Bug 567914

Summary: kdm overwrites ~/.Xauthority with wrong SELinux context on logout
Product: [Fedora] Fedora Reporter: Karel Volný <kvolny>
Component: kdebase-workspaceAssignee: Rex Dieter <rdieter>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 15CC: dwalsh, fedora, fedora, fedora.jrg01, fedora, jreznik, kevin, ltinkl, lukas+fedora, mgrepl, rdieter, rstrode, smparrish, than
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kdebase-workspace-4.7.4-6.fc16 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-01-07 23:02:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
kdmrc none

Description Karel Volný 2010-02-24 10:19:02 UTC 
Description of problem:
Trying to connect via ssh with X forwarding enabled, I get error creating ~/.Xauthority which prevents usage of the remote display - X applications over ssh.

Version-Release number of selected component (if applicable):
xorg-x11-xauth-1.0.2-7.fc12.i686
xorg-x11-xdm-1.1.6-14.fc12.i686
selinux-policy-3.6.32-89.fc12.noarch

How reproducible:
always

Steps to Reproduce:
1. rm ~/.Xauthority
2. log in via xdm
3. log out
4. log in via ssh with X forwarding enabled
  
Actual results:
/usr/bin/xauth:  /home/kavol/.Xauthority not writable, changes will be ignored

X applications can't start

Expected results:
no xauth error reported

X applications start without any troubles

Additional info:
ls -lZ says
-rw-------. kavol kavol system_u:object_r:xdm_home_t:s0  .Xauthority
and after removing the file and re-logging via ssh
-rw-------. kavol kavol unconfined_u:object_r:xauth_home_t:s0 .Xauthority

obviously these two conflict - I report against selinux, as I don't think it is fault of xauth on its own, neither of xdm itself
Comment 1 Daniel Walsh 2010-02-24 16:19:02 UTC 
Are you sure you are using xdm?  It stores its Xauthority files outside of the homedir.
echo $XAUTHORITY 
/var/run/gdm/auth-for-dwalsh-gHE0bI/database
Comment 2 Karel Volný 2010-03-22 06:09:55 UTC 
(In reply to comment #1)
> Are you sure you are using xdm?  It stores its Xauthority files outside of the
> homedir.
> echo $XAUTHORITY 
> /var/run/gdm/auth-for-dwalsh-gHE0bI/database    

ah, right ... I was mistaken by the look of the login screen, in fact it is KDM, sorry

and it seems to put the file in /var too:

$ echo $XAUTHORITY
/var/run/kdm/.XauthnLul61

$ ls -lZ /var/run/kdm/.XauthnLul61
-rw-------. kavol kavol system_u:object_r:xdm_var_run_t:s0 /var/run/kdm/.XauthnLul61

in that case, the question is what else can keep changing the context of ~/.Xauthority? - or else, what fixes need to be done to ssh/xauth to work with the proper context?
Comment 3 Daniel Walsh 2010-03-22 16:22:05 UTC 
Something in kde is creating this file, rather then using the environment variable.

What avc's are you seeing when you login as ssh after logging in with kdm?
Comment 4 Rex Dieter 2010-03-22 16:37:25 UTC 
probably a round-about dup of bug #524583

Make sure you have the following in /etc/kde/kdm/kdmrc:

[X-*-Core]
UserAuthDir=/var/run/kdm
ForceUserAuthDir=true

[General]
AuthDir=/var/run/kdm

(these entries should be included by default, unless you've customized kdmrc)
Comment 5 Steven M. Parrish 2010-03-28 21:46:24 UTC 
Reporter can you please advise if the suggestion in comment #4 solved the issue for you?

Steven M. Parrish
KDE & Packagekit Triager 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers
Comment 6 Karel Volný 2010-03-31 07:44:18 UTC 
Created attachment 403671 [details]
kdmrc

here is my kdmrc

the mentioned settings are there
Comment 7 Karel Volný 2010-03-31 08:16:16 UTC 
(In reply to comment #3)
> Something in kde is creating this file, rather then using the environment
> variable.
> 
> What avc's are you seeing when you login as ssh after logging in with kdm?    

