Bug 475866
Summary: | (staff_u) SELinux is preventing xauth (xauth_t) "read write" staff_ssh_t. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Matěj Cepl <mcepl> |
Component: | openssh | Assignee: | Tomas Mraz <tmraz> |
Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | low | ||
Version: | 10 | CC: | dwalsh, mcepl, mgrepl, tmraz, xgl-maint |
Target Milestone: | --- | Keywords: | SELinux |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Fixed In Version: | openssh-5.1p1-4.fc11 | Doc Type: | Bug Fix |
Last Closed: | 2009-02-12 15:39:26 UTC | Type: | --- |
Description
Matěj Cepl
2008-12-10 20:54:35 UTC
This looks like sshd is leaking the file descriptor to the tcp socket? This socket should not be available to tools execed by ssh, I believe. fcntl(fd, F_SETFD, FD_CLOEXEC)

We already set FD_CLOEXEC on the tcp socket on client. So I am really curious what the tcp socket which is passed to xauth is. I need a 'lsof -c ssh -Z' output generated at the time when you get the AVC.

Tomáš, didn't we resolve on IRC, that it is vncviewer -via <name> localhost:3 problem?

Yep, the channel sockets have to be FD_CLOEXECed too. The current rawhide already contains the fix.
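The descriptor leak discussed in this bug can be reproduced in isolation. The following is an added example, not code from openssh or from this report: it creates a TCP socket, execs a child program, and checks whether the socket is still open in that program with and without FD_CLOEXEC. The helper names (set_cloexec, fd_survives_exec, socket_leaks) are hypothetical, and it assumes Linux with /proc mounted and /bin/sh present.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Set close-on-exec while preserving the other descriptor flags. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags == -1 ? -1 : fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Exec /bin/sh and let it report whether fd is open in the new program.
 * Returns 1 if fd leaked across exec, 0 if it did not, -1 on error.
 * Assumption: Linux with /proc mounted. */
int fd_survives_exec(int fd)
{
    char cmd[64];
    int status;
    pid_t pid;

    snprintf(cmd, sizeof(cmd), "[ -e /proc/self/fd/%d ]", fd);
    if ((pid = fork()) == -1)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                     /* exec itself failed */
    }
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : WEXITSTATUS(status) == 1 ? 0 : -1;
}

/* Constructed sample: an unconnected TCP socket, optionally marked
 * close-on-exec, then tested across an exec. */
int socket_leaks(int use_cloexec)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0), leaked = -1;
    if (fd == -1)
        return -1;
    if (!use_cloexec || set_cloexec(fd) == 0)
        leaked = fd_survives_exec(fd);
    close(fd);
    return leaked;
}

int main(void)
{
    printf("plain socket open after exec:   %d\n", socket_leaks(0));
    printf("cloexec socket open after exec: %d\n", socket_leaks(1));
    return 0;
}
```

On Linux, passing SOCK_CLOEXEC to socket() (or using accept4()) sets the flag atomically at creation, which avoids the window between creating the descriptor and the fcntl call in multithreaded programs.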