Bug 976995 - cannot use anymore a web browser in a sandbox
cannot use anymore a web browser in a sandbox
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: xorg-x11-server (Show other bugs)
rawhide
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: X/OpenGL Maintenance List
Fedora Extras Quality Assurance
:
: 984684 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-06-22 06:29 EDT by Alphonse Steiner
Modified: 2013-07-22 20:45 EDT (History)
8 users (show)

See Also:
Fixed In Version: xorg-x11-server-1.14.2-5.fc19
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-07-20 05:44:49 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Fix the segfault (696 bytes, patch)
2013-07-12 02:14 EDT, Alphonse Steiner
no flags Details | Diff

  None (edit)
Description Alphonse Steiner 2013-06-22 06:29:43 EDT
Description of problem:
The command "sandbox -X -t sandbox_web_t midori" that used to work in fedora 17
fails in fedora 19.

Version-Release number of selected component (if applicable)
selinux-policy-3.12.1-55.fc19


Additional info:
Turning 'dontaudit' off, here are the denials (none otherwise, or only the user_dev_pts with policy release -52):


type=AVC msg=audit(1371893808.778:1881): avc:  denied  { rlimitinh } for  pid=21283 comm="seunshare" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_seunshare_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1371893808.778:1881): avc:  denied  { siginh } for  pid=21283 comm="seunshare" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_seunshare_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1371893808.778:1881): avc:  denied  { noatsecure } for  pid=21283 comm="seunshare" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_seunshare_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1371893808.784:1882): avc:  denied  { read } for  pid=21283 comm="seunshare" name="mls" dev="selinuxfs" ino=12 scontext=staff_u:staff_r:staff_seunshare_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1371893808.787:1884): avc:  denied  { rlimitinh } for  pid=21286 comm="sandboxX.sh" scontext=staff_u:staff_r:staff_seunshare_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:sandbox_web_t:s0:c220,c268 tclass=process
type=AVC msg=audit(1371893808.787:1884): avc:  denied  { siginh } for  pid=21286 comm="sandboxX.sh" scontext=staff_u:staff_r:staff_seunshare_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:sandbox_web_t:s0:c220,c268 tclass=process
type=AVC msg=audit(1371893808.787:1884): avc:  denied  { noatsecure } for  pid=21286 comm="sandboxX.sh" scontext=staff_u:staff_r:staff_seunshare_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:sandbox_web_t:s0:c220,c268 tclass=process
type=AVC msg=audit(1371893808.790:1885): avc:  denied  { open } for  pid=21286 comm="sandboxX.sh" path="/dev/pts/4" dev="devpts" ino=7 scontext=staff_u:staff_r:sandbox_web_t:s0:c220,c268 tcontext=staff_u:object_r:user_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1371893808.806:1886): avc:  denied  { rlimitinh } for  pid=21295 comm="Xephyr" scontext=staff_u:staff_r:sandbox_web_t:s0:c220,c268 tcontext=staff_u:staff_r:sandbox_xserver_t:s0:c220,c268 tclass=process
type=AVC msg=audit(1371893808.806:1886): avc:  denied  { siginh } for  pid=21295 comm="Xephyr" scontext=staff_u:staff_r:sandbox_web_t:s0:c220,c268 tcontext=staff_u:staff_r:sandbox_xserver_t:s0:c220,c268 tclass=process
type=AVC msg=audit(1371893808.806:1886): avc:  denied  { noatsecure } for  pid=21295 comm="Xephyr" scontext=staff_u:staff_r:sandbox_web_t:s0:c220,c268 tcontext=staff_u:staff_r:sandbox_xserver_t:s0:c220,c268 tclass=process
type=AVC msg=audit(1371893808.868:1887): avc:  denied  { rlimitinh } for  pid=21298 comm="sh" scontext=staff_u:staff_r:staff_seunshare_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1371893808.868:1887): avc:  denied  { siginh } for  pid=21298 comm="sh" scontext=staff_u:staff_r:staff_seunshare_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1371893808.868:1887): avc:  denied  { noatsecure } for  pid=21298 comm="sh" scontext=staff_u:staff_r:staff_seunshare_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1371893808.916:1888): avc:  denied  { rlimitinh } for  pid=21302 comm="sh" scontext=staff_u:staff_r:staff_seunshare_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1371893808.916:1888): avc:  denied  { siginh } for  pid=21302 comm="sh" scontext=staff_u:staff_r:staff_seunshare_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1371893808.916:1888): avc:  denied  { noatsecure } for  pid=21302 comm="sh" scontext=staff_u:staff_r:staff_seunshare_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
Comment 1 Miroslav Grepl 2013-06-24 04:51:09 EDT
It works for me. Does it work in permissive mode?
Comment 2 Alphonse Steiner 2013-06-24 05:39:47 EDT
Damn, I was sure I have already tried that. Same problem in permissive mode, so the problem is elsewhere. I am feeling quite ashamed now.. you can certainly close this report.
What is your version of sandbox?
It is a fresh install with the same home partition, so it must be a problem with a configuration file somewhere. Does someone have any clue on where to look at? It happens on all accounts, even new ones.
Comment 3 Alphonse Steiner 2013-06-24 06:09:33 EDT
It is the '-X' argument that is faulty. Without it, the application run (at least in permissive mode).
Comment 4 Daniel Walsh 2013-06-24 11:10:04 EDT
No the problem is with Xephry, I believe.

