On 09/18/2016 02:39 PM, Laurent Bigonville wrote:
> Hi,
> 
> It seems that sandbox -X is not working anymore on Debian.
> 
> Xephyr (1.18.4) is giving me the following error:
> 
> _XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be
> created.
> 
> The X socket is not created inside the sandbox and then the application
> can obviously not connect to it.
> 
> I'm not sure how this could be fixed, maybe let seunshare create that
> directory?

I don't see this error on Fedora, which also has Xephyr 1.18.4, so maybe
they have a fix?

That is using the Fedora policycoreutils-sandbox package, which yields a
functioning sandbox -X, e.g. sandbox -X firefox works correctly.

However, if I install sandbox from upstream, e.g.

cd selinux
sudo make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install install-pywrap relabel

then sandbox -X firefox fails immediately, and I have the following in
the audit log:
type=SELINUX_ERR msg=audit(1474295659.424:2189):
op=security_bounded_transition seresult=denied
oldcontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c658,c1002
newcontext=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c658,c1002

So I guess there are other patches in the Fedora package that are needed?
_______________________________________________
Selinux mailing list
Selinux@tycho.nsa.gov
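Added example, not part of the original thread: a small Python parser for the SELINUX_ERR record quoted in the reply above, which re-joins the mail-wrapped lines and reports which component of the security context differs between oldcontext and newcontext. The function names are hypothetical; the record text is copied from the message.

```python
import re
from datetime import datetime, timezone

# Record copied from the message above, with the mail line wrapping kept.
RECORD = """type=SELINUX_ERR msg=audit(1474295659.424:2189):
op=security_bounded_transition seresult=denied
oldcontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c658,c1002
newcontext=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c658,c1002"""

FIELDS = ("user", "role", "type", "level")


def parse_record(text):
    """Parse one audit record into a dict, tolerating wrapped lines."""
    flat = " ".join(text.split())  # undo wrapping added by the mail client
    stamp = re.search(r"msg=audit\((\d+)\.\d+:(\d+)\)", flat)
    if stamp is None:
        raise ValueError("no audit timestamp found")
    rec = dict(re.findall(r"(\w+)=(\S+)", flat))
    rec["time"] = datetime.fromtimestamp(int(stamp.group(1)), tz=timezone.utc)
    rec["serial"] = int(stamp.group(2))
    return rec


def split_context(ctx):
    """Split user:role:type[:level]; the MLS/MCS level may itself contain ':'."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % ctx)
    parts += [""] * (4 - len(parts))  # policy without MLS has no level field
    return dict(zip(FIELDS, parts))


def changed_fields(rec):
    """Return {field: (old, new)} for each context component that differs."""
    old = split_context(rec["oldcontext"])
    new = split_context(rec["newcontext"])
    return {f: (old[f], new[f]) for f in FIELDS if old[f] != new[f]}


def summarize(rec):
    """One-line triage summary of a transition record."""
    diffs = ", ".join("%s %s -> %s" % (f, o, n)
                      for f, (o, n) in changed_fields(rec).items())
    return "%s serial=%d op=%s result=%s: %s" % (
        rec["time"].isoformat(), rec["serial"], rec["op"], rec["seresult"], diffs)


if __name__ == "__main__":
    print(summarize(parse_record(RECORD)))
```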