type=USER_ACCT msg=audit(1270028732.191:41): user pid=1919 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="kavol" exe="/usr/sbin/sshd" hostname=192.168.1.254 addr=192.168.1.254 terminal=ssh res=success'
type=CRED_ACQ msg=audit(1270028732.195:42): user pid=1919 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="kavol" exe="/usr/sbin/sshd" hostname=192.168.1.254 addr=192.168.1.254 terminal=ssh res=success'
type=LOGIN msg=audit(1270028732.196:43): login pid=1919 uid=0 old auid=4294967295 new auid=500 old ses=4294967295 new ses=4
type=USER_ROLE_CHANGE msg=audit(1270028732.261:44): user pid=1919 uid=0 auid=500 ses=4 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=?: exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=failed'
type=USER_ROLE_CHANGE msg=audit(1270028732.262:45): user pid=1919 uid=0 auid=500 ses=4 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023: exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
type=USER_START msg=audit(1270028732.269:46): user pid=1919 uid=0 auid=500 ses=4 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="kavol" exe="/usr/sbin/sshd" hostname=192.168.1.254 addr=192.168.1.254 terminal=ssh res=success'
type=CRED_ACQ msg=audit(1270028732.273:47): user pid=1922 uid=0 auid=500 ses=4 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="kavol" exe="/usr/sbin/sshd" hostname=192.168.1.254 addr=192.168.1.254 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1270028732.463:48): user pid=1919 uid=0 auid=500 ses=4 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=500 exe="/usr/sbin/sshd" hostname=192.168.1.254 addr=192.168.1.254 terminal=/dev/pts/1 res=success'
Comment 8 Daniel Walsh 2010-03-31 13:59:45 UTC 
None of those are AVC messages.  They are regular audit messages.
Comment 9 Daniel Walsh 2010-03-31 14:00:52 UTC 
Remove the .Xauthority record from the homedir, then ssh in, and see what context it gets created with.
Comment 10 Karel Volný 2010-03-31 14:06:44 UTC 
(In reply to comment #8)
> None of those are AVC messages.  They are regular audit messages.    

yeah, true, but that is all I got from audit.log ...

(In reply to comment #9)
> Remove the .Xauthority record from the homedir, then ssh in, and see what
> context it gets created with.    

still the same:

$ ls -lZ ~/.Xauthority 
-rw-------. kavol kavol unconfined_u:object_r:xauth_home_t:s0 /home/kavol/.Xauthority
Comment 11 Daniel Walsh 2010-03-31 14:39:28 UTC 
That is the right label.
Comment 12 Karel Volný 2010-03-31 14:48:45 UTC 
(In reply to comment #11)
> That is the right label.    

ok, then why it gets changed to system_u:object_r:xdm_home_t:s0 ?

is there a (simple) way to setup some "trap" to see what changes the context?
Comment 13 Daniel Walsh 2010-03-31 19:34:49 UTC 
You can put a watch on the file via the audit system

something like

# auditctl -w /home/kavol/.Xauthority     -p w 

You are saying now that the context is correct, if you login via kdm it will change to xdm_home_t.
Comment 14 Karel Volný 2010-04-01 15:32:16 UTC 
hope this is the relevant part of the log - I see when the context changes, but I don't understand what changes it ...