remove --resizable option in  /usr/share/sandbox/sandboxX.sh

And see if this fixes the problem.
Comment 5 Alphonse Steiner 2013-06-30 05:04:47 EDT
I have removed the option. I am using the command "sandbox -X xterm" for testing, and it fails even in permissive mode.
Comment 6 Alphonse Steiner 2013-06-30 05:10:19 EDT
Same result using the file /usr/share/sandbox/sandboxX.sh from fedora 17.
Comment 7 Alphonse Steiner 2013-06-30 05:28:41 EDT
You're right Daniel, the problem is with Xephyr. I have a segfault using it alone:
Xephyr -ac -br -noreset -screen 800x600 :2

(EE) 
(EE) Backtrace:
(EE) 0: Xephyr (OsLookupColor+0x129) [0x4672b9]
(EE) 1: /lib64/libpthread.so.0 (__restore_rt+0x0) [0x7f71e0547f9f]
(EE) 2: Xephyr (XNFprintf+0x9aea) [0x4809fa]
(EE) 3: Xephyr (XNFprintf+0x8dc7) [0x47e967]
(EE) 4: Xephyr (XNFprintf+0x4538) [0x475e78]
(EE) 5: Xephyr (ddxGiveUp+0xf27) [0x48e737]
(EE) 6: Xephyr (AddScreen+0x71) [0x42fdc1]
(EE) 7: Xephyr (ddxGiveUp+0x1409) [0x48f089]
(EE) 8: Xephyr (_init+0x3c4b) [0x4221fb]
(EE) 9: /lib64/libc.so.6 (__libc_start_main+0xf5) [0x7f71dfc94b75]
(EE) 10: Xephyr (_start+0x29) [0x41ecc1]
(EE) 11: ? (?+0x29) [0x29]
(EE) 
(EE) Segmentation fault at address 0x18

Fatal server error:
Caught signal 11 (Segmentation fault). Server aborting

So, could you move the report to Xephyr?
Comment 8 Alphonse Steiner 2013-07-12 02:14:27 EDT
Created attachment 772539 [details]
Fix the segfault

The weird point is that I cannot reproduce the segfault on a virtual machine, but it does happen on the main system.
I can fix it with this patch.
For sandbox, Xephyr does not recognise the resizeable option, and I have to remove it: I really bo not understand this point since it works in the VM. Is there something to do to enable it?
I am using the version 1.14.2-3 (+this patch), from the repository updates-testing.
Comment 9 Sergio Monteiro Basto 2013-07-13 12:43:29 EDT
from bug #984178  , this may be fixed, could you please test :

Package xorg-x11-server-1.14.2-4.fc19:
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing xorg-x11-server-1.14.2-4.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-12886/xorg-x11-server-1.14.2-4.fc19
then log in and leave karma (feedback).
Comment 10 Alphonse Steiner 2013-07-13 13:53:54 EDT
Does not fix this bug. The Xephyr option -resizeable is still absent, and the patch is still required (segfault otherwise).
Comment 11 Sergio Monteiro Basto 2013-07-13 17:45:11 EDT
(In reply to Alphonse Steiner from comment #10)
> Does not fix this bug. The Xephyr option -resizeable is still absent, and
> the patch is still required (segfault otherwise).

