Bug 119204

Summary: ssh-agent and utempter want to write to $HOME/.xsession-errors, which is prohibited by policy
Product: [Fedora] Fedora
Reporter: Aleksey Nogin <aleksey>
Component: xinitrc
Assignee: X/OpenGL Maintenance List <xgl-maint>
Status: CLOSED CURRENTRELEASE
QA Contact: Ben Levenson <benl>
Severity: high
Priority: medium
Version: rawhide
CC: dwalsh, than, twaugh
Keywords: SELinux
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2004-10-22 14:35:22 UTC
Bug Depends On: 119503    

Description Aleksey Nogin 2004-03-26 11:28:53 UTC
If the session is _not_ Gnome, kdm's /usr/share/config/kdm/Xsession
redirects the stdout and stderr to $HOME/.xsession-errors, which has
the default type user_home_t (or staff_home_t). The current policy
(1.9-15) would not allow such a file to be written to by certain
programs. In particular,

- ssh-agent is unable to write to it, which causes it to start using
up all the CPU time

- utempter is unable to write to it, so it fails to list the user's
session in utmp.

I believe that the best solution would be to change
/usr/share/config/kdm/Xsession to use a file in /tmp, not
$HOME/.xsession-errors. Alternatively, the policy could be changed to
mark the $HOME/.xsession-errors specially. Finally, a possible
solution would be to grant utempter and ssh-agent write/append
permissions to arbitrary user files, but I am not sure this is a good
idea.

Comment 1 Daniel Walsh 2004-03-31 03:32:49 UTC
I am changing the policy for xdm to dontaudit on writes to the $1_home_t,
which should cause the xsession-errors file to be created on /tmp.

Dan

Comment 2 Aleksey Nogin 2004-03-31 03:42:29 UTC
Will the xauth stuff still work? Just making sure.

Comment 3 Daniel Walsh 2004-03-31 04:01:26 UTC
Well, that actually looks like a bug also. It seems xdm is not
transitioning to xauth_t, to allow it to write to the home dir. So I
am trying to fix that also. If the transition happens properly,
xauth_t can write to the home dir and xdm will fail, forcing it to
write to the /tmp dir.
I believe that is the way it should work.

Dan

Comment 4 Aleksey Nogin 2004-03-31 05:36:23 UTC
What about utempter? I am getting

audit(1080711300.469:0): avc:  denied  { getattr } for  pid=27008
exe=/usr/sbin/utempter path=/tmp/xses-aleksey.OU2533 dev=hda2
ino=343507 scontext=aleksey:staff_r:utempter_t
tcontext=aleksey:object_r:staff_tmp_t tclass=file

and I was getting similar write denied messages until I added an allow
for them.
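
An added example, not part of the original comments or of the Fedora policy: a small Python parser for AVC denial records like the one quoted in Comment 4. It groups denials by source type, target type and class and renders them as candidate policy rules for review. The second log line is constructed, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: the denial from Comment 4 joined onto one line,
# a made-up write denial of the kind that comment mentions, and a noise line.
SAMPLE_LOG = """\
audit(1080711300.469:0): avc:  denied  { getattr } for  pid=27008 exe=/usr/sbin/utempter path=/tmp/xses-aleksey.OU2533 dev=hda2 ino=343507 scontext=aleksey:staff_r:utempter_t tcontext=aleksey:object_r:staff_tmp_t tclass=file
audit(1080711300.470:0): avc:  denied  { write } for  pid=27008 exe=/usr/sbin/utempter path=/tmp/xses-aleksey.OU2533 dev=hda2 ino=343507 scontext=aleksey:staff_r:utempter_t tcontext=aleksey:object_r:staff_tmp_t tclass=file
Mar 31 05:35:00 host kernel: unrelated line
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    if not all(k in rec for k in ("scontext", "tcontext", "tclass")):
        return None  # truncated record: do not guess the missing parts
    # A security context is user:role:type (optionally :level); keep the type.
    src, tgt = rec["scontext"].split(":"), rec["tcontext"].split(":")
    if len(src) < 3 or len(tgt) < 3:
        return None
    rec.update(stype=src[2], ttype=tgt[2], perms=m.group("perms").split())
    return rec

def summarize(log_text, keyword="allow"):
    """Merge denials per (source type, target type, class) into rule lines.

    keyword is "allow" or "dontaudit"; the output is a starting point for
    policy review, not something to load unread.
    """
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            grouped[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return [f"{keyword} {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grouped.items())]

if __name__ == "__main__":
    for rule in summarize(SAMPLE_LOG):
        print(rule)
```
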

Comment 5 Than Ngo 2004-04-01 12:00:31 UTC
kdebase just uses the Xsession file in xinitrc. I assign it to the correct
component.

Comment 6 Aleksey Nogin 2004-04-01 12:29:12 UTC
*** Bug 119506 has been marked as a duplicate of this bug. ***

Comment 7 Tim Waugh 2004-04-21 13:13:01 UTC
It would be nice if this could go in the release notes (the fact that
your .xsession-errors is now in /tmp).

Comment 8 Mike A. Harris 2004-10-05 11:39:57 UTC
Please try Fedora Core 3 test 2 or later, as this problem may
be fixed now.  If the problem persists, please update the status.

Thanks in advance.