Bug 119204 - ssh-agent and utemper want to write to $HOME/.xsession-errors, which is prohibited by policy
ssh-agent and utemper want to write to $HOME/.xsession-errors, which is prohi...
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: xinitrc (Show other bugs)
rawhide
All Linux
medium Severity high
: ---
: ---
Assigned To: X/OpenGL Maintenance List
Ben Levenson
: SELinux
: 119506 (view as bug list)
Depends On: 119503
Blocks:
  Show dependency treegraph
 
Reported: 2004-03-26 06:28 EST by Aleksey Nogin
Modified: 2007-11-30 17:10 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-10-22 10:35:22 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Aleksey Nogin 2004-03-26 06:28:53 EST
If the session is _not_ Gnome, kdm's /usr/share/config/kdm/Xsession
redirects the stdout and stderr to $HOME/.xsession-errors, which has
the default type user_home_t (or staff_home_t). The current policy
(1.9-15) would not allow such a file to be written to be certain
programs. In particular, 

- ssh-agent is unable to write to it, which causes it to start using
up all the CPU time

- utemper is unable to write to it, so it fails to list the user's
session in utmp.

I believe that the best solution woukd be to change 
/usr/share/config/kdm/Xsession to use a file in /tmp, not
$HOME/.xsession-errors. Alternatively, the policy could be changed to
mark the $HOME/.xsession-errors specially. Finally, a possible
solution would be to grant utemper and ssh-agent write/append
permissions to arbitrary user files, but I am not sure this is a good
idea.
Comment 1 Daniel Walsh 2004-03-30 22:32:49 EST
I am changing  policy for xdm to dontaudit on writes to the $1_home_t,
which should cause the xsession-errors file to be created on /tmp.

Dan
Comment 2 Aleksey Nogin 2004-03-30 22:42:29 EST
Will the xauth stuff still work? Just making sure.
Comment 3 Daniel Walsh 2004-03-30 23:01:26 EST
Well that actually looks like a bug also.  Seems xdm is not
transitioning to xauth_t, to allow it to write to the home dir.  So I
am  trying to fix that also.  If the transition happens properly
xauth_t can write to the home dir and xdm will fail forcing it to
write to /tmp dir.  
I believe that is the way it should work.

Dan
Comment 4 Aleksey Nogin 2004-03-31 00:36:23 EST
What about utemper? I am getting 

audit(1080711300.469:0): avc:  denied  { getattr } for  pid=27008
exe=/usr/sbin/utempter path=/tmp/xses-aleksey.OU2533 dev=hda2
ino=343507 scontext=aleksey:staff_r:utempter_t
tcontext=aleksey:object_r:staff_tmp_t tclass=file

and I was getting similar write denied messages until I added an allow
for them.
Comment 5 Ngo Than 2004-04-01 07:00:31 EST
kdebase just uses Xsession file in xinitrc. It assign it to correct
component
Comment 6 Aleksey Nogin 2004-04-01 07:29:12 EST
*** Bug 119506 has been marked as a duplicate of this bug. ***
Comment 7 Tim Waugh 2004-04-21 09:13:01 EDT
It would be nice if this could go in the release notes (the fact that
your .xsession-errors in now in /tmp).
Comment 8 Mike A. Harris 2004-10-05 07:39:57 EDT
Please try Fedora Core 3 test 2 or later, as this problem may
be fixed now.  If the problem persists, please update the status.

Thanks in advance.

Note You need to log in before you can comment on or make changes to this bug.