Bug 475866

Summary: (staff_u) SELinux is preventing xauth (xauth_t) "read write" staff_ssh_t.
Product: [Fedora] Fedora Reporter: Matěj Cepl <mcepl>
Component: opensshAssignee: Tomas Mraz <tmraz>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 10CC: dwalsh, mcepl, mgrepl, tmraz, xgl-maint
Target Milestone: ---Keywords: SELinux
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: openssh-5.1p1-4.fc11 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-02-12 15:39:26 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Matěj Cepl 2008-12-10 20:54:35 UTC 
I get this anytime I run ssh -Y from the computer with staff_u enabled. I don't think that ssh -Y is something so horrible to be avoided, right?

---------------------
SELinux is preventing xauth (xauth_t) "read write" staff_ssh_t.

Podrobný popis:

SELinux denied access requested by xauth. It is not expected that this access is
required by xauth and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Povolení přístupu:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Další informace:

Kontext zdroje                staff_u:staff_r:xauth_t:SystemLow-SystemHigh
Kontext cíle                 staff_u:staff_r:staff_ssh_t:SystemLow-SystemHigh
Objekty cíle                 socket [ tcp_socket ]
Zdroj                         xauth
Cesta zdroje                  /usr/bin/xauth
Port                          <Neznámé>
Počítač                    viklef
RPM balíčky zdroje          xorg-x11-xauth-1.0.2-5.fc10
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.5.13-30.fc10
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Enforcing
Název zásuvného modulu     catchall
Název počítače            viklef
Platforma                     Linux viklef 2.6.27.7-134.fc10.i686 #1 SMP Mon Dec
                              1 22:42:50 EST 2008 i686 i686
Počet upozornění           3
Poprvé viděno               St 10. prosinec 2008, 12:18:53 CET
Naposledy viděno             St 10. prosinec 2008, 14:34:42 CET
Místní ID                   3557195a-07f8-4975-8688-6767dc96c1c1
Čísla řádků              

Původní zprávy auditu      

node=viklef type=AVC msg=audit(1228916082.717:13514): avc:  denied  { read write } for  pid=8102 comm="xauth" path="socket:[5989399]" dev=sockfs ino=5989399 scontext=staff_u:staff_r:xauth_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_ssh_t:s0-s0:c0.c1023 tclass=tcp_socket

node=viklef type=AVC msg=audit(1228916082.717:13514): avc:  denied  { read write } for  pid=8102 comm="xauth" path="socket:[5989400]" dev=sockfs ino=5989400 scontext=staff_u:staff_r:xauth_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_ssh_t:s0-s0:c0.c1023 tclass=tcp_socket

node=viklef type=SYSCALL msg=audit(1228916082.717:13514): arch=40000003 syscall=11 success=yes exit=0 a0=9563888 a1=9562e40 a2=9562088 a3=0 items=0 ppid=8101 pid=8102 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="xauth" exe="/usr/bin/xauth" subj=staff_u:staff_r:xauth_t:s0-s0:c0.c1023 key=(null)
Comment 1 Daniel Walsh 2008-12-11 13:50:21 UTC 
This looks like sshd is leaking the file descriptor to the tcp socket?  This socket should not be availble to tools execed by ssh, I believe.

fcntl(fd, F_SETFD, FD_CLOEXEC)
Comment 2 Tomas Mraz 2008-12-11 20:40:47 UTC 
We already set FD_CLOEXEC on the tcp socket on client. So I am really curious what the tcp socket which is passed to xauth is. I need a 'lsof -c ssh -Z' output generated at the time when you get the AVC.
Comment 3 Matěj Cepl 2008-12-16 14:02:51 UTC 
Tomáš, didn't we resolve on IRC, that it is

vncviewer -via <name> localhost:3

problem?
Comment 4 Tomas Mraz 2008-12-16 14:52:27 UTC 
Yep, the channel sockets have to be FD_CLOEXECed too. The current rawhide already contains the fix.