type=USER_AUTH msg=audit(1270141182.670:19342): user pid=1662 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="kavol" exe="/usr/bin/kdm" hostname=? addr=? terminal=:0 res=success'
type=USER_ACCT msg=audit(1270141182.678:19343): user pid=1662 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="kavol" exe="/usr/bin/kdm" hostname=? addr=? terminal=:0 res=success'
type=CRED_ACQ msg=audit(1270141182.818:19344): user pid=1662 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="kavol" exe="/usr/bin/kdm" hostname=? addr=? terminal=:0 res=success'
type=LOGIN msg=audit(1270141182.818:19345): login pid=1662 uid=0 old auid=4294967295 new auid=500 old ses=4294967295 new ses=5
type=USER_ROLE_CHANGE msg=audit(1270141182.901:19346): user pid=1662 uid=0 auid=500 ses=5 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023: exe="/usr/bin/kdm" hostname=? addr=? terminal=? res=success'
type=USER_START msg=audit(1270141182.907:19347): user pid=1662 uid=0 auid=500 ses=5 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="kavol" exe="/usr/bin/kdm" hostname=? addr=? terminal=:0 res=success'
type=USER_AUTH msg=audit(1270141642.421:19348): user pid=3123 uid=500 auid=500 ses=5 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="root" exe="/bin/su" hostname=? addr=? terminal=pts/2 res=failed'
type=USER_AUTH msg=audit(1270141645.691:19349): user pid=3129 uid=500 auid=500 ses=5 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="root" exe="/bin/su" hostname=? addr=? terminal=pts/2 res=success'
type=USER_ACCT msg=audit(1270141645.697:19350): user pid=3129 uid=500 auid=500 ses=5 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="root" exe="/bin/su" hostname=? addr=? terminal=pts/2 res=success'
type=USER_START msg=audit(1270141646.338:19351): user pid=3129 uid=500 auid=500 ses=5 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/bin/su" hostname=? addr=? terminal=pts/2 res=success'
type=CRED_ACQ msg=audit(1270141646.344:19352): user pid=3129 uid=500 auid=500 ses=5 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/bin/su" hostname=? addr=? terminal=pts/2 res=success'
type=CRED_DISP msg=audit(1270141786.879:19353): user pid=3129 uid=500 auid=500 ses=5 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/bin/su" hostname=? addr=? terminal=pts/2 res=success'
type=USER_END msg=audit(1270141786.884:19354): user pid=3129 uid=500 auid=500 ses=5 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="root" exe="/bin/su" hostname=? addr=? terminal=pts/2 res=success'
type=CONFIG_CHANGE msg=audit(1270141789.105:19355): auid=500 ses=5 op="updated rules" path="/home/kavol/.Xauthority" key=(null) list=4 res=1
type=CONFIG_CHANGE msg=audit(1270141789.105:19356): auid=500 ses=5 op="updated rules" path="/home/kavol/.Xauthority" key=(null) list=4 res=1
type=SYSCALL msg=audit(1270141789.105:19357): arch=40000003 syscall=38 success=yes exit=0 a0=bfb0800a a1=bfb0840c a2=bfb0840c a3=bfb0800a items=5 ppid=1662 pid=3268 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=5 comm="kdm" exe="/usr/bin/kdm" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1270141789.105:19357):  cwd="/"
type=PATH msg=audit(1270141789.105:19357): item=0 name="/home/kavol/" inode=132596 dev=fd:00 mode=040755 ouid=500 ogid=500 rdev=00:00 obj=unconfined_u:object_r:user_home_dir_t:s0
type=PATH msg=audit(1270141789.105:19357): item=1 name="/home/kavol/" inode=132596 dev=fd:00 mode=040755 ouid=500 ogid=500 rdev=00:00 obj=unconfined_u:object_r:user_home_dir_t:s0
type=PATH msg=audit(1270141789.105:19357): item=2 name="/home/kavol/.Xauthority-n" inode=134145 dev=fd:00 mode=0100600 ouid=500 ogid=500 rdev=00:00 obj=system_u:object_r:xdm_home_t:s0
type=PATH msg=audit(1270141789.105:19357): item=3 name="/home/kavol/.Xauthority" inode=134143 dev=fd:00 mode=0100600 ouid=500 ogid=500 rdev=00:00 obj=unconfined_u:object_r:xauth_home_t:s0
type=PATH msg=audit(1270141789.105:19357): item=4 name="/home/kavol/.Xauthority" inode=134145 dev=fd:00 mode=0100600 ouid=500 ogid=500 rdev=00:00 obj=system_u:object_r:xdm_home_t:s0
type=USER_END msg=audit(1270141789.163:19358): user pid=1662 uid=0 auid=500 ses=5 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="kavol" exe="/usr/bin/kdm" hostname=? addr=? terminal=:0 res=success'
type=CRED_DISP msg=audit(1270141789.165:19359): user pid=1662 uid=0 auid=500 ses=5 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="kavol" exe="/usr/bin/kdm" hostname=? addr=? terminal=:0 res=success'
type=AVC msg=audit(1270141792.798:19360): avc:  denied  { write } for  pid=3280 comm="kdm_greet" name="fontconfig" dev=dm-0 ino=40964 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=dir
type=SYSCALL msg=audit(1270141792.798:19360): arch=40000003 syscall=33 success=no exit=-13 a0=9ffacb0 a1=3 a2=3a971a8 a3=9ffacb0 items=1 ppid=3275 pid=3280 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kdm_greet" exe="/usr/libexec/kde4/kdm_greet" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1270141792.798:19360):  cwd="/"
type=PATH msg=audit(1270141792.798:19360): item=0 name="/var/cache/fontconfig" inode=40964 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:fonts_t:s0
type=AVC msg=audit(1270141792.798:19361): avc:  denied  { setattr } for  pid=3280 comm="kdm_greet" name="fontconfig" dev=dm-0 ino=40964 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=dir
type=SYSCALL msg=audit(1270141792.798:19361): arch=40000003 syscall=15 success=no exit=-13 a0=9ffacb0 a1=1ed a2=3a971a8 a3=9ffacb0 items=1 ppid=3275 pid=3280 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kdm_greet" exe="/usr/libexec/kde4/kdm_greet" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1270141792.798:19361):  cwd="/"
type=PATH msg=audit(1270141792.798:19361): item=0 name="/var/cache/fontconfig" inode=40964 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:fonts_t:s0
type=USER_AUTH msg=audit(1270141927.880:19362): user pid=3275 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="kavol" exe="/usr/bin/kdm" hostname=? addr=? terminal=:0 res=success'
Comment 15 Daniel Walsh 2010-04-01 16:33:27 UTC 
Yes that shows kdm is the one changing the file.

