On 19/09/16 at 20:26, Stephen Smalley wrote:
On 09/19/2016 02:02 PM, Petr Lautrbach wrote:
On Mon, Sep 19, 2016 at 10:39:45AM -0400, Stephen Smalley wrote:
On 09/18/2016 02:39 PM, Laurent Bigonville wrote:
Hi,

It seems that sandbox -X is not working anymore on debian.

Xephyr (1.18.4) is giving me the following error:

_XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be
created.

The X socket is not created inside the sandbox and then the application
can obviously not connect to it.

I'm not sure how this could be fixed, maybe let seunshare create that
directory?
I don't see this error on Fedora, which also has Xephyr 1.18.4, so maybe
they have a fix?

That is using the Fedora policycoreutils-sandbox package, which yields a
functioning sandbox -X, e.g. sandbox -X firefox works correctly.

However, if I install sandbox from upstream, e.g.

cd selinux
sudo make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install install-pywrap relabel

then sandbox -X firefox fails immediately, and I have the following in
the audit log:
type=SELINUX_ERR msg=audit(1474295659.424:2189):
op=security_bounded_transition seresult=denied
oldcontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c658,c1002
newcontext=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c658,c1002
It's most likely not related. The same error can be seen in stock Fedora.

So I guess there are other patches in the Fedora package that are needed?
It's this patch
https://github.com/fedora-selinux/selinux/commit/2540625875ebdfe0ef48798437288e8a07aa853d

But the patch below works too:

--- a/policycoreutils/sandbox/sandboxX.sh
+++ b/policycoreutils/sandbox/sandboxX.sh
@@ -20,7 +20,7 @@ cat > ~/.config/openbox/rc.xml << EOF
  </openbox_config>
  EOF
-(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
+(/usr/bin/Xephyr -resizeable -title "$TITLE" -screen $SCREENSIZE -dpi $DPI -nolisten tcp 
-displayfd 5 5>&1 2>/dev/null) | while read D; do
      export DISPLAY=:$D
      cat > ~/seremote << __EOF
  #!/bin/sh
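Review bot: dropping -terminate from the Xephyr line means Xephyr no longer exits on its own when its last client disconnects, so the rest of sandboxX.sh (not visible in this hunk) must explicitly kill the Xephyr process when the sandboxed application ends, otherwise each sandbox -X run can leave an X server behind. A comment on the changed line recording why -terminate breaks creation of /tmp/.X11-unix would also help, since the thread itself says the cause is not understood. As posted, the new `+` line is wrapped by the mailer so that `-displayfd 5 5>&1 2>/dev/null) | while read D; do` appears as a separate line beginning with `-`, which patch would read as a removal; resend unwrapped or as an attachment before it is applied.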



I'm not sure which one is correct.
I don't know either, but the one above does work and seems simpler, so
let's go with that one.

I don't really understand why it's working outside of the sandbox and why it was working before.

But indeed removing -terminate or adding -reset seems to fix it.
_______________________________________________
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.