119204 – ssh-agent and utemper want to write to $HOME/.xsession-errors, which is prohibited by policy

Bug 119204 - ssh-agent and utemper want to write to $HOME/.xsession-errors, which is prohibited by policy

Summary: ssh-agent and utemper want to write to $HOME/.xsession-errors, which is prohi...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	xinitrc
Sub Component:
Version:	rawhide
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	high
Target Milestone:	---
Assignee:	X/OpenGL Maintenance List
QA Contact:	Ben Levenson
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	119506 (view as bug list)
Depends On:	119503
Blocks:
TreeView+	depends on / blocked

Reported:	2004-03-26 11:28 UTC by Aleksey Nogin
Modified:	2007-11-30 22:10 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2004-10-22 14:35:22 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Aleksey Nogin 2004-03-26 11:28:53 UTC

If the session is _not_ Gnome, kdm's /usr/share/config/kdm/Xsession
redirects the stdout and stderr to $HOME/.xsession-errors, which has
the default type user_home_t (or staff_home_t). The current policy
(1.9-15) would not allow such a file to be written to be certain
programs. In particular, 

- ssh-agent is unable to write to it, which causes it to start using
up all the CPU time

- utemper is unable to write to it, so it fails to list the user's
session in utmp.

I believe that the best solution woukd be to change 
/usr/share/config/kdm/Xsession to use a file in /tmp, not
$HOME/.xsession-errors. Alternatively, the policy could be changed to
mark the $HOME/.xsession-errors specially. Finally, a possible
solution would be to grant utemper and ssh-agent write/append
permissions to arbitrary user files, but I am not sure this is a good
idea.

Comment 1 Daniel Walsh 2004-03-31 03:32:49 UTC

I am changing  policy for xdm to dontaudit on writes to the $1_home_t,
which should cause the xsession-errors file to be created on /tmp.

Dan

Comment 2 Aleksey Nogin 2004-03-31 03:42:29 UTC

Will the xauth stuff still work? Just making sure.

Comment 3 Daniel Walsh 2004-03-31 04:01:26 UTC

Well that actually looks like a bug also.  Seems xdm is not
transitioning to xauth_t, to allow it to write to the home dir.  So I
am  trying to fix that also.  If the transition happens properly
xauth_t can write to the home dir and xdm will fail forcing it to
write to /tmp dir.  
I believe that is the way it should work.

Dan

Comment 4 Aleksey Nogin 2004-03-31 05:36:23 UTC

What about utemper? I am getting 

audit(1080711300.469:0): avc:  denied  { getattr } for  pid=27008
exe=/usr/sbin/utempter path=/tmp/xses-aleksey.OU2533 dev=hda2
ino=343507 scontext=aleksey:staff_r:utempter_t
tcontext=aleksey:object_r:staff_tmp_t tclass=file

and I was getting similar write denied messages until I added an allow
for them.

Comment 5 Than Ngo 2004-04-01 12:00:31 UTC

kdebase just uses Xsession file in xinitrc. It assign it to correct
component

Comment 6 Aleksey Nogin 2004-04-01 12:29:12 UTC

*** Bug 119506 has been marked as a duplicate of this bug. ***

Comment 7 Tim Waugh 2004-04-21 13:13:01 UTC

It would be nice if this could go in the release notes (the fact that
your .xsession-errors in now in /tmp).

Comment 8 Mike A. Harris 2004-10-05 11:39:57 UTC

Please try Fedora Core 3 test 2 or later, as this problem may
be fixed now.  If the problem persists, please update the status.

Thanks in advance.

Note You need to log in before you can comment on or make changes to this bug.