* sandbox -X not working with recent Xephyr
From: Laurent Bigonville @ 2016-09-18 18:39 UTC
  To: selinux

Hi,

It seems that sandbox -X is not working anymore on Debian.

Xephyr (1.18.4) is giving me the following error:

_XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be created.

The X socket is not created inside the sandbox and then the application 
can obviously not connect to it.

I'm not sure how this could be fixed, maybe let seunshare create that 
directory?

Cheers,

Laurent Bigonville

* Re: sandbox -X not working with recent Xephyr
From: Stephen Smalley @ 2016-09-19 14:39 UTC
  To: Laurent Bigonville, selinux, Petr Lautrbach

On 09/18/2016 02:39 PM, Laurent Bigonville wrote:
> Hi,
> 
> It seems that sandbox -X is not working anymore on debian.
> 
> Xephyr (1.18.4) is giving me the following error:
> 
> _XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be
> created.
> 
> The X socket is not created inside the sandbox and then the application
> can obviously not connect to it.
> 
> I'm not sure how this could be fixed, maybe let's seunshare create that
> directory?

I don't see this error on Fedora, which also has Xephyr 1.18.4, so maybe
they have a fix?

That is using the Fedora policycoreutils-sandbox package, which yields a
functioning sandbox -X, e.g. sandbox -X firefox works correctly.

However, if I install sandbox from upstream, e.g.

cd selinux
sudo make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install install-pywrap relabel

then sandbox -X firefox fails immediately, and I have the following in
the audit log:
type=SELINUX_ERR msg=audit(1474295659.424:2189):
op=security_bounded_transition seresult=denied
oldcontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c658,c1002
newcontext=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c658,c1002

So I guess there are other patches in the Fedora package that are needed?
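
The SELINUX_ERR record quoted in the message above, pulled apart field by field. This is an added Python example, not part of the original message or of policycoreutils: it undoes the mail line wrapping, splits both contexts and reports which component the denied transition tried to change. Function names are illustrative; the record is the one from the message.

```python
import re

# The record from the message above, wrapped over four lines as the mail shows it.
RECORD = """\
type=SELINUX_ERR msg=audit(1474295659.424:2189):
op=security_bounded_transition seresult=denied
oldcontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c658,c1002
newcontext=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c658,c1002
"""

_HEADER = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\):?")
_FIELD = re.compile(r"(\w+)=(\S+)")


def parse_context(ctx):
    """Split user:role:type[:level]; the level itself contains ':' (s0:c658,c1002)."""
    parts = ctx.split(":", 3)
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError("not an SELinux context: %r" % ctx)
    level = parts[3] if len(parts) == 4 else ""
    # Single level assumed; a low-high range stays unexpanded in these two fields.
    sensitivity, _, cats = level.partition(":")
    return {
        "user": parts[0],
        "role": parts[1],
        "type": parts[2],
        "sensitivity": sensitivity,
        "categories": tuple(cats.split(",")) if cats else (),
    }


def parse_selinux_err(text):
    """Return the fields of one SELINUX_ERR record, tolerating line wrapping."""
    joined = " ".join(text.split())
    header = _HEADER.search(joined)
    if header is None:
        raise ValueError("no msg=audit(<epoch>:<serial>) header found")
    fields = dict(_FIELD.findall(_HEADER.sub("", joined, count=1)))
    if fields.get("type") != "SELINUX_ERR":
        raise ValueError("not a SELINUX_ERR record: type=%s" % fields.get("type"))
    for key in ("op", "seresult", "oldcontext", "newcontext"):
        if key not in fields:
            raise ValueError("record is missing %s=" % key)
    fields["epoch"], fields["serial"] = header.group(1), int(header.group(2))
    return fields


def context_changes(old, new):
    """Map each context component that differs to its (old, new) pair."""
    a, b = parse_context(old), parse_context(new)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


def summarize(text):
    """Condense one record to its identifiers, operation, result and context delta."""
    rec = parse_selinux_err(text)
    return {
        "epoch": rec["epoch"],
        "serial": rec["serial"],
        "op": rec["op"],
        "result": rec["seresult"],
        "changed": context_changes(rec["oldcontext"], rec["newcontext"]),
    }


if __name__ == "__main__":
    for key, value in summarize(RECORD).items():
        print("%-8s %s" % (key, value))
```

For this record only the type differs (sandbox_x_t to sandbox_x_client_t); user, role and the MCS categories are identical on both sides.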

* Re: sandbox -X not working with recent Xephyr
From: Petr Lautrbach @ 2016-09-19 18:02 UTC
  To: Stephen Smalley; +Cc: Laurent Bigonville, selinux

On Mon, Sep 19, 2016 at 10:39:45AM -0400, Stephen Smalley wrote:
> On 09/18/2016 02:39 PM, Laurent Bigonville wrote:
> > Hi,
> > 
> > It seems that sandbox -X is not working anymore on debian.
> > 
> > Xephyr (1.18.4) is giving me the following error:
> > 
> > _XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be
> > created.
> > 
> > The X socket is not created inside the sandbox and then the application
> > can obviously not connect to it.
> > 
> > I'm not sure how this could be fixed, maybe let's seunshare create that
> > directory?
> 
> I don't see this error on Fedora, which also has Xephyr 1.18.4, so maybe
> they have a fix?
> 
> That is using the Fedora policycoreutils-sandbox package, which yields a
> functioning sandbox -X, e.g. sandbox -X firefox works correctly.
> 
> However, if I install sandbox from upstream, e.g.
> 
> cd selinux
> sudo make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install install-pywrap relabel
> 
> then sandbox -X firefox fails immediately, and I have the following in
> the audit log:
> type=SELINUX_ERR msg=audit(1474295659.424:2189):
> op=security_bounded_transition seresult=denied
> oldcontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c658,c1002
> newcontext=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c658,c1002

It's most likely not related. Same error can be seen in stock Fedora.

> So I guess there are other patches in the Fedora package that are needed?

It's this patch
https://github.com/fedora-selinux/selinux/commit/2540625875ebdfe0ef48798437288e8a07aa853d

But the patch below works too:

--- a/policycoreutils/sandbox/sandboxX.sh
+++ b/policycoreutils/sandbox/sandboxX.sh
@@ -20,7 +20,7 @@ cat > ~/.config/openbox/rc.xml << EOF
 </openbox_config>
 EOF
 
-(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
+(/usr/bin/Xephyr -resizeable -title "$TITLE" -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
     export DISPLAY=:$D
     cat > ~/seremote << __EOF
 #!/bin/sh
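
Review bot: With -terminate removed from the Xephyr invocation in this hunk, nothing on the changed line makes the nested server exit when the last client disconnects, so a Xephyr process can outlive the sandboxed application. If the option has to go, the script should stop Xephyr explicitly once the session ends, or the commit message should say why a lingering server is acceptable. Separately, the line keeps 2>/dev/null, which hides Xephyr diagnostics such as the _XSERVTransmkdir error reported at the top of this thread; sending stderr to a log would make the next failure easier to diagnose.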



I'm not sure which one is correct.

Petr
-- 
Petr Lautrbach

* Re: sandbox -X not working with recent Xephyr
From: Stephen Smalley @ 2016-09-19 18:26 UTC
  To: Petr Lautrbach; +Cc: Laurent Bigonville, selinux

On 09/19/2016 02:02 PM, Petr Lautrbach wrote:
> On Mon, Sep 19, 2016 at 10:39:45AM -0400, Stephen Smalley wrote:
>> On 09/18/2016 02:39 PM, Laurent Bigonville wrote:
>>> Hi,
>>>
>>> It seems that sandbox -X is not working anymore on debian.
>>>
>>> Xephyr (1.18.4) is giving me the following error:
>>>
>>> _XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be
>>> created.
>>>
>>> The X socket is not created inside the sandbox and then the application
>>> can obviously not connect to it.
>>>
>>> I'm not sure how this could be fixed, maybe let's seunshare create that
>>> directory?
>>
>> I don't see this error on Fedora, which also has Xephyr 1.18.4, so maybe
>> they have a fix?
>>
>> That is using the Fedora policycoreutils-sandbox package, which yields a
>> functioning sandbox -X, e.g. sandbox -X firefox works correctly.
>>
>> However, if I install sandbox from upstream, e.g.
>>
>> cd selinux
>> sudo make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install install-pywrap relabel
>>
>> then sandbox -X firefox fails immediately, and I have the following in
>> the audit log:
>> type=SELINUX_ERR msg=audit(1474295659.424:2189):
>> op=security_bounded_transition seresult=denied
>> oldcontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c658,c1002
>> newcontext=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c658,c1002
> 
> It's most likely not related. Same error can be seen in stock Fedora.
> 
>> So I guess there are other patches in the Fedora package that are needed?
> 
> It's this patch
> https://github.com/fedora-selinux/selinux/commit/2540625875ebdfe0ef48798437288e8a07aa853d
> 
> But the patch bellow works too:
> 
> --- a/policycoreutils/sandbox/sandboxX.sh
> +++ b/policycoreutils/sandbox/sandboxX.sh
> @@ -20,7 +20,7 @@ cat > ~/.config/openbox/rc.xml << EOF
>  </openbox_config>
>  EOF
>  
> -(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
> +(/usr/bin/Xephyr -resizeable -title "$TITLE" -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
>      export DISPLAY=:$D
>      cat > ~/seremote << __EOF
>  #!/bin/sh
> 
> 
> 
> I'm not sure which one is correct.

I don't know either, but the one above does work and seems simpler, so
let's go with that one.

* Re: sandbox -X not working with recent Xephyr
From: Laurent Bigonville @ 2016-09-19 18:54 UTC
  To: Stephen Smalley, Petr Lautrbach; +Cc: selinux



On 19/09/16 at 20:26, Stephen Smalley wrote:
> On 09/19/2016 02:02 PM, Petr Lautrbach wrote:
>> On Mon, Sep 19, 2016 at 10:39:45AM -0400, Stephen Smalley wrote:
>>> On 09/18/2016 02:39 PM, Laurent Bigonville wrote:
>>>> Hi,
>>>>
>>>> It seems that sandbox -X is not working anymore on debian.
>>>>
>>>> Xephyr (1.18.4) is giving me the following error:
>>>>
>>>> _XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be
>>>> created.
>>>>
>>>> The X socket is not created inside the sandbox and then the application
>>>> can obviously not connect to it.
>>>>
>>>> I'm not sure how this could be fixed, maybe let's seunshare create that
>>>> directory?
>>> I don't see this error on Fedora, which also has Xephyr 1.18.4, so maybe
>>> they have a fix?
>>>
>>> That is using the Fedora policycoreutils-sandbox package, which yields a
>>> functioning sandbox -X, e.g. sandbox -X firefox works correctly.
>>>
>>> However, if I install sandbox from upstream, e.g.
>>>
>>> cd selinux
>>> sudo make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install install-pywrap relabel
>>>
>>> then sandbox -X firefox fails immediately, and I have the following in
>>> the audit log:
>>> type=SELINUX_ERR msg=audit(1474295659.424:2189):
>>> op=security_bounded_transition seresult=denied
>>> oldcontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c658,c1002
>>> newcontext=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c658,c1002
>> It's most likely not related. Same error can be seen in stock Fedora.
>>
>>> So I guess there are other patches in the Fedora package that are needed?
>> It's this patch
>> https://github.com/fedora-selinux/selinux/commit/2540625875ebdfe0ef48798437288e8a07aa853d
>>
>> But the patch bellow works too:
>>
>> --- a/policycoreutils/sandbox/sandboxX.sh
>> +++ b/policycoreutils/sandbox/sandboxX.sh
>> @@ -20,7 +20,7 @@ cat > ~/.config/openbox/rc.xml << EOF
>>   </openbox_config>
>>   EOF
>>   
>> -(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
>> +(/usr/bin/Xephyr -resizeable -title "$TITLE" -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
>>       export DISPLAY=:$D
>>       cat > ~/seremote << __EOF
>>   #!/bin/sh
>>
>>
>>
>> I'm not sure which one is correct.
> I don't know either, but the one above does work and seems simpler, so
> let's go with that one.
>
I don't really understand why it's working outside of the sandbox and 
why it was working before.

But indeed removing -terminate or adding -reset seems to fix it.

* Re: sandbox -X not working with recent Xephyr
From: Stephen Smalley @ 2016-09-20 12:49 UTC
  To: Petr Lautrbach; +Cc: Laurent Bigonville, selinux

On 09/19/2016 02:26 PM, Stephen Smalley wrote:
> On 09/19/2016 02:02 PM, Petr Lautrbach wrote:
>> On Mon, Sep 19, 2016 at 10:39:45AM -0400, Stephen Smalley wrote:
>>> On 09/18/2016 02:39 PM, Laurent Bigonville wrote:
>>>> Hi,
>>>>
>>>> It seems that sandbox -X is not working anymore on debian.
>>>>
>>>> Xephyr (1.18.4) is giving me the following error:
>>>>
>>>> _XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be
>>>> created.
>>>>
>>>> The X socket is not created inside the sandbox and then the application
>>>> can obviously not connect to it.
>>>>
>>>> I'm not sure how this could be fixed, maybe let's seunshare create that
>>>> directory?
>>>
>>> I don't see this error on Fedora, which also has Xephyr 1.18.4, so maybe
>>> they have a fix?
>>>
>>> That is using the Fedora policycoreutils-sandbox package, which yields a
>>> functioning sandbox -X, e.g. sandbox -X firefox works correctly.
>>>
>>> However, if I install sandbox from upstream, e.g.
>>>
>>> cd selinux
>>> sudo make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install install-pywrap relabel
>>>
>>> then sandbox -X firefox fails immediately, and I have the following in
>>> the audit log:
>>> type=SELINUX_ERR msg=audit(1474295659.424:2189):
>>> op=security_bounded_transition seresult=denied
>>> oldcontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c658,c1002
>>> newcontext=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c658,c1002
>>
>> It's most likely not related. Same error can be seen in stock Fedora.
>>
>>> So I guess there are other patches in the Fedora package that are needed?
>>
>> It's this patch
>> https://github.com/fedora-selinux/selinux/commit/2540625875ebdfe0ef48798437288e8a07aa853d
>>
>> But the patch bellow works too:
>>
>> --- a/policycoreutils/sandbox/sandboxX.sh
>> +++ b/policycoreutils/sandbox/sandboxX.sh
>> @@ -20,7 +20,7 @@ cat > ~/.config/openbox/rc.xml << EOF
>>  </openbox_config>
>>  EOF
>>  
>> -(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
>> +(/usr/bin/Xephyr -resizeable -title "$TITLE" -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
>>      export DISPLAY=:$D
>>      cat > ~/seremote << __EOF
>>  #!/bin/sh
>>
>>
>>
>> I'm not sure which one is correct.
> 
> I don't know either, but the one above does work and seems simpler, so
> let's go with that one.

So, if you could re-spin that with a proper subject and signed-off-by,
that would be great.

* Re: sandbox -X not working with recent Xephyr
From: Petr Lautrbach @ 2016-09-20 21:56 UTC
  To: Stephen Smalley; +Cc: Laurent Bigonville, selinux



On 09/20/2016 02:49 PM, Stephen Smalley wrote:
> On 09/19/2016 02:26 PM, Stephen Smalley wrote:
>> On 09/19/2016 02:02 PM, Petr Lautrbach wrote:
>>> On Mon, Sep 19, 2016 at 10:39:45AM -0400, Stephen Smalley wrote:
>>>> On 09/18/2016 02:39 PM, Laurent Bigonville wrote:
>>>>> Hi,
>>>>>
>>>>> It seems that sandbox -X is not working anymore on debian.
>>>>>
>>>>> Xephyr (1.18.4) is giving me the following error:
>>>>>
>>>>> _XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be
>>>>> created.
>>>>>
>>>>> The X socket is not created inside the sandbox and then the application
>>>>> can obviously not connect to it.
>>>>>
>>>>> I'm not sure how this could be fixed, maybe let's seunshare create that
>>>>> directory?
>>>>
>>>> I don't see this error on Fedora, which also has Xephyr 1.18.4, so maybe
>>>> they have a fix?
>>>>
>>>> That is using the Fedora policycoreutils-sandbox package, which yields a
>>>> functioning sandbox -X, e.g. sandbox -X firefox works correctly.
>>>>
>>>> However, if I install sandbox from upstream, e.g.
>>>>
>>>> cd selinux
>>>> sudo make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install install-pywrap relabel
>>>>
>>>> then sandbox -X firefox fails immediately, and I have the following in
>>>> the audit log:
>>>> type=SELINUX_ERR msg=audit(1474295659.424:2189):
>>>> op=security_bounded_transition seresult=denied
>>>> oldcontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c658,c1002
>>>> newcontext=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c658,c1002
>>>
>>> It's most likely not related. Same error can be seen in stock Fedora.
>>>
>>>> So I guess there are other patches in the Fedora package that are needed?
>>>
>>> It's this patch
>>> https://github.com/fedora-selinux/selinux/commit/2540625875ebdfe0ef48798437288e8a07aa853d
>>>
>>> But the patch bellow works too:
>>>
>>> --- a/policycoreutils/sandbox/sandboxX.sh
>>> +++ b/policycoreutils/sandbox/sandboxX.sh
>>> @@ -20,7 +20,7 @@ cat > ~/.config/openbox/rc.xml << EOF
>>>  </openbox_config>
>>>  EOF
>>>  
>>> -(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
>>> +(/usr/bin/Xephyr -resizeable -title "$TITLE" -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
>>>      export DISPLAY=:$D
>>>      cat > ~/seremote << __EOF
>>>  #!/bin/sh
>>>
>>>
>>>
>>> I'm not sure which one is correct.
>>
>> I don't know either, but the one above does work and seems simpler, so
>> let's go with that one.
> 
> So, if you could re-spin that with a proper subject and signed-off-by,
> that would be great.
> 
> 

I'll send the patch tomorrow.

In the meantime I try to find out what and why.

It's the xmodmap command at the beginning of ~/.sandboxrc which doesn't
work and probably resets the server which terminates itself then.

With the following hack I'm able to run Xephyr with -terminate and with
working xmodmap:

--- a/policycoreutils/sandbox/sandbox
+++ b/policycoreutils/sandbox/sandbox
@@ -282,8 +282,9 @@ class Sandbox:
                 command += "'%s' " % p
             fd.write("""#! /bin/sh
 #TITLE: %s
-/usr/bin/test -r ~/.xmodmap && /usr/bin/xmodmap ~/.xmodmap
 %s &
+sleep 1
+/usr/bin/test -r ~/.xmodmap && /usr/bin/xmodmap ~/.xmodmap
 WM_PID=$!
 dbus-launch --exit-with-session %s
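
Review bot: The sleep 1 added after "%s &" is a fixed delay rather than a readiness check, so the generated script still races with window manager startup on a slow or loaded machine and adds a second to every launch. The reordering also leaves WM_PID=$! two commands away from the background job it refers to; it still picks up the window manager only because test and xmodmap run in the foreground. Keep WM_PID=$! immediately after "%s &" and, if xmodmap has to run after the window manager, wait on an observable condition instead of sleeping.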


Petr
-- 
Petr Lautrbach



* [PATCH] sandbox: do not run xmodmap in a new X session
From: Petr Lautrbach @ 2016-09-21 15:39 UTC
  To: selinux

xmodmap causes Xephyr X server to reset itself when it's run before wm
and even right after wm. It causes termination of the server as we use
-terminate. The -terminate option seems to be important enough in order not
to leave the server running when the last client connection is closed.

This patch drops the execution of xmodmap from .sandboxrc until there's
a better solution.

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
 policycoreutils/sandbox/sandbox | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
index 726ba9b..4ed57c1 100644
--- a/policycoreutils/sandbox/sandbox
+++ b/policycoreutils/sandbox/sandbox
@@ -282,7 +282,7 @@ class Sandbox:
                 command += "'%s' " % p
             fd.write("""#! /bin/sh
 #TITLE: %s
-/usr/bin/test -r ~/.xmodmap && /usr/bin/xmodmap ~/.xmodmap
+# /usr/bin/test -r ~/.xmodmap && /usr/bin/xmodmap ~/.xmodmap
 %s &
 WM_PID=$!
 dbus-launch --exit-with-session %s
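
Review bot: The xmodmap line is commented out inside the generated script instead of being deleted, and nothing next to it says why, so every script written by this code carries a dead line and a user with a ~/.xmodmap silently loses the keymap. Either remove the line or precede it with a short comment naming the cause given in the commit message (xmodmap makes Xephyr reset, and -terminate then ends the server), so the "until there's a better solution" intent is visible in the source as well.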
-- 
1.8.3.1

* Re: [PATCH] sandbox: do not run xmodmap in a new X session
From: Petr Lautrbach @ 2016-09-21 16:00 UTC
  To: selinux

On 09/21/2016 05:39 PM, Petr Lautrbach wrote:
> xmodmap causes Xephyr X server to reset itself when it's run before wm
> and even right after wm. It causes termination of the server as we use
> -terminate. The -terminate option seems be important enough in order not
> to left running the server when the last client connection is closed.
> 
> This patch drops the execution of xmodmap from .sandboxrc until there's
> a better solution.
> 

Note that when I only removed -terminate from the Xephyr command line,
xmodmap didn't modify keymaps anyway.

And using the Fedora patch with "-terminate -reset" is the same as just
dropping "-terminate", as "-reset" overrides the "-terminate" option and
-reset is used by default.





> Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
> ---
>  policycoreutils/sandbox/sandbox | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
> index 726ba9b..4ed57c1 100644
> --- a/policycoreutils/sandbox/sandbox
> +++ b/policycoreutils/sandbox/sandbox
> @@ -282,7 +282,7 @@ class Sandbox:
>                  command += "'%s' " % p
>              fd.write("""#! /bin/sh
>  #TITLE: %s
> -/usr/bin/test -r ~/.xmodmap && /usr/bin/xmodmap ~/.xmodmap
> +# /usr/bin/test -r ~/.xmodmap && /usr/bin/xmodmap ~/.xmodmap
>  %s &
>  WM_PID=$!
>  dbus-launch --exit-with-session %s
> 

* Re: [PATCH] sandbox: do not run xmodmap in a new X session
From: Stephen Smalley @ 2016-09-21 16:35 UTC
  To: Petr Lautrbach, selinux

On 09/21/2016 12:00 PM, Petr Lautrbach wrote:
> On 09/21/2016 05:39 PM, Petr Lautrbach wrote:
>> xmodmap causes Xephyr X server to reset itself when it's run before wm
>> and even right after wm. It causes termination of the server as we use
>> -terminate. The -terminate option seems be important enough in order not
>> to left running the server when the last client connection is closed.
>>
>> This patch drops the execution of xmodmap from .sandboxrc until there's
>> a better solution.
>>
> 
> Note that when I only removed -terminate from Xephyr command line,
> xmodmap didn't modify keymaps anyway.
> 
> And using the Fedora patch with "-terminate -reset" is the same as just
> drop "-terminate" as "-reset" overrides "-terminate" option and -reset
> is used by default.

Thanks for investigating it further.  Applied.

> 
> 
> 
> 
> 
>> Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
>> ---
>>  policycoreutils/sandbox/sandbox | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
>> index 726ba9b..4ed57c1 100644
>> --- a/policycoreutils/sandbox/sandbox
>> +++ b/policycoreutils/sandbox/sandbox
>> @@ -282,7 +282,7 @@ class Sandbox:
>>                  command += "'%s' " % p
>>              fd.write("""#! /bin/sh
>>  #TITLE: %s
>> -/usr/bin/test -r ~/.xmodmap && /usr/bin/xmodmap ~/.xmodmap
>> +# /usr/bin/test -r ~/.xmodmap && /usr/bin/xmodmap ~/.xmodmap
>>  %s &
>>  WM_PID=$!
>>  dbus-launch --exit-with-session %s
>>
> 