Looks like /usr/bin/kdm is replacing the correctly labeled .Xauthority file with one labeled xdm_home_t.   xdm_home_t is the default label for all files created by xdm_t in the users homedir.  It is supposed to only create .xsession_errors and maybe .dmrc.

Since kdm is creating the Xauthority file i n/var/lib, why is it still creating the file in the homedir?
Comment 16 Rex Dieter 2010-04-01 17:35:14 UTC 
Ugh, it would appear that kdm will use a ~/.Xauthority file, if present, else will create one in /var/run/kdm as specified in kdmrc.
Comment 17 Rex Dieter 2010-04-01 17:43:30 UTC 
hrm, maybe not, I have,

$ ls -Z ~/.Xauthority 
-rw-------. rdieter1 rdieter1 unconfined_u:object_r:xauth_home_t:s0 /home/rdieter1/.Xauthority

and
$ ls -Z /var/run/kdm/.Xauth*
-rw-------. rdieter1 rdieter1 system_u:object_r:xdm_var_run_t:s0 /var/run/kdm/.XauthceGWGG


So, I guess I can't reproduce this.
Comment 18 Steven M. Parrish 2010-05-05 11:19:29 UTC 
Thanks for the report.  This needs to be reported to the upstream developers.  Please file a report at http://bugs.kde.org  Then add the upstream bug information to this report.  We will monitor the upstream report for a resolution.

Thanks
Comment 19 Karel Volný 2010-06-18 11:14:09 UTC 
I've just submitted the upstream bug:
Bug 242065 -  kdm overwrites ~/.Xauthority with wrong SELinux context on logout

The bug appears also in recent kdm-4.4.4-1.fc13, so updating the product version.
Comment 20 Rex Dieter 2010-06-18 11:57:08 UTC 
adjusting component/summary.
Comment 21 John Griffiths 2010-11-20 05:57:19 UTC 
Also in kdm-4.5.3-3.fc14.i686.
Comment 22 Lukas Middendorf 2011-04-26 09:50:38 UTC 
Still present in kdm-4.6.2-2.fc14.x86_64 . And it looks like we can not expect any fix from upstream.

It's quite annoying that I have to run "resorecon ~/.Xauthority" and "rm ~/.Xauthority-*" and disconnect/connect again to get X forward working.
Comment 23 Daniel Walsh 2011-04-26 14:52:31 UTC 
Well I just added a fix to F16 that will cause xdm_t to create .Xauthority with the correctly label.

F14,F15 also run a processes call restorecond that watches for user creation of files in the homedir and fixes the label.

You could also run the restorecond service and add the path to this file, which will relabel it if it gets created with the wrong label.

/etc/selinux/restorecond.conf or /etc/selinux/restorecond_user.conf.
Comment 24 John Griffiths 2011-04-26 17:00:09 UTC 
(In reply to comment #23)
> Well I just added a fix to F16 that will cause xdm_t to create .Xauthority with
> the correctly label.
> 
> F14,F15 also run a processes call restorecond that watches for user creation of
> files in the homedir and fixes the label.
> 
> You could also run the restorecond service and add the path to this file, which
> will relabel it if it gets created with the wrong label.
> 
> /etc/selinux/restorecond.conf or /etc/selinux/restorecond_user.conf.

