On Mon, Sep 19, 2016 at 10:39:45AM -0400, Stephen Smalley wrote:
> On 09/18/2016 02:39 PM, Laurent Bigonville wrote:
> > Hi,
> > 
> > It seems that sandbox -X is not working anymore on debian.
> > 
> > Xephyr (1.18.4) is giving me the following error:
> > 
> > _XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be
> > created.
> > 
> > The X socket is not created inside the sandbox and then the application
> > can obviously not connect to it.
> > 
> > I'm not sure how this could be fixed, maybe let's seunshare create that
> > directory?
> 
> I don't see this error on Fedora, which also has Xephyr 1.18.4, so maybe
> they have a fix?
> 
> That is using the Fedora policycoreutils-sandbox package, which yields a
> functioning sandbox -X, e.g. sandbox -X firefox works correctly.
> 
> However, if I install sandbox from upstream, e.g.
> 
> cd selinux
> sudo make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install install-pywrap relabel
> 
> then sandbox -X firefox fails immediately, and I have the following in
> the audit log:
> type=SELINUX_ERR msg=audit(1474295659.424:2189):
> op=security_bounded_transition seresult=denied
> oldcontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c658,c1002
> newcontext=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c658,c1002

It's most likely not related. Same error can be seen in stock Fedora.

> So I guess there are other patches in the Fedora package that are needed?

It's this patch
https://github.com/fedora-selinux/selinux/commit/2540625875ebdfe0ef48798437288e8a07aa853d

But the patch below works too:

--- a/policycoreutils/sandbox/sandboxX.sh
+++ b/policycoreutils/sandbox/sandboxX.sh
@@ -20,7 +20,7 @@ cat > ~/.config/openbox/rc.xml << EOF
 </openbox_config>
 EOF
 
-(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE 
-dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
+(/usr/bin/Xephyr -resizeable -title "$TITLE" -screen $SCREENSIZE -dpi $DPI 
-nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
     export DISPLAY=:$D
     cat > ~/seremote << __EOF
 #!/bin/sh
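
Review bot: the only effective change in this hunk is dropping `-terminate` from the Xephyr command line, and the message does not explain why that makes the X socket appear or what now stops Xephyr when the sandboxed application exits. With `-terminate` the X server exits on reset, i.e. once its last client disconnects; without it Xephyr keeps running, so the cleanup path in sandboxX.sh should be checked to make sure it kills the Xephyr process explicitly, and the rationale belongs in the commit message. Also, as emailed the hunk has been line-wrapped: `-dpi $DPI` and `-nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do` appear as their own `-`-prefixed lines, so the patch will not apply until they are rejoined with the `(/usr/bin/Xephyr ...` lines above them (resend with long lines intact or as an attachment).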



I'm not sure which one is correct.

Petr
-- 
Petr Lautrbach
_______________________________________________
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.