot run xvfb-run in mock with SELinux set to enforcing, targeted
Summary: Cannot run xvfb-run in mock with SELinux set to enforcing, targeted
Keywords:
Status: CLOSED CANTFIX
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.4
Hardware: All
OS: Linux
Severity: unspecified
Priority: medium
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On: 857709
Blocks:
Reported: 2013-06-03 16:53 UTC by Jonathan Underwood
Modified: 2015-02-25 10:53 UTC
CC List: 7 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 857709
Environment:
Last Closed: 2015-02-25 10:53:47 UTC
Target Upstream Version:
Embargoed:



Description Jonathan Underwood 2013-06-03 16:53:09 UTC
+++ This bug was initially created as a clone of Bug #857709 +++

This affects RHEL 6.4 as well - any chance of pushing the fix to that as well?


Description of problem:
I'm trying to rebuild a package that requires access to the display during its build and test process, and thus needs to use xvfb-run during the package building process.

This works fine on the Koji build servers, and locally using mock after using 'setenforce 0', but fails if SELinux is set to the default of enforcing, policy=targeted.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.10.0-146.fc17.noarch
mock-1.1.26-2.fc17.noarch
xorg-x11-xauth-1.0.7-1.fc17.x86_64 (inside mock)
xorg-x11-server-Xvfb-1.12.3-1.fc17 (inside mock)

How reproducible:
Always

Steps to Reproduce:
1. mock -r fedora-17-<any> init
2. mock -r fedora-17-<any> install xauth xvfb 
3. mock shell
4. xvfb-run true
5. echo $?
  
Actual results:
Return code is 127 instead of 0. If a real command is run (e.g. make) xvfb-run returns immediately without printing anything. Also test with dataquay (review request: https://bugzilla.redhat.com/show_bug.cgi?id=857705)

Expected results:
xvfb-run runs the provided command normally, providing normal outputs and returning the command's exit status

Additional info:
See attached screenshot for the errors caught by the SELinux troubleshooter.

--- Additional comment from Miroslav Grepl on 2012-09-17 03:59:11 EDT ---

Could you attach raw AVC msgs from the /var/log/audit/audit.log file?

--- Additional comment from Michel Alexandre Salim on 2012-09-28 03:00:04 EDT ---

Sure. This is for Fedora 18; my Fedora 17 machine is at home but the failure is identical

--- Additional comment from Joachim Katzer on 2013-01-03 14:44:24 EST ---

Same problem on RHEL6 and mock-1.1.28-1.el6 from EPEL.

Problem cannot be solved by a policy module generated by audit2allow because xauth (inside mock, called by xvfb-run) tries to access unlabelled files, generated during a mock build.

--- Additional comment from Daniel Walsh on 2013-02-19 23:55:42 EST ---

Well I don't understand the comment about xauth audit2allow not being allowed to generate a policy for this, since it looks like all you need is:

allow xauth_t mock_var_lib_t:chr_file append;

More importantly, we don't want mock_t transitioning to any other processes.  The question I have is how the xauth_t processes are starting.

 sesearch -T -s mock_t 
Found 13 semantic te rules:
   type_transition mock_t mock_build_exec_t : process mock_build_t; 
   type_transition mock_t mock_tmp_t : process mock_build_t; 
   type_transition mock_t tmp_t : file mock_tmp_t; 
   type_transition mock_t tmp_t : dir mock_tmp_t; 
   type_transition mock_t tmp_t : lnk_file mock_tmp_t; 
   type_transition mock_t var_t : file mock_cache_t; 
   type_transition mock_t var_t : dir mock_cache_t; 
   type_transition mock_t abrt_helper_exec_t : process abrt_helper_t; 
   type_transition mock_t mount_exec_t : process mount_t; 
   type_transition mock_t fusermount_exec_t : process mount_t; 
   type_transition mock_t var_lib_t : file mock_var_lib_t; 
   type_transition mock_t var_lib_t : dir mock_var_lib_t; 
   type_transition mock_t mock_var_lib_t : process mock_build_t; 

(I have just removed the transition to mount_t in Rawhide.)

sesearch -T -s mock_build_t 
Found 7 semantic te rules:
   type_transition mock_build_t var_lib_t : file mock_var_lib_t; 
   type_transition mock_build_t var_lib_t : dir mock_var_lib_t; 
   type_transition mock_build_t tmp_t : file mock_tmp_t; 
   type_transition mock_build_t tmp_t : dir mock_tmp_t; 
   type_transition mock_build_t var_t : file mock_cache_t; 
   type_transition mock_build_t var_t : dir mock_cache_t; 
   type_transition mock_build_t abrt_helper_exec_t : process abrt_helper_t;

--- Additional comment from Daniel Walsh on 2013-02-20 02:44:47 EST ---

Thinking a little more about this.  When you execute mock shell the context is probably running as unconfined_t.

sesearch -T -s unconfined_t -t  xauth_exec_t
Found 1 semantic te rules:
   type_transition unconfined_t xauth_exec_t : process xauth_t; 


If unconfined_t executed a xauth_exec_t program then we could have this transition happen.

--- Additional comment from Miroslav Grepl on 2013-02-20 05:28:17 EST ---

Backported.

--- Additional comment from Miroslav Grepl on 2013-02-20 05:28:53 EST ---

Ah, wrong bug number.

--- Additional comment from Fedora Update System on 2013-02-22 03:22:10 EST ---

selinux-policy-3.11.1-81.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-81.fc18

--- Additional comment from Fedora Update System on 2013-02-24 04:01:25 EST ---

selinux-policy-3.11.1-81.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
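
The cloned discussion above leaves two practical questions open for anyone hitting this on RHEL 6: how to turn the raw AVC messages Miroslav asked for into the single rule Daniel Walsh identified (allow xauth_t mock_var_lib_t:chr_file append;), and why Joachim's audit2allow attempt could not work when the build leaves unlabelled files behind. The script below is an added example, not code from this bug report or from the selinux-policy or mock projects. It does the audit2allow -M job by hand: parse AVC records, collect one allow rule per (source type, target type, class), and render a .te module, but it sets aside any denial whose target is unlabeled_t, because an allow rule there hides a labelling problem that restorecon should fix instead. The AVC lines in SAMPLE_AUDIT_LOG are constructed to match the denial described above (none were attached to this bug), and the module name mock_xauth_local is an assumption. It uses only %-formatting so it runs on the Python 2.6 that RHEL 6 ships with as well as on Python 3.

```python
"""audit2allow-style triage of AVC denials for the xvfb-run/xauth-in-mock case.

Added example, not code from the bug report or from selinux-policy.  Input is
raw audit.log text, e.g. on the RHEL 6 host (as root):
    ausearch -m avc -c xauth -ts recent > xauth-avc.log
The records in SAMPLE_AUDIT_LOG are CONSTRUCTED to match the denial discussed
in the bug; none were attached.  MODULE_NAME is an assumption.
"""
import re
from collections import defaultdict

MODULE_NAME = "mock_xauth_local"  # assumed name for the local module

# Constructed sample in audit.log format (not from the bug's attachments).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1358000000.123:4567): avc:  denied  { append } for  pid=12345 comm="xauth" path="/var/lib/mock/fedora-17-x86_64/root/dev/null" dev=dm-0 ino=6 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1358000000.123:4567): arch=c000003e syscall=2 success=no exit=-13 items=0 ppid=12340 pid=12345 comm="xauth" exe="/usr/bin/xauth" subj=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1358000010.456:4570): avc:  denied  { read } for  pid=12351 comm="xauth" name=".Xauthority" dev=dm-0 ino=917 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Target types for which an allow rule only papers over a labelling bug: files
# the build creates inside the chroot with no label must be relabelled, not
# opened up to xauth_t.
RELABEL_TYPES = set(["unlabeled_t"])


def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(log_text):
    """Yield one dict per AVC record; SYSCALL and other record types are skipped."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        yield {"source": type_of(m.group("scontext")),
               "target": type_of(m.group("tcontext")),
               "tclass": m.group("tclass"),
               "perms": set(m.group("perms").split())}


def triage(log_text):
    """Return (rules, relabel): rules maps (source, target, tclass) to the
    permissions to allow; relabel lists denials whose target needs relabelling."""
    rules = defaultdict(set)
    relabel = []
    for d in parse_avc(log_text):
        if d["target"] in RELABEL_TYPES:
            relabel.append(d)
        else:
            rules[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    return dict(rules), relabel


def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_module(rules, name=MODULE_NAME):
    """Render .te source equivalent to what audit2allow -M would emit."""
    types = sorted(set(t for src, tgt, _ in rules for t in (src, tgt)))
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    lines = ["module %s 1.0;" % name, "", "require {"]
    lines += ["\ttype %s;" % t for t in types]
    lines += ["\tclass %s %s;" % (c, fmt_perms(classes[c])) for c in sorted(classes)]
    lines += ["}", ""]
    for (src, tgt, tclass), perms in sorted(rules.items()):
        lines.append("allow %s %s:%s %s;" % (src, tgt, tclass, fmt_perms(perms)))
    return "\n".join(lines) + "\n"


def build_commands(name=MODULE_NAME):
    """Commands to compile and load the module on the RHEL 6 host (as root)."""
    return ["checkmodule -M -m -o %s.mod %s.te" % (name, name),
            "semodule_package -o %s.pp -m %s.mod" % (name, name),
            "semodule -i %s.pp" % name]


if __name__ == "__main__":
    rules, relabel = triage(SAMPLE_AUDIT_LOG)
    print(render_module(rules))
    for d in relabel:
        print("# %s -> %s:%s %s: relabel the file (restorecon -Rv <path>), "
              "do not add an allow rule" % (d["source"], d["target"],
                                            d["tclass"], fmt_perms(d["perms"])))
    print("\n".join(build_commands()))
```

Write the rendered text to mock_xauth_local.te and run the three commands from build_commands() on the RHEL 6 host; the module then contains exactly the one rule from the analysis above. A denial that lands in the relabel list is the situation Joachim describes: no allow rule against unlabeled_t should be loaded, the files the build created need a label (restorecon on the chroot tree, or a file context rule for the mock root) so they come back as mock_var_lib_t.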

Comment 2 Wolfgang Ulbrich 2013-07-21 15:49:27 UTC
I run into the same error if I try to build caja-dropbox at the rpmfusion build server.
http://buildsys.rpmfusion.org/build-status/job.psp?uid=17892
http://buildsys.rpmfusion.org/logs/fedora-development-rpmfusion_nonfree/17892-caja-dropbox-1.6.0-3.fc20/x86_64/build.log

+ cd nautilus-dropbox-1.6.0
+ xvfb-run -a ./configure 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches  -m64 -mtune=generic'
RPM build errors:
error: Bad exit status from /var/tmp/rpm-tmp.2XwVZo (%build)
    Bad exit status from /var/tmp/rpm-tmp.2XwVZo (%build)
Child return code was: 1
EXCEPTION: Command failed. See logs for output.
 # ['bash', '--login', '-c', 'rpmbuild -bb --target x86_64 --nodeps builddir/build/SPECS/caja-dropbox.spec']
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/mockbuild/trace_decorator.py", line 70, in trace
    result = func(*args, **kw)
  File "/usr/lib/python2.6/site-packages/mockbuild/util.py", line 352, in do
    raise mockbuild.exception.Error, ("Command failed. See logs for output.\n # %s" % (command,), child.returncode)
Error: Command failed. See logs for output.
 # ['bash', '--login', '-c', 'rpmbuild -bb --target x86_64 --nodeps builddir/build/SPECS/caja-dropbox.spec']
LEAVE do --> EXCEPTION RAISED

It would be very helpful if you could fix that for RHEL6 too.

Thank you

Comment 3 Miroslav Grepl 2013-08-07 06:11:01 UTC
Well, the problem is with mock+RHEL6, where we don't have support for mock. Could you run it on a RHEL6 system and attach the actual AVC msgs?

Comment 4 Wolfgang Ulbrich 2013-08-07 10:03:16 UTC
Sorry, I don't have a RHEL6 system.