In my point of view, we just should give negative karma when we have regressions, 
this release fixes many bugs and don't make any regression on yours, so you should change your vote, to get this update in stable soon. 
Your patch, will be analysed and hope that hit branch stable soon if really fix this bug (and others) .
Comment 12 Alphonse Steiner 2013-07-14 02:39:13 EDT
Sorry, I am not really aware of this karma thing and was a little hasty I guess. It is true that I do not see any regressions and that it solves other bugs, so giving a bad karma is really harsh. I will change my vore.
Comment 13 Fedora Update System 2013-07-14 21:23:56 EDT
xorg-x11-server-1.14.2-5.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/xorg-x11-server-1.14.2-5.fc19
Comment 14 Alphonse Steiner 2013-07-15 02:58:06 EDT
Bug not fixed. The option is back in Xephyr, but the patch is still required (segfault otherwise).
Comment 15 Daniel Walsh 2013-07-15 14:25:10 EDT
*** Bug 984684 has been marked as a duplicate of this bug. ***
Comment 16 Fedora Update System 2013-07-15 21:23:35 EDT
Package xorg-x11-server-1.14.2-5.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing xorg-x11-server-1.14.2-5.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-12995/xorg-x11-server-1.14.2-5.fc19
then log in and leave karma (feedback).
Comment 17 Alphonse Steiner 2013-07-16 06:28:33 EDT
Just to be sure, I rewrite it: this version does not fix the segfault. The path still work.
Comment 18 Dave Allan 2013-07-18 18:05:17 EDT
xorg-x11-server-Xephyr-1.14.2-5.fc19 fixes sandbox -X for me.  Perhaps this is PBKAC, but the command referenced above:

yum update --enablerepo=updates-testing xorg-x11-server-1.14.2-5.fc19

failed with package not found.

To install the new Xephyr I used:

yum update --enablerepo=updates-testing xorg-x11-server-Xephyr-1.14.2-5.fc19
Comment 19 Sergio Monteiro Basto 2013-07-18 18:22:58 EDT
The correct command should be :

yum update --enablerepo=updates-testing xorg-x11-server\*-1.14.2-5.fc19


This is a bug on message of Fedora Update System, for this specific package .
Comment 20 Alphonse Steiner 2013-07-19 05:17:06 EDT
As I said before, the "sandbox -X" part is fixed with 1.14.2-5 (the option is back).

However, I still have a segfault error when I start Xephyr (_alone_ or by sandbox -X). The bad point is that this segfault is not reproducible everywhere. I have it on the main system, but not on virtual ones. 

For information, it did not happened in FC17, and this version of FC19 is from a fresh install.
Comment 21 Daniel Walsh 2013-07-19 06:23:11 EDT
Does it crash in permissive mode?
Comment 22 Alphonse Steiner 2013-07-19 14:46:22 EDT
Yes it does. This problem is not related to selinux, but to Xephyr. The function 'XGetVisualInfo' returns a NULL pointer, leading to the segfault.
Comment 23 Fedora Update System 2013-07-20 05:44:49 EDT
xorg-x11-server-1.14.2-5.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 24 Sergio Monteiro Basto 2013-07-22 20:45:26 EDT
(In reply to Alphonse Steiner from comment #22)
> Yes it does. This problem is not related to selinux, but to Xephyr. The
> function 'XGetVisualInfo' returns a NULL pointer, leading to the segfault.

Hi, Alphonse Steiner, are you the author of the patch "Fix the segfault" ? 
if yes , is patch posted to the xorg-devel mailing list, for master ?

Note You need to log in before you can comment on or make changes to this bug.