On 19/09/16 at 20:26, Stephen Smalley wrote:
I don't really understand why it's working outside of the sandbox and
why it was working before.
On 09/19/2016 02:02 PM, Petr Lautrbach wrote:
On Mon, Sep 19, 2016 at 10:39:45AM -0400, Stephen Smalley wrote:
On 09/18/2016 02:39 PM, Laurent Bigonville wrote:
It seems that sandbox -X is not working anymore on debian.
Xephyr (1.18.4) is giving me the following error:
_XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be
The X socket is not created inside the sandbox and then the application
can obviously not connect to it.
I'm not sure how this could be fixed, maybe let's seunshare create that
I don't see this error on Fedora, which also has Xephyr 1.18.4, so maybe
they have a fix?
That is using the Fedora policycoreutils-sandbox package, which yields a
functioning sandbox -X, e.g. sandbox -X firefox works correctly.
However, if I install sandbox from upstream, e.g.
sudo make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install install-pywrap relabel
then sandbox -X firefox fails immediately, and I have the following in
the audit log:
It's most likely not related. Same error can be seen in stock Fedora.
So I guess there are other patches in the Fedora package that are needed?
It's this patch
But the patch below works too:
@@ -20,7 +20,7 @@ cat > ~/.config/openbox/rc.xml << EOF
-(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
+(/usr/bin/Xephyr -resizeable -title "$TITLE" -screen $SCREENSIZE -dpi $DPI -nolisten tcp
-displayfd 5 5>&1 2>/dev/null) | while read D; do
cat > ~/seremote << __EOF
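Review bot: the `+` line drops `-terminate` from the Xephyr invocation, but nothing in the visible hunk shows what stops Xephyr once the sandboxed client exits. `-terminate` is the option that makes the X server exit at server reset instead of continuing to run, so without it the nested server may outlive the session. Please confirm that the script ends Xephyr by another path, and add a one-line comment above the command recording why `-terminate` was removed, given that the thread reports `-reset` as an alternative fix. Separately, the added line is wrapped in the mail, so `-displayfd 5 5>&1 2>/dev/null) | while read D; do` starts a new line with `-` and will be read as a removal; resend the patch unwrapped. The `2>/dev/null` also discards Xephyr's own error output, which makes startup failures like the one reported in this thread harder to see.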
I'm not sure which one is correct.
I don't know either, but the one above does work and seems simpler, so
let's go with that one.
But indeed removing -terminate or adding -reset seems to fix it