Bug 730185

Summary: SELinux is preventing /usr/bin/xauth from 'read' accesses on the directory /etc/samba.
Product: [Fedora] Fedora
Reporter: nextgeneration422
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED INSUFFICIENT_DATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 15
CC: dominick.grift, dwalsh, mgrepl, nextgeneration422
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:c5ae36049f3ed2de7b70c8dbb31e3e206c9387fc1f952e639c241096dc2e9319
Doc Type: Bug Fix
Last Closed: 2011-10-07 14:56:53 UTC

Description nextgeneration422 2011-08-12 03:59:06 UTC
SELinux is preventing /usr/bin/xauth from 'read' accesses on the directory /etc/samba.

*****  Plugin leaks (50.5 confidence) suggests  ******************************

If you want to ignore xauth trying to read access the samba directory, because you believe it should not need this access.
Then you should report this as a bug.  
You can generate a local policy module to dontaudit this access.
Do
# grep /usr/bin/xauth /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

*****  Plugin catchall (50.5 confidence) suggests  ***************************

If you believe that xauth should be allowed read access on the samba directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep xauth /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023
Target Context                system_u:object_r:samba_etc_t:s0
Target Objects                /etc/samba [ dir ]
Source                        xauth
Source Path                   /usr/bin/xauth
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           xorg-x11-xauth-1.0.2-9.fc15
Target RPM Packages           samba-common-3.5.8-68.fc15.1
Policy RPM                    selinux-policy-3.9.16-35.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.40-4.fc15.i686.PAE #1 SMP
                              Fri Jul 29 18:47:58 UTC 2011 i686 i686
Alert Count                   24
First Seen                    Fri 12 Aug 2011 04:00:58 AM IST
Last Seen                     Fri 12 Aug 2011 09:23:07 AM IST
Local ID                      d0636f1f-c308-4c1f-890b-647b8edb13aa

Raw Audit Messages
type=AVC msg=audit(1313121187.522:169): avc:  denied  { read } for  pid=3528 comm="xauth" path="/etc/samba" dev=dm-2 ino=1836291 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_etc_t:s0 tclass=dir


type=SYSCALL msg=audit(1313121187.522:169): arch=i386 syscall=execve success=yes exit=0 a0=bffbebda a1=9c1cab0 a2=9bf6848 a3=9c1cab0 items=0 ppid=3506 pid=3528 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=8 comm=xauth exe=/usr/bin/xauth subj=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 key=(null)

Hash: xauth,xauth_t,samba_etc_t,dir,read

audit2allow

#============= xauth_t ==============
allow xauth_t samba_etc_t:dir read;

audit2allow -R

#============= xauth_t ==============
allow xauth_t samba_etc_t:dir read;
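
The triage behind the two plugin suggestions in the description, as an added example that is not part of the original report or of setroubleshoot: it pairs the AVC record with the SYSCALL record of the same audit event and proposes `dontaudit` instead of `allow` when the denial was raised during `execve`, which points to a descriptor inherited from the parent process. The function names and the execve heuristic are assumptions of this example.

```python
import re

# Audit records copied from "Raw Audit Messages" in this report
# (SYSCALL record abbreviated to the fields used here).
RECORDS = '''\
type=AVC msg=audit(1313121187.522:169): avc:  denied  { read } for  pid=3528 comm="xauth" path="/etc/samba" dev=dm-2 ino=1836291 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_etc_t:s0 tclass=dir
type=SYSCALL msg=audit(1313121187.522:169): arch=i386 syscall=execve success=yes exit=0 ppid=3506 pid=3528 comm=xauth exe=/usr/bin/xauth
'''

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<event>[\d.]+:\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+) \} for .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\((?P<event>[\d.]+:\d+)\): .*?\bsyscall=(?P<syscall>\S+)')

def selinux_type(context):
    """Return the type field (third component) of user:role:type:level."""
    return context.split(':')[2]

def triage(log_text):
    """Pair each AVC denial with its SYSCALL record and suggest a rule."""
    syscalls = {m['event']: m['syscall'] for m in SYSCALL_RE.finditer(log_text)}
    results = []
    for m in AVC_RE.finditer(log_text):
        syscall = syscalls.get(m['event'])
        # Heuristic (assumption of this example): a denial raised during execve
        # concerns a descriptor the new program inherited, not a file it opened.
        # Raw audit.log stores syscall numbers; names appear with `ausearch -i`.
        leaked = syscall == 'execve'
        keyword = 'dontaudit' if leaked else 'allow'
        perms = m['perms'].split()
        perm_text = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        rule = '%s %s %s:%s %s;' % (keyword, selinux_type(m['scontext']),
                                    selinux_type(m['tcontext']), m['tclass'], perm_text)
        results.append({'event': m['event'], 'syscall': syscall,
                        'leaked_fd_suspected': leaked, 'rule': rule})
    return results

if __name__ == '__main__':
    for r in triage(RECORDS):
        print(r)
```

An `allow` result is only a candidate for review; the program closing or never inheriting the descriptor is the real fix for a leak.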

Comment 1 Daniel Walsh 2011-08-12 10:23:21 UTC
What were you doing when you saw this avc?

Comment 2 nextgeneration422 2011-08-12 19:22:45 UTC
(In reply to comment #1)
> What were you doing when you saw this avc?

Mr. Daniel, I am new to Linux and Bugzilla too, so at the time of sending bug reports I could not send all the details, and for that I am very sorry.

Now I am sending all the details; read them minutely.

I sent the details so that it can be understood very clearly. The engineers of Red Hat/Fedora, or the developer of the software which is responsible for this bug, are requested to solve the problem as soon as possible. I am a new user of Linux (Fedora), so I did not know how to send a bug report or how to see a bug report.

After downloading Fedora 15 (http://torrent.fedoraproject.org/ -> Fedora 15 -> Fedora-15-i386-DVD.torrent) I installed the Fedora 15 DVD with the KDE, GNOME and Xfce desktops. I took the updates one by one, and during that time I got the first bug, but I cannot remember exactly which software caused the first bug. In total I got 2 bugs. I got the 2nd bug at the time of the ClamAV auto-configure.

Because of these 2 bugs my system crashed. When I installed Fedora 15 on my desktop computer, to log in I was asked to enter a passphrase, and after the passphrase I had to enter the user (standard) password / user (admin) password / root password. I have 2 users, but after getting these 2 bugs I could see that I do not need to enter any password to log in to my desktop; after a shutdown, when I try to start my desktop computer, I need only the passphrase to log in, and I can see that the last user in the user list gets automatically logged in without any password.

After entering the last user's desktop, if I need to start another user session, I have to log out from this user and log in to the desktop as the other user, and at that time I can see that the particular password for the particular user is not working; that is, sometimes if I enter the 1st user's password in the 1st user's field, I get the 2nd user's desktop. So I think those bugs have destroyed my password system, and you are requested to solve the problem fast because my system is behaving like mad. All are requested to read these paragraphs carefully to understand the problem clearly.

To understand this bug you have to see my first bug report, id=722747. In my 1st bug report, Mr. Daniel Walsh, you have written that you are working on it.

So, my first bug ID number is 722747 and my 2nd bug ID number is 730185.

Mr. Daniel and all the engineers of Fedora, please tell me what I should do now, that is, whether to reinstall Fedora 15 or to wait for new updates.

Again, I am sorry, because I sent the same bugs a number of times, since I did not know how to send bugs; I was a user of the Microsoft operating system, and there is no bug reporting system in Microsoft; everything is done automatically in Microsoft.

Comment 3 Daniel Walsh 2011-08-29 17:07:34 UTC
I don't think either of these bugs is related to you not being able to login.