Bug 121793

Summary: xauth causes avc denied errors
Product: [Fedora] Fedora
Reporter: Thomas Molina <tmolina>
Component: policy
Assignee: Russell Coker <rcoker>
Status: CLOSED NOTABUG
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: medium
Version: rawhide
CC: pgraner
Target Milestone: ---
Target Release: ---
Hardware: i386
OS: Linux
Last Closed: 2004-10-17 01:35:16 UTC

Description Thomas Molina 2004-04-27 21:05:31 UTC

Description of problem:
Any activity requiring use of xauth on my system causes an avc denied
error.

Version-Release number of selected component (if applicable):
policy-1.11.2-18

How reproducible:
Always

Steps to Reproduce:
1. use any program requiring xauth

Actual Results:
Apr 27 16:50:21 dad kernel: audit(1083099021.090:0):
avc:  denied  { write } for  pid=8275 exe=/usr/X11R6/bin/xauth
name=tmolina dev=hdd1 ino=15651 scontext=user_u:user_r:userhelper_t
tcontext=system_u:object_r:user_home_dir_t tclass=dir
Apr 27 16:50:21 dad kernel: audit(1083099021.090:0): avc:  denied  {
add_name } for  pid=8275 exe=/usr/X11R6/bin/xauth name=.Xauthority-c
scontext=user_u:user_r:userhelper_t
tcontext=system_u:object_r:user_home_dir_t tclass=dir
Apr 27 16:50:21 dad kernel: audit(1083099021.090:0): avc:  denied  {
create } for  pid=8275 exe=/usr/X11R6/bin/xauth name=.Xauthority-c
scontext=user_u:user_r:userhelper_t
tcontext=user_u:object_r:user_home_dir_t tclass=file
Apr 27 16:50:21 dad kernel: audit(1083099021.091:0): avc:  denied  {
link } for  pid=8275 exe=/usr/X11R6/bin/xauth name=.Xauthority-c
dev=hdd1 ino=15899 scontext=user_u:user_r:userhelper_t
tcontext=user_u:object_r:user_home_dir_t tclass=file
Apr 27 16:50:21 dad kernel: audit(1083099021.091:0): avc:  denied  {
write } for  pid=8275 exe=/usr/X11R6/bin/xauth name=.Xauthority
dev=hdd1 ino=15772 scontext=user_u:user_r:userhelper_t
tcontext=system_u:object_r:user_home_xauth_t tclass=file
Apr 27 16:50:21 dad kernel: audit(1083099021.092:0): avc:  denied  {
read } for  pid=8275 exe=/usr/X11R6/bin/xauth name=.Xauthority
dev=hdd1 ino=15772 scontext=user_u:user_r:userhelper_t
tcontext=system_u:object_r:user_home_xauth_t tclass=file
Apr 27 16:50:21 dad kernel: audit(1083099021.092:0): avc:  denied  {
getattr } for  pid=8275 exe=/usr/X11R6/bin/xauth
path=/home/tmolina/.Xauthority dev=hdd1 ino=15772
scontext=user_u:user_r:userhelper_t
tcontext=system_u:object_r:user_home_xauth_t tclass=file
Apr 27 16:50:21 dad kernel: audit(1083099021.093:0): avc:  denied  {
remove_name } for  pid=8275 exe=/usr/X11R6/bin/xauth
name=.Xauthority-c dev=hdd1 ino=15899
scontext=user_u:user_r:userhelper_t
tcontext=system_u:object_r:user_home_dir_t tclass=dir
Apr 27 16:50:21 dad kernel: audit(1083099021.093:0): avc:  denied  {
unlink } for  pid=8275 exe=/usr/X11R6/bin/xauth name=.Xauthority-c
dev=hdd1 ino=15899 scontext=user_u:user_r:userhelper_t
tcontext=user_u:object_r:user_home_dir_t tclass=file
Apr 27 16:50:21 dad kernel: audit(1083099021.094:0): avc:  denied  {
write } for  pid=8274 exe=/usr/sbin/userhelper name=root dev=hda1
ino=507905 scontext=user_u:user_r:userhelper_t
tcontext=root:object_r:staff_home_dir_t tclass=dir
Apr 27 16:50:21 dad kernel: audit(1083099021.094:0): avc:  denied  {
add_name } for  pid=8274 exe=/usr/sbin/userhelper name=.xauthZWroqx
scontext=user_u:user_r:userhelper_t
tcontext=root:object_r:staff_home_dir_t tclass=dir
Apr 27 16:50:21 dad kernel: audit(1083099021.095:0): avc:  denied  {
create } for  pid=8274 exe=/usr/sbin/userhelper name=.xauthZWroqx
scontext=user_u:user_r:userhelper_t
tcontext=user_u:object_r:staff_home_dir_t tclass=file
Apr 27 16:50:21 dad kernel: audit(1083099021.095:0): avc:  denied  {
setattr } for  pid=8274 exe=/usr/sbin/userhelper name=.xauthZWroqx
dev=hda1 ino=508148 scontext=user_u:user_r:userhelper_t
tcontext=user_u:object_r:staff_home_dir_t tclass=file
Apr 27 16:50:21 dad kernel: audit(1083099021.100:0): avc:  denied  {
link } for  pid=8276 exe=/usr/X11R6/bin/xauth name=.xauthZWroqx-c
dev=hda1 ino=508162 scontext=user_u:user_r:userhelper_t
tcontext=user_u:object_r:staff_home_dir_t tclass=file
Apr 27 16:50:21 dad kernel: audit(1083099021.101:0): avc:  denied  {
write } for  pid=8276 exe=/usr/X11R6/bin/xauth name=.xauthZWroqx
dev=hda1 ino=508148 scontext=user_u:user_r:userhelper_t
tcontext=user_u:object_r:staff_home_dir_t tclass=file
Apr 27 16:50:21 dad kernel: audit(1083099021.102:0): avc:  denied  {
read } for  pid=8276 exe=/usr/X11R6/bin/xauth name=.xauthZWroqx
dev=hda1 ino=508148 scontext=user_u:user_r:userhelper_t
tcontext=user_u:object_r:staff_home_dir_t tclass=file
Apr 27 16:50:21 dad kernel: audit(1083099021.102:0): avc:  denied  {
getattr } for  pid=8276 exe=/usr/X11R6/bin/xauth
path=/root/.xauthZWroqx dev=hda1 ino=508148
scontext=user_u:user_r:userhelper_t
tcontext=user_u:object_r:staff_home_dir_t tclass=file
Apr 27 16:50:21 dad kernel: audit(1083099021.102:0): avc:  denied  {
remove_name } for  pid=8276 exe=/usr/X11R6/bin/xauth name=.xauthZWroqx
dev=hda1 ino=508148 scontext=user_u:user_r:userhelper_t
tcontext=root:object_r:staff_home_dir_t tclass=dir
Apr 27 16:50:21 dad kernel: audit(1083099021.103:0): avc:  denied  {
unlink } for  pid=8276 exe=/usr/X11R6/bin/xauth name=.xauthZWroqx
dev=hda1 ino=508148 scontext=user_u:user_r:userhelper_t
tcontext=user_u:object_r:staff_home_dir_t tclass=file


Additional info:  This is similar to bug 120108 which says the bug was
closed in rawhide, but I am still getting it.

Comment 1 Daniel Walsh 2004-04-28 20:29:42 UTC
Converted userhelper policy to a macro so this will work.

Fixed in policy-1.11.2-21

Dan

Comment 2 Thomas Molina 2004-04-29 09:52:40 UTC
Apparently it hasn't made it into Rawhide yet.  I will try it when it
is available for update.

Comment 3 Thomas Molina 2004-05-13 23:30:48 UTC
I am up to date with Fedora Core 2 Test 3.  Policy is now
policy-1.11.3-3.  I still get these messages:

May 13 19:14:55 dad kernel: audit(1084490095.198:0): avc:  denied  {
execute_no_trans } for  pid=12981 exe=/usr/sbin/userhelper
path=/usr/X11R6/bin/xauth dev=hda1 ino=393468
scontext=user_u:user_r:user_userhelper_t
tcontext=system_u:object_r:xauth_exec_t tclass=file
May 13 19:14:55 dad kernel: audit(1084490095.236:0): avc:  denied  {
write } for  pid=12981 exe=/usr/X11R6/bin/xauth name=tmolina dev=hdd1
ino=15651 scontext=user_u:user_r:user_userhelper_t
tcontext=system_u:object_r:user_home_dir_t tclass=dir
May 13 19:14:55 dad kernel: audit(1084490095.237:0): avc:  denied  {
add_name } for  pid=12981 exe=/usr/X11R6/bin/xauth name=.Xauthority-c
scontext=user_u:user_r:user_userhelper_t
tcontext=system_u:object_r:user_home_dir_t tclass=dir
May 13 19:14:55 dad kernel: audit(1084490095.237:0): avc:  denied  {
create } for  pid=12981 exe=/usr/X11R6/bin/xauth name=.Xauthority-c
scontext=user_u:user_r:user_userhelper_t
tcontext=user_u:object_r:user_home_dir_t tclass=file
May 13 19:14:55 dad kernel: audit(1084490095.237:0): avc:  denied  {
link } for  pid=12981 exe=/usr/X11R6/bin/xauth name=.Xauthority-c
dev=hdd1 ino=17277 scontext=user_u:user_r:user_userhelper_t
tcontext=user_u:object_r:user_home_dir_t tclass=file
May 13 19:14:55 dad kernel: audit(1084490095.238:0): avc:  denied  {
write } for  pid=12981 exe=/usr/X11R6/bin/xauth name=.Xauthority
dev=hdd1 ino=16667 scontext=user_u:user_r:user_userhelper_t
tcontext=system_u:object_r:user_home_xauth_t tclass=file
May 13 19:14:55 dad kernel: audit(1084490095.238:0): avc:  denied  {
remove_name } for  pid=12981 exe=/usr/X11R6/bin/xauth
name=.Xauthority-c dev=hdd1 ino=17277
scontext=user_u:user_r:user_userhelper_t
tcontext=system_u:object_r:user_home_dir_t tclass=dir
May 13 19:14:55 dad kernel: audit(1084490095.238:0): avc:  denied  {
unlink } for  pid=12981 exe=/usr/X11R6/bin/xauth name=.Xauthority-c
dev=hdd1 ino=17277 scontext=user_u:user_r:user_userhelper_t
tcontext=user_u:object_r:user_home_dir_t tclass=file


Comment 4 Thomas Molina 2004-10-17 01:35:16 UTC
Please close this bug.  It is no longer reproducible under current
Fedora Core.
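
An added example, not part of the original report or of the Fedora policy package: a small Python parser that un-wraps AVC denial records like the ones pasted in this bug and groups them by (source type, target type, object class), which makes the change of source domain from userhelper_t to user_userhelper_t between the description and comment 3 easy to see. The sample input is adapted from the log lines above, with one pair of records left run together to show the parser tolerating paste damage; the function names are this example's own.

```python
import re
from collections import defaultdict

# Sample adapted from the wrapped syslog text in this report. One pair of
# records is left fused ("tclass=fileMay 13") to exercise the parser.
SAMPLE = """\
Apr 27 16:50:21 dad kernel: audit(1083099021.090:0):
avc:  denied  { write } for  pid=8275 exe=/usr/X11R6/bin/xauth
name=tmolina dev=hdd1 ino=15651 scontext=user_u:user_r:userhelper_t
tcontext=system_u:object_r:user_home_dir_t tclass=dir
May 13 19:14:55 dad kernel: audit(1084490095.237:0): avc:  denied  {
add_name } for  pid=12981 exe=/usr/X11R6/bin/xauth name=.Xauthority-c
scontext=user_u:user_r:user_userhelper_t
tcontext=system_u:object_r:user_home_dir_t tclass=dir
May 13 19:14:55 dad kernel: audit(1084490095.238:0): avc:  denied  {
write } for  pid=12981 exe=/usr/X11R6/bin/xauth name=.Xauthority
dev=hdd1 ino=16667 scontext=user_u:user_r:user_userhelper_t
tcontext=system_u:object_r:user_home_xauth_t tclass=fileMay 13
19:14:55 dad kernel: audit(1084490095.238:0): avc:  denied  {
remove_name } for  pid=12981 exe=/usr/X11R6/bin/xauth
name=.Xauthority-c dev=hdd1 ino=17277
scontext=user_u:user_r:user_userhelper_t
tcontext=system_u:object_r:user_home_dir_t tclass=dir
"""

AVC = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*?)"
                 r"tclass=([a-z0-9_]+)")  # lowercase class: stops before "May"

def parse_avc(text):
    """Yield one dict per denial; tolerates hard-wrapped and fused records."""
    flat = " ".join(text.split())  # undo the 72-column wrapping
    for perms, body, tclass in AVC.findall(flat):
        kv = dict(t.split("=", 1) for t in body.split() if "=" in t)
        if "scontext" not in kv or "tcontext" not in kv:
            continue  # truncated record: skip rather than guess
        yield {"perms": perms.split(), "exe": kv.get("exe"), "tclass": tclass,
               "source": kv["scontext"].split(":")[2],   # user:role:TYPE
               "target": kv["tcontext"].split(":")[2]}

def summarize(text):
    """Map (source type, target type, class) -> sorted denied permissions."""
    acc = defaultdict(set)
    for d in parse_avc(text):
        acc[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    return {key: sorted(perms) for key, perms in acc.items()}

if __name__ == "__main__":
    for (src, tgt, cls), perms in summarize(SAMPLE).items():
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(perms)} }}")
```
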