Bug 476554

Summary: (staff_u) SELinux is preventing the ssh from using potentially mislabeled files (X0).
Product: Fedora
Reporter: Matěj Cepl <mcepl>
Component: openssh
Assignee: Jan F. Chadima <jchadima>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 10
CC: dwalsh, mgrepl, tmraz
Keywords: SELinux
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.5.13-35.fc10
Doc Type: Bug Fix
Last Closed: 2009-10-15 10:40:28 EDT

Description Matěj Cepl 2008-12-15 10:57:52 EST
When connecting from one computer to the remote computer as a staff_u user with
ssh -Y hubmaier.local and starting an X-based app on the remote computer, I got this error:

[matej@viklef ~]$ ssh -Y root@hubmaier.local
root@hubmaier.local's password: 
Last login: Mon Dec 15 16:54:38 2008 from
[root@hubmaier ~]# gedit
connect /tmp/.X11-unix/X0: Permission denied

(gedit:5375): Gtk-WARNING **: cannot open display: localhost:11.0
[root@hubmaier ~]# 

and this AVC denial message:

SELinux is preventing the ssh from using potentially mislabeled files (X0).

Detailed description:

[SELinux is in permissive mode; the operation would have been denied but was
allowed because of permissive mode.]

SELinux has denied ssh access to potentially mislabeled file(s) (X0). This means
that SELinux will not allow ssh to use these files. It is common for users to
edit files in their home directory or tmp directories and then move (mv) them to
system directories. The problem is that the files end up with the wrong file
context which confined applications are not allowed to access.

Allowing access:

If you want ssh to access these files, you need to relabel them using restorecon
-v 'X0'. You might want to relabel the entire directory using restorecon -R -v '<Unknown>'.

Additional information:

Source Context                staff_u:staff_r:staff_ssh_t:SystemLow-SystemHigh
Target Context                system_u:object_r:xdm_xserver_tmp_t
Target Objects                X0 [ sock_file ]
Source                        ssh
Source Path                   /usr/bin/ssh
Port                          <Unknown>
Host                          viklef
Source RPM Packages           openssh-clients-5.1p1-4.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-34.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   home_tmp_bad_labels
Host Name                     viklef
Platform                      Linux viklef #1 SMP Mon Dec 1 22:42:50 EST 2008 i686 i686
Alert Count                   1
First Seen                    Mon 15 December 2008, 16:46:44 CET
Last Seen                     Mon 15 December 2008, 16:46:44 CET
Local ID                      b36626e5-6ea0-4636-a238-94a226f411a3
Line Numbers                  

Raw Audit Messages            

node=viklef type=AVC msg=audit(1229356004.728:13122): avc:  denied  { write } for  pid=22184 comm="ssh" name="X0" dev=tmpfs ino=2995335 scontext=staff_u:staff_r:staff_ssh_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_xserver_tmp_t:s0 tclass=sock_file

node=viklef type=AVC msg=audit(1229356004.728:13122): avc:  denied  { connectto } for  pid=22184 comm="ssh" path="/tmp/.X11-unix/X0" scontext=staff_u:staff_r:staff_ssh_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=viklef type=SYSCALL msg=audit(1229356004.728:13122): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bf979560 a2=b807cd48 a3=7 items=0 ppid=21795 pid=22184 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1938 comm="ssh" exe="/usr/bin/ssh" subj=staff_u:staff_r:staff_ssh_t:s0-s0:c0.c1023 key=(null)
Comment 1 Daniel Walsh 2008-12-15 12:16:33 EST
You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.5.13-35.fc10
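To see what the audit2allow step in Comment 1 would grant before loading the module with semodule, here is an added example (not from this report, openssh or selinux-policy) that parses the two AVC records quoted in the description into the matching allow rules with a require block. It is a simplified re-implementation in the style of audit2allow -M, not that tool's code; the audit lines are embedded as sample input copied from the report.

```python
import re
from collections import OrderedDict

# AVC records copied from the report above, embedded here as sample input.
AVC_LOG = """
node=viklef type=AVC msg=audit(1229356004.728:13122): avc:  denied  { write } for  pid=22184 comm="ssh" name="X0" dev=tmpfs ino=2995335 scontext=staff_u:staff_r:staff_ssh_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_xserver_tmp_t:s0 tclass=sock_file
node=viklef type=AVC msg=audit(1229356004.728:13122): avc:  denied  { connectto } for  pid=22184 comm="ssh" path="/tmp/.X11-unix/X0" scontext=staff_u:staff_r:staff_ssh_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=viklef type=SYSCALL msg=audit(1229356004.728:13122): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bf979560 a2=b807cd48 a3=7 items=0 ppid=21795 pid=22184 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1938 comm="ssh" exe="/usr/bin/ssh" subj=staff_u:staff_r:staff_ssh_t:s0-s0:c0.c1023 key=(null)
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """user:role:type[:range] -> type (the field allow rules are written against)."""
    return context.split(":")[2]

def parse_denials(log):
    """Return {(source_type, target_type, tclass): set(perms)} for every AVC denial."""
    denials = OrderedDict()
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial
        key = (type_of(m.group("scontext")), type_of(m.group("tcontext")), m.group("tclass"))
        denials.setdefault(key, set()).update(m.group("perms").split())
    return denials

def to_te(denials, name="mypol"):
    """Render the denials as a .te module in the style audit2allow -M produces."""
    types, classes = OrderedDict(), OrderedDict()
    for (s, t, cls), perms in denials.items():
        types[s] = types[t] = None
        classes.setdefault(cls, set()).update(perms)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in classes.items()]
    out += ["}", ""]
    for (s, t, cls), perms in denials.items():
        out.append(f"allow {s} {t}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out)

if __name__ == "__main__":
    # Review these rules before semodule -i: they grant exactly what was denied.
    print(to_te(parse_denials(AVC_LOG)))
```

The generated module only allows staff_ssh_t to write to the xdm_xserver_tmp_t socket file and connect to xdm_xserver_t, which is the scope of the workaround until the fixed selinux-policy lands.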
Comment 2 Fedora Admin XMLRPC Client 2009-03-10 06:15:42 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.