Dan,
Will etc/selinux/restorecond.conf or /etc/selinux/restorecond_user.conf accept wildcards as part of the path and not as the file? Like:

/home/*/.Xauthority
Comment 25 Daniel Walsh 2011-04-26 18:00:02 UTC 
~/.Xauthority

I believe is the correct syntax
Comment 26 Lukas Middendorf 2011-04-29 18:29:19 UTC 
I added "~/.Xauthority" to restorecond_user.conf and the full path to restorecond.conf, activated the restorecond service and logged out.

Does not seem to help. Still had the problem with ssh and X forward.
Comment 27 Bug Zapper 2011-06-02 16:25:51 UTC 
This message is a reminder that Fedora 13 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 13.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '13'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 13's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 13 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 28 Karel Volný 2011-06-16 12:28:27 UTC 
the problem is still there:

$ ls -lZ ~/.Xauthority 
-rw-------. kvolny kvolny system_u:object_r:xdm_home_t:s0  /home/kvolny/.Xauthority

- there is xdm_home_t instead of xauth_home_t

according to comment #23 this is going to be fixed in F16, so updating version to F15 to keep this open
Comment 29 Rick 2012-01-03 01:22:37 UTC 
I can confirm this bug still happens with the latest KDM version in Fedora 16.

I have 2 F16 machines, and as long as I've logged in using KDM, my ~/.Xauthority file has the following context:

system_u:object_r:xdm_home_t:s0

If I manually change the context to:

unconfined_u:object_r:xauth_home_t:s0

via chcon as a regular user, I am able to remotely log in via SSH and launch applications over the forwarded tunnel correctly.  Apps launched during the running desktop session work correctly as well.

TL;DR: Bug still exists.  My kdmrc contains the recommended options as outlined in comment #4.
Comment 30 Miroslav Grepl 2012-01-03 07:07:48 UTC 
Could you try to remove the .Xauthority record from the homedir, then ssh in, and see what context it gets created with.
Comment 31 John Griffiths 2012-01-03 15:12:19 UTC 
The wrong context is being set by the normal login. I use kde as the desktop manager and my desktop. Don't know whether this also happens with gnome.

When I log in using ssh, I get:

     usr/bin/xauth:  /home/jrg3/.Xauthority not writable, changes will be ignored

I then remove .Xauthority-l and .Xauthority-c and run restorecon on .Xauthority.

     restorecon -v .Xauthority 
     restorecon reset /home/jrg3/.Xauthority context 
         system_u:object_r:xdm_home_t:s0->system_u:object_r:xauth_home_t:s0

Then I exit and re-connect using ssh and get no complaints about .Xauthority again until I log in using the desktop. Once I log in using the desktop, I have to repeat the process if I want to ssh to the host.
Comment 32 Rex Dieter 2012-01-03 15:42:31 UTC 
So, here on my box, kde doesn't create or touch ~/.Xauthority at all.

What happens for me, is I get this set on login:
XAUTHORITY=/tmp/kde-rdieter1/xauth-1482-_0

now, hrm... a little surprising, since kdmrc contains
UserAuthDir=/var/run/kdm
ForceUserAuthDir=true
I'd expect that to get used... (but let's deal with that oddity separately).

Point is... remote ssh connections, obviously don't know about any local XAUTHORITY env var.  My best guess is that ssh/sshd tries to fall back to using ~/.Xauthority , and *that* is the fail here.
Comment 33 Daniel Walsh 2012-01-03 16:37:58 UTC 
When you remove the ~/.Xauthority file from your homedir, and login on F16, if the file is created by xdm_t it should be created as xauth_home_t, if a temporary file is created and then renamed, we might be missing this. 

If you remove the ~/.Xauthority file and login for the first time with sshd_t, what context does it get?

Miroslav we might want to add
	xserver_filetrans_home_content(sshd_t)

if sshd is creating this file rather then a process being run as a user context.
Comment 34 Rex Dieter 2012-01-03 16:59:42 UTC 
On my f16 box,

$ rm -f ~/.Xauthority

$ ssh -X localhost

/usr/bin/xauth: file /home/rdieter1/.Xauthority does not exist
$ ls -lZ .Xauthority
-rw-------. rdieter1 rdieter1 unconfined_u:object_r:xauth_home_t:s0 .Xauthority
Comment 35 Rick 2012-01-03 18:41:42 UTC 
(In reply to comment #30)
> Could you try to remove the .Xauthority record from the homedir, then ssh in,
> and see what context it gets created with.

