Bug 756936

Summary: X can't forward through ssh
Product: [Fedora] Fedora
Reporter: Vasiliy Glazov <vascom2>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 16
CC: dominick.grift, dwalsh, mgrepl
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-3.10.0-84.fc16
Doc Type: Bug Fix
Last Closed: 2012-04-22 03:35:50 UTC
Attachments: Selinux log

Description Vasiliy Glazov 2011-11-25 08:19:50 UTC
Description of problem:
When I try to connect through ssh -X
I see the message
/home/vascom/.Xauthority not writable, changes will be ignored

and can't run any GUI program.

I found that changing permissions does not help, but disabling SELinux (enforce 0) solves the problem.
I can't find any SELinux warnings in /var/log/audit/audit.log or /var/log/audit/messages.log.

Version-Release number of selected component (if applicable):
libselinux-python-2.1.6-4.fc16.x86_64
libselinux-utils-2.1.6-4.fc16.x86_64
selinux-policy-targeted-3.10.0-56.fc16.noarch
libselinux-devel-2.1.6-4.fc16.x86_64
selinux-policy-3.10.0-56.fc16.noarch
libselinux-2.1.6-4.fc16.x86_64


How reproducible:
Always

Steps to Reproduce:
ssh -X to Fedora 16
  
Please, correct this problem.

Comment 1 Miroslav Grepl 2011-11-28 09:05:26 UTC
If you execute

# restorecon -R -v /home/vascom/.Xauthority

does it fix the issue?

Comment 2 Vasiliy Glazov 2011-11-30 15:08:31 UTC
No, it does not fix the problem.

Comment 3 Miroslav Grepl 2011-12-02 10:19:07 UTC
Ok,
could you execute on the server

# setenforce 0
# semodule -DB

try to ssh -X to this server

# ausearch -m avc -ts recent > ssh_selinux.log
# semodule -B

And attach this log please. Also could you add outputs of

# ls -Z /home/vascom/.Xauthority

# matchpathcon /home/vascom/.Xauthority

Comment 4 Vasiliy Glazov 2012-03-15 16:38:07 UTC
Created attachment 570350
Selinux log

ls -Z /home/vascom/.Xauthority
-rw-------. vascom vascom system_u:object_r:xdm_home_t:s0  /home/vascom/.Xauthority

matchpathcon /home/vascom/.Xauthority
/home/vascom/.Xauthority        unconfined_u:object_r:xauth_home_t:s0

Comment 5 Daniel Walsh 2012-03-16 15:53:07 UTC
Miroslav, did we backport all of the file trans rules from F17 into F16?

 sesearch -T -s xdm_t -t user_home_dir_t | grep Xauth
WARNING: Policy would be downgraded from version 27 to 26.
type_transition xdm_t user_home_dir_t : file xauth_home_t ".Xauth"; 
type_transition xdm_t user_home_dir_t : file xauth_home_t ".Xauthority-c"; 
type_transition xdm_t user_home_dir_t : file xauth_home_t ".Xauthority-l"; 
type_transition xdm_t user_home_dir_t : file xauth_home_t ".Xauthority";

Comment 6 Miroslav Grepl 2012-03-19 14:11:40 UTC
type_transition xdm_t user_home_dir_t : file xauth_home_t ".Xauthority-c"; 
type_transition xdm_t user_home_dir_t : file xauth_home_t ".Xauthority-l"; 

are missing.
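
The comparison that comments 4 to 6 carry out by hand, as an added example that is not part of the original bug report or of selinux-policy: it compares the type in the `ls -Z` line with the type `matchpathcon` expects, and lists the named file transitions present in one `sesearch -T` output but absent from another. The function names are assumptions, and the candidate rule list is constructed from comment 6; the other sample lines are copied from comments 4 and 5.

```python
import re

# Named file transition rule as printed by `sesearch -T`.
RULE_RE = re.compile(r'^type_transition\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(\S+)\s+"([^"]+)"\s*;')

def context_type(line):
    """Return the SELinux type from the context in an `ls -Z` or `matchpathcon` line."""
    for token in line.split():
        fields = token.split(":")
        if len(fields) >= 3 and not token.startswith("/"):
            return fields[2]  # user:role:type[:level]
    raise ValueError("no SELinux context in line: %r" % line)

def label_mismatch(ls_z_line, matchpathcon_line):
    """Return (actual_type, expected_type) when they differ, else None."""
    actual, expected = context_type(ls_z_line), context_type(matchpathcon_line)
    return None if actual == expected else (actual, expected)

def named_transitions(sesearch_output, source, parent, new_type):
    """File names that get new_type when source creates them in a parent-typed dir."""
    names = set()
    for line in sesearch_output.splitlines():
        m = RULE_RE.match(line.strip())
        if m and m.group(1, 2, 3, 4) == (source, parent, "file", new_type):
            names.add(m.group(5))
    return names

def missing_transitions(reference, candidate, source="xdm_t",
                        parent="user_home_dir_t", new_type="xauth_home_t"):
    """Names covered in the reference policy output but not in the candidate."""
    return sorted(named_transitions(reference, source, parent, new_type)
                  - named_transitions(candidate, source, parent, new_type))

# Lines copied from comments 4 and 5 of this report.
LS_Z = "-rw-------. vascom vascom system_u:object_r:xdm_home_t:s0  /home/vascom/.Xauthority"
MATCHPATHCON = "/home/vascom/.Xauthority        unconfined_u:object_r:xauth_home_t:s0"
REFERENCE = """WARNING: Policy would be downgraded from version 27 to 26.
type_transition xdm_t user_home_dir_t : file xauth_home_t ".Xauth";
type_transition xdm_t user_home_dir_t : file xauth_home_t ".Xauthority-c";
type_transition xdm_t user_home_dir_t : file xauth_home_t ".Xauthority-l";
type_transition xdm_t user_home_dir_t : file xauth_home_t ".Xauthority";
"""
# Constructed: the reference output without the two rules comment 6 reports missing.
CANDIDATE = "\n".join(l for l in REFERENCE.splitlines()
                      if '-c"' not in l and '-l"' not in l)

if __name__ == "__main__":
    print("label (actual, expected):", label_mismatch(LS_Z, MATCHPATHCON))
    print("missing named transitions:", missing_transitions(REFERENCE, CANDIDATE))
```

On a live system the inputs would come from `ls -Z`, `matchpathcon` and `sesearch -T -s xdm_t -t user_home_dir_t`, the last one run against each policy being compared.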

Comment 7 Fedora Update System 2012-04-18 12:53:39 UTC
selinux-policy-3.10.0-84.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-84.fc16

Comment 8 Fedora Update System 2012-04-22 03:35:50 UTC
selinux-policy-3.10.0-84.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.