Bug 553174

Summary: When running nxclient-3.40-5 selinux alert message pops up.
Product: [Fedora] Fedora Reporter: Marcin <marcin.wolyniak>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 12CC: dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 3.6.32-69.fc12 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-01-19 19:41:37 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
selinux alert autmatically generated none

Description Marcin 2010-01-07 10:21:04 UTC 
Description of problem:
When running nxclient-3.40-5 selinux alert message pops up.

Version-Release number of selected component (if applicable):
selinux-policy-3.6.32-63.fc12, but every version form release of F122 has this bug

How reproducible:
every run of nxclient

Steps to Reproduce:
1. Install nxclient-3.4.0-5 from nomachine.com.
2. Configure connection settings
3. Run the client.
4. Selinux alert pops up. But program runs successfully.
  
Actual results:
Selinux alert pops up. But Nxclient runs successfully

Expected results:
No selinux alert

Additional info:
following local policy seems to cure the problem:

require {
	type xauth_t;
	type xserver_t;
	class unix_stream_socket connectto;
}

#============= xauth_t ==============
allow xauth_t xserver_t:unix_stream_socket connectto;
Comment 1 Marcin 2010-01-07 10:22:41 UTC 
Created attachment 382190 [details]
selinux alert autmatically generated
Comment 2 Daniel Walsh 2010-01-07 15:02:26 UTC 
Yes this AVC does not block anything.  Notice the success=yes, This means the access was granted,  The kernel probably used a different code path.



Miroslav, need to add 

allow xauth_t xserver_t:unix_stream_socket connectto;
Comment 3 Miroslav Grepl 2010-01-08 13:08:14 UTC 
Fixed in selinux-policy-3.6.32-68.fc12.noarch
Comment 4 Fedora Update System 2010-01-12 23:27:49 UTC 
selinux-policy-3.6.32-69.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-0362
Comment 5 Fedora Update System 2010-01-19 19:40:39 UTC 
selinux-policy-3.6.32-69.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.