[vector@dirty ~]$ rm .Xauthority 
[vector@dirty ~]$ ssh -X localhost
Last login: Tue Jan  3 10:30:15 2012 from localhost
/usr/bin/xauth:  file /home/vector/.Xauthority does not exist
[vector@dirty ~]$ ls -Z .Xauthority 
-rw-------. vector vector unconfined_u:object_r:xauth_home_t:s0 .Xauthority

Same as Rex in comment #34.  

(In reply to comment #32)
> Point is... remote ssh connections, obviously don't know about any local
> XAUTHORITY env var.  My best guess is that ssh/sshd tries to fall back to using
> ~/.Xauthority , and *that* is the fail here.

Specifically, I think it's the xauth binary falling back to using $HOME/.Xauthority, as that's the listed fallback if XAUTHORITY environment variable isn't set, which when you SSH into a machine, it is NOT.

It looks like when I ssh into a machine with X11 forwarding turned on, XAUTHORITY isn't set AT ALL.

[vector@dirty ~]$ env | grep XAUTH
XAUTHORITY=/tmp/kde-vector/xauth-1000-_0
[vector@dirty ~]$ ssh -X localhost
             
Last login: Tue Jan  3 10:30:28 2012 from localhost

[vector@dirty ~]$ env | grep XAUTH
[vector@dirty ~]$ 

So it looks like KDM or some other binary is setting the XAUTHORITY var.

When I tried adding the contents of that var into my .bash_profile, X11 forwarding via SSH stopped working entirely.  not sure why, not even sure if it's relevant, but there you go.
Comment 36 Daniel Walsh 2012-01-03 18:44:06 UTC 
So kdm is somehow replacing this file with one that is labeled xdm_home_t?
Comment 37 John Griffiths 2012-01-03 18:48:40 UTC 
kdm sets .Xauthority to:

     system_u:object_r:xauth_home_t:s0 .Xauthority

ssh set .Xauthority to:

     unconfined_u:object_r:xauth_home_t:s0 .Xauthority
Comment 38 Rex Dieter 2012-01-03 18:49:41 UTC 
I asserted in comment #32 that kdm isn't touching ~/.Xauthority by default *at all*.  Is there evidence to the contrary?
Comment 39 Rick 2012-01-03 18:55:25 UTC 
(In reply to comment #38)
> I asserted in comment #32 that kdm isn't touching ~/.Xauthority by default *at
> all*.  Is there evidence to the contrary?

Yes, sort of..  

I think I might have gotten a small clue on the matter...

I installed GDM and set it as my default greeter on my main workstation.  Via a remote SSH session from my laptop, I removed the .Xauthority file, and then watched it via 'watch ls -lZ ~/.Xauthority'.

I logged in from a GDM session to my KDE plasma workspace.  Then I logged out.  The entire time, .Xauthority was NOT recreated.  Then I set my greeter back to KDM.  I logged in to my KDE Plasma workspace, and still no file was created..

However, when I logged out this time, it created my .Xauthority file with the buggy context: system_u:object_r:xdm_home_t:s0

So it appears related to using KDM as the display manager and KDE as the default desktop.  

I'm about to try Gnome 3 with both KDM and GDM to see if that's doing anything weird either.
Comment 40 Rex Dieter 2012-01-03 19:02:20 UTC 
OK, well I'll be darned, it does get set... on *logout*.  wtf.  I'll have to track where that's coming from.
Comment 41 Rick 2012-01-03 19:14:01 UTC 
I now realize this data was known after re-reading the bug report..  But still, I think I know _why_ it's doing that..  I presume that since KDE+KDM set the XAUTHORITY variable somewhere other than a known default, that once a user logs out, it's trying to re-establish a sane default.  It's simply doing so using a system_u instead of unconfined_u, which no doubt is because of the context in which KDM runs.  

BTW, I tried LXDE and KDM, and the issue persists, but LXDE and GDM does not, so it's most definitely KDM doing this.
Comment 42 Rex Dieter 2012-01-03 19:46:24 UTC 
Dan, ok, I found 2 cases that we should handle better,

In cases where kdm indeed still tries to use ~/.Xauthority , it does indeed use a write+rename to save it.

