Bug 119204 – ssh-agent and utemper want to write to $HOME/.xsession-errors, which is prohibited by policy

Bug 119204 - ssh-agent and utemper want to write to $HOME/.xsession-errors, which is prohibited by policy

Summary:	ssh-agent and utemper want to write to $HOME/.xsession-errors, which is prohi...

Status:	CLOSED CURRENTRELEASE

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	xinitrc (Show other bugs)
Sub Component:
Version:	rawhide
Hardware:	All Linux

Priority	medium Severity high
Target Milestone:	---
Target Release:	---
Assigned To:	X/OpenGL Maintenance List
QA Contact:	Ben Levenson
Docs Contact:

URL:
Whiteboard:
Keywords:	SELinux

Duplicates:	119506 (view as bug list)
Depends On:	119503
Blocks:
	Show dependency tree / graph

Reported:	2004-03-26 06:28 EST by Aleksey Nogin
Modified:	2007-11-30 17:10 EST (History)
CC List:	3 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2004-10-22 10:35:22 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Aleksey Nogin 2004-03-26 06:28:53 EST

If the session is _not_ Gnome, kdm's /usr/share/config/kdm/Xsession
redirects the stdout and stderr to $HOME/.xsession-errors, which has
the default type user_home_t (or staff_home_t). The current policy
(1.9-15) would not allow such a file to be written to be certain
programs. In particular, 

- ssh-agent is unable to write to it, which causes it to start using
up all the CPU time

- utemper is unable to write to it, so it fails to list the user's
session in utmp.

I believe that the best solution woukd be to change 
/usr/share/config/kdm/Xsession to use a file in /tmp, not
$HOME/.xsession-errors. Alternatively, the policy could be changed to
mark the $HOME/.xsession-errors specially. Finally, a possible
solution would be to grant utemper and ssh-agent write/append
permissions to arbitrary user files, but I am not sure this is a good
idea.

Comment 1 Daniel Walsh 2004-03-30 22:32:49 EST

I am changing  policy for xdm to dontaudit on writes to the $1_home_t,
which should cause the xsession-errors file to be created on /tmp.

Dan

Comment 2 Aleksey Nogin 2004-03-30 22:42:29 EST

Will the xauth stuff still work? Just making sure.

Comment 3 Daniel Walsh 2004-03-30 23:01:26 EST

Well that actually looks like a bug also.  Seems xdm is not
transitioning to xauth_t, to allow it to write to the home dir.  So I
am  trying to fix that also.  If the transition happens properly
xauth_t can write to the home dir and xdm will fail forcing it to
write to /tmp dir.  
I believe that is the way it should work.

Dan

Comment 4 Aleksey Nogin 2004-03-31 00:36:23 EST

What about utemper? I am getting 

audit(1080711300.469:0): avc:  denied  { getattr } for  pid=27008
exe=/usr/sbin/utempter path=/tmp/xses-aleksey.OU2533 dev=hda2
ino=343507 scontext=aleksey:staff_r:utempter_t
tcontext=aleksey:object_r:staff_tmp_t tclass=file

and I was getting similar write denied messages until I added an allow
for them.

Comment 5 Ngo Than 2004-04-01 07:00:31 EST

kdebase just uses Xsession file in xinitrc. It assign it to correct
component

Comment 6 Aleksey Nogin 2004-04-01 07:29:12 EST

*** Bug 119506 has been marked as a duplicate of this bug. ***

Comment 7 Tim Waugh 2004-04-21 09:13:01 EDT

It would be nice if this could go in the release notes (the fact that
your .xsession-errors in now in /tmp).

Comment 8 Mike A. Harris 2004-10-05 07:39:57 EDT

Please try Fedora Core 3 test 2 or later, as this problem may
be fixed now.  If the problem persists, please update the status.

Thanks in advance.

Note You need to log in before you can comment on or make changes to this bug.