Bug 417721

Summary: Slew of selinux errors generated by freenx
Product: [Fedora] Fedora
Reporter: Need Real Name <bugzilla>
Component: selinux-policy-targeted
Assignee: Radek Vokál <rvokal>
Status: CLOSED CURRENTRELEASE
QA Contact: Ben Levenson <benl>
Severity: low
Priority: low
Version: 8
CC: axel.thimm
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-11-17 22:02:44 UTC

Description Need Real Name 2007-12-10 06:59:07 UTC
Description of problem:
Running freenx generates a slew of selinux errors; many of them seem to be
related to the temporary directories that freenx creates to store session
information in /home/<user>/.nx/C-<hostname>-<display>-<hex identifier>.
The others seem to be related to sshd permissions issues.

Here are a sampling of those errors:

type=AVC msg=audit(1197264856.629:4512): avc:  denied  { append } for  pid=18454 comm="pam_timestamp_c" path="/home/myname/.nx/C-mymachine.mydomain-2001-7A1C7F0998BC2108FE07A4A47CB0C9B8/session" dev=sda7 ino=228095 scontext=system_u:system_r:pam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1197264856.700:4513): avc:  denied  { getattr } for  pid=18454 comm="pam_timestamp_c" path="/home/myname/.nx/C-mymachine.mydomain-2001-7A1C7F0998BC2108FE07A4A47CB0C9B8/session" dev=sda7 ino=228095 scontext=system_u:system_r:pam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1197264856.721:4514): avc:  denied  { ioctl } for  pid=18454 comm="pam_timestamp_c" path="/home/myname/.nx/C-mymachine.mydomain-2001-7A1C7F0998BC2108FE07A4A47CB0C9B8/session" dev=sda7 ino=228095 scontext=system_u:system_r:pam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file

type=AVC msg=audit(1197265599.554:4597): avc:  denied  { execute } for  pid=20066 comm="sshd" name="nxserver" dev=sda7 ino=1684433 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1197265599.554:4597): avc:  denied  { read } for  pid=20066 comm="sshd" name="nxserver" dev=sda7 ino=1684433 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file

Comment 1 Daniel Walsh 2007-12-10 23:26:19 UTC
Since I have no clue how to set this up, could you tell me how you configured
it, and how you tested it?

Comment 2 Need Real Name 2007-12-11 05:57:53 UTC
You can generate the errors as follows. Set up an NX client on another machine
(I use NoMachines 'free' nx client for Windows) and use it to log in to the
freenx server running on a Fedora8 host. Note that to get this to work you will
need to set up a bunch of different ssh keys. (If you need additional help in
setting this up, I can walk you through it.)

In case you are not familiar with how it all works, the key to remember is that
first the (remote) client sets up an ssh connection from the client machine to
user 'nx' on the (local) nx server. Then user nx sets up a second local ssh
connection from user nx on the nx server machine to the target user on the nx
server machine.

The first pair of selinux error messages (comm=sshd, name="nxserver" execute &
read) occur during the first ssh connection from the remote client to user nx on
the nx server machine. /usr/libexec/nx/nxserver is actually user nx's default
shell (as specified in /etc/passwd). This selinux error can be prevented by
changing the selinux context of /etc/libexec/nx/nxserver from
system_u:object_r:bin_t to system_u:object_r:shell_exec_t, presumably in keeping
with nxserver acting as a pseudo shell.

However, I'm not sure if that is the right fix or whether a change should be
made to the selinux policy file. Perhaps that is something you and Axel (the
maintainer of freenx) should discuss.

The other 3 selinux messages (comm="pam_timestamp"
path="/home/myname/.nx/C-mymachine.mydomain-2001-<hex string>/session" append,
getattr & ioctl) occur after the second ssh connection is made and partway
through the gnome session login. When selinux is enforcing (and these actions
are blocked) the only effect I really notice is that some of the gnome panel
applet icons are missing. Note that the file
/home/myname/.nx/C-mymachine.mydomain-2001-<hex string>/session is a log file
recording communication to the nxserver, including some gnome panel and applet
messages.

Let me know if you need more info....

Comment 3 Josef Kubin 2007-12-11 20:00:21 UTC
Hi, I was sick, and now I'm back.
I have reproduced it successfully, but I don't have a clue how to write a correct
new rule for selinux-policy which really works ...
I'll have to discuss it with Dan.
Thank you for your patience.

Comment 4 Josef Kubin 2007-12-13 07:38:27 UTC
SELinux world is constantly under development, therefore I was a little bit
confused.
Latest packages fixing your problem:
http://people.redhat.com/jkubin/selinux/
Comment 5 Need Real Name 2007-12-13 14:38:26 UTC
THANKS - Looking forward to playing with them

Comment 6 Need Real Name 2007-12-18 16:24:39 UTC
Any idea when these will make it into the next selinux policy updates rpm?

Comment 7 Need Real Name 2007-12-31 16:15:23 UTC
I am using selinux-policy-3.0.8-72.fc8 (vs 3.0.8-69 referenced in the above
link) and *some* of the error messages still persist.

Specifically the "ioctl" and "getattr" errors have gone away.

However, I still get the "append" error:
type=AVC msg=audit(1197264856.629:4512): avc:  denied  { append } for  pid=18454 comm="pam_timestamp_c" path="/home/myname/.nx/C-mymachine.mydomain-2001-7A1C7F0998BC2108FE07A4A47CB0C9B8/session" dev=sda7 ino=228095 scontext=system_u:system_r:pam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file

and I also still get the two nxserver errors ("execute", "read"):
type=AVC msg=audit(1197265599.554:4597): avc:  denied  { execute } for  pid=20066 comm="sshd" name="nxserver" dev=sda7 ino=1684433 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1197265599.554:4597): avc:  denied  { read } for  pid=20066 comm="sshd" name="nxserver" dev=sda7 ino=1684433 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file

Comment 8 Josef Kubin 2008-01-08 02:00:15 UTC
Yeah, old packages had some issues ... therefore I didn't commit them for
update. Now the problem is fixed - no conflict with SELinux.
http://people.redhat.com/jkubin/selinux/

Comment 9 Need Real Name 2008-01-15 18:38:40 UTC
I'm still getting the following selinux errors with freenx:

denied  { execute } for  pid=3867 comm="sshd" name="nxserver" dev=sda7
ino=1146195 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:bin_t:s0 tclass=file

denied  { read } for  pid=3867 comm="sshd" name="nxserver" dev=sda7 ino=1146195
scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:bin_t:s0 tclass=file

denied  { append } for  pid=4965 comm="pam_timestamp_c"
path="/home/myname/.nx/C-mymachine.domain-2001-6B56685DCDB34243AEF3C0ACD57F3F22/session"
dev=sda7 ino=50960 scontext=unconfined_u:system_r:pam_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:unconfined_home_t:s0 tclass=file

Am I doing something wrong, since I still seem to be getting basically the same
errors? Note I am using:
selinux-policy-targeted-3.0.8-74.fc8.noarch.rpm
nx-2.1.0-22.fc7.i386.rpm
freenx-0.7.1-3.fc8

Comment 10 Josef Kubin 2008-01-15 19:16:44 UTC
fixed in selinux-policy-3.0.8-77

Comment 11 Need Real Name 2008-02-07 22:05:44 UTC
I have selinux-policy-3.0.8-81.fc8.noarch.rpm and I am still getting the
following nxserver errors:

denied  { execute } for  pid=29690 comm="sshd" name="nxserver" dev=sda7
ino=1146195 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:bin_t:s0 tclass=file

denied  { read } for  pid=29690 comm="sshd" name="nxserver" dev=sda7 ino=1146195
scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:bin_t:s0 tclass=file

Comment 12 Josef Kubin 2008-02-21 12:52:38 UTC
*Sigh*, Dan forgot to merge my patch for freenx ...
I'll ask him to do it.
Please use my packages until he really merges it.

http://people.redhat.com/jkubin/selinux/F8/

# rpm -U --replacepkgs selinux-policy-*

or

# grep '\(pam_timestamp_c\|nxserver\)' /var/log/audit/audit.log | audit2allow -M fix4nx
# semodule -i fix4nx.pp
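The grep | audit2allow | semodule pipeline above turns every matching denial into an allow rule without anyone reading it. Added here as an illustration (not code from this bug, from freenx or from the selinux-policy package): a small Python script that does the first stage of that work by hand, parsing AVC records into fields, grouping them by source type, target type and object class the way audit2allow does before it emits `allow` statements, and flagging rules whose target type (user_home_t, bin_t) is far wider than the one session log or one binary the denial was actually about. The sample input is constructed from the records quoted in this report, unwrapped onto one line each, plus one non-AVC record to show it is skipped; the BROAD_TARGETS set and the regex-based line filter that stands in for the grep are assumptions of this example, not part of any SELinux tool.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records quoted in this bug report, one per line,
# plus one non-AVC record (USER_AUTH) to show that other types are ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1197264856.629:4512): avc:  denied  { append } for  pid=18454 comm="pam_timestamp_c" path="/home/myname/.nx/C-mymachine.mydomain-2001-7A1C7F0998BC2108FE07A4A47CB0C9B8/session" dev=sda7 ino=228095 scontext=system_u:system_r:pam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1197264856.700:4513): avc:  denied  { getattr } for  pid=18454 comm="pam_timestamp_c" path="/home/myname/.nx/C-mymachine.mydomain-2001-7A1C7F0998BC2108FE07A4A47CB0C9B8/session" dev=sda7 ino=228095 scontext=system_u:system_r:pam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1197264856.721:4514): avc:  denied  { ioctl } for  pid=18454 comm="pam_timestamp_c" path="/home/myname/.nx/C-mymachine.mydomain-2001-7A1C7F0998BC2108FE07A4A47CB0C9B8/session" dev=sda7 ino=228095 scontext=system_u:system_r:pam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1197265599.554:4597): avc:  denied  { execute } for  pid=20066 comm="sshd" name="nxserver" dev=sda7 ino=1684433 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1197265599.554:4597): avc:  denied  { read } for  pid=20066 comm="sshd" name="nxserver" dev=sda7 ino=1684433 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=USER_AUTH msg=audit(1197265599.600:4598): user pid=20066 uid=0 auid=500 msg='op=PAM:authentication acct="nx" exe="/usr/sbin/sshd" res=success'
"""

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(r'^type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Target types that cover whole classes of objects, not just the file in the
# denial; an allow rule against them deserves a second look (assumed list).
BROAD_TARGETS = {'user_home_t', 'unconfined_home_t', 'bin_t'}


def parse_avc(line):
    """Parse one AVC denial record into a dict; return None for other record types."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type[:range]; policy rules are written on the type.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def summarize(log_text, line_filter=None):
    """Group denials by (source type, target type, class) -> sorted permissions.

    line_filter is an optional regex applied to the raw line, playing the role
    of the grep in the pipeline quoted in the report.
    """
    groups = defaultdict(set)
    for line in log_text.splitlines():
        if line_filter and not re.search(line_filter, line):
            continue
        rec = parse_avc(line)
        if rec is None:
            continue
        groups[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    return {key: sorted(perms) for key, perms in groups.items()}


def allow_rules(summary):
    """Render the grouped denials as Type Enforcement allow statements."""
    return ['allow %s %s:%s { %s };' % (s, t, c, ' '.join(p))
            for (s, t, c), p in sorted(summary.items())]


def flag_broad(summary):
    """Return the (source, target, class) keys whose target type is broad."""
    return [key for key in sorted(summary) if key[1] in BROAD_TARGETS]


if __name__ == '__main__':
    summary = summarize(SAMPLE_AUDIT_LOG, r'pam_timestamp_c|nxserver')
    for rule in allow_rules(summary):
        print(rule)
    for key in flag_broad(summary):
        print('review: target type %s grants access to far more than one file' % key[1])
```

Run against the sample it produces `allow pam_t user_home_t:file { append getattr ioctl };` and `allow sshd_t bin_t:file { execute read };`, and flags both. The second rule is exactly the kind of grant comment 2 avoids by relabeling nxserver as shell_exec_t instead: one file gets a fitting type, rather than sshd_t gaining execute on every bin_t file.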

Comment 13 Tony Fu 2008-10-06 01:28:00 UTC
User jkubin's account has been closed

Comment 14 Daniel Walsh 2008-11-17 22:02:44 UTC
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.