There's also a bug outlined in the past couple of comments where even if 
ForceUserAuthDir=true
is set, on logout, a ~/.Xauthority gets created for the sole (?) purpose of clearing all current/active auths, so it ends up being empty anyway.
Comment 43 Rex Dieter 2012-01-03 19:47:30 UTC 
And, if it wasn't clear, I'll definitely tackle fixing item 2, is 1 something that can be fixed via policy, or is there something I should be doing there too?
Comment 44 Rick 2012-01-03 19:59:00 UTC 
I'm a little new to using Redhat's bugzilla, but I'd really like to help out with this, if nothing else, testing fixes.  What should I be doing to get ready to help?
Comment 45 Daniel Walsh 2012-01-03 20:34:49 UTC 
Rex, what is the name of the temporary file that is created for .Xauthority.  If the name is fixed, we can write policy for it.  For example.

.Xauthority.new or .Xauthority~

If it is random, then we won't be able to fix this as easily.
Comment 46 Rex Dieter 2012-01-03 21:03:36 UTC 
Dan, 
looks like the code appends "-n" for the temporary name, so ~/.Xauthority-n


Test builds on the way with an initial workaround patch for the latter item in comment #42 : 

f16: http://koji.fedoraproject.org/koji/buildinfo?buildID=280874

f15: http://koji.fedoraproject.org/koji/buildinfo?buildID=280875
Comment 47 Karel Volný 2012-01-03 21:18:55 UTC 
<unuseful_comment>
nice to see some progress here, thanks!

- one would be a bit saddened looking at the upstream bugreport (except for the latest comments from Rex, btw nice filename in the patch :))
</unuseful_comment>
Comment 48 Fedora Update System 2012-01-03 21:48:43 UTC 
kdebase-workspace-4.6.5-8.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/kdebase-workspace-4.6.5-8.fc15
Comment 49 Fedora Update System 2012-01-03 21:49:22 UTC 
kdebase-workspace-4.7.4-6.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/kdebase-workspace-4.7.4-6.fc16
Comment 50 Rick 2012-01-03 22:24:50 UTC 
(In reply to comment #46)
> Dan, 
> looks like the code appends "-n" for the temporary name, so ~/.Xauthority-n
> 
> 
> Test builds on the way with an initial workaround patch for the latter item in
> comment #42 : 
> 
> f16: http://koji.fedoraproject.org/koji/buildinfo?buildID=280874
> 
> f15: http://koji.fedoraproject.org/koji/buildinfo?buildID=280875

Rex, I can verify that I've seen the ~/.Xauthority-n file before, I just can't remember how I triggered its creation.  I also recall seeing an ~/.Xauthority-l and ~/.Xauthority-c file and I'm unsure what/where/why that got created.  I also haven't seen it _lately_, so it could've been a hold-over from restoring my home directory from a backup or something.

I just applied the fixes from Rex's Koji build, and the problem appears to have disappeared.  ~/.Xauthority is no longer being created on logout.  i'm using kdm-4.7.4-6.fc16.x86_64, KDE as my desktop, and KDM as my greeter.   Works!

The only little iffy bit was when I installed the packages to begin with, and then went to init 3 and then init 5 to reload the KDM binary, I lost networking.  Reboot fixed it.  Not sure if it's related to the new packages or how I restarted KDM, but thought I'd put that out there.
Comment 51 Fedora Update System 2012-01-04 01:58:39 UTC 
Package kdebase-workspace-4.7.4-6.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing kdebase-workspace-4.7.4-6.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-0083/kdebase-workspace-4.7.4-6.fc16
then log in and leave karma (feedback).
Comment 52 John Griffiths 2012-01-04 12:04:28 UTC 
~/.Xauthority-l and ~/.Xauthority-c file are used in locking the .Xauthority file. 

It is my experience that if .Xauthority is writable and a lock acquired then they get removed. They will be present when the .Xauthority file is not writable because of the problem discussed in this bug. If .Xauthority is not writable then those files will not be removed.
Comment 53 Rick 2012-01-05 20:30:59 UTC 
(In reply to comment #52)
> ~/.Xauthority-l and ~/.Xauthority-c file are used in locking the .Xauthority
> file. 
> 
> It is my experience that if .Xauthority is writable and a lock acquired then
> they get removed. They will be present when the .Xauthority file is not
> writable because of the problem discussed in this bug. If .Xauthority is not
> writable then those files will not be removed.

Thanks for the pro-tip John!

Also, I tested this on both my 32 and 64 bit systems, and everything seems to work correctly.  I added my Karma to the fix.
Comment 54 Fedora Update System 2012-01-07 23:02:23 UTC 
kdebase-workspace-4.7.4-6.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 55 Fedora Update System 2012-01-19 01:37:32 UTC 
kdebase-workspace-4.6.5-8.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.