Bug 390001 - nxserver selinux issue
nxserver selinux issue
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
8
All Linux
low Severity low
: ---
: ---
Assigned To: Radek Vokal
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-11-19 01:39 EST by Need Real Name
Modified: 2008-11-17 17:02 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-11-17 17:02:42 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Need Real Name 2007-11-19 01:39:59 EST
When I try to run nx on my freshly installed f8 install, I get the following
error message:
/usr/libexec/nx/nxserver: Permission denied

As part of my troubleshooting, I tried to ssh directly into the nx account (e.g.
ssh nx@target-machine) which gave the same error message.

The corresponding avc error message is:
avc:  denied  { execute } for  pid=5595 comm="sshd" name="nxserver" dev=sda7
ino=2073303 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:bin_t:s0 tclass=file

Note that nxserver is the shell specified for user nx in the /etc/passwd file
and has the following SELinux context:
-rwxr-xr-x  root root system_u:object_r:bin_t:s0       /usr/libexec/nx/nxserver
Comment 1 Roman Danilov 2008-01-04 11:10:13 EST
I had the same same problem, but...

IMHO, some of the following "any-keyed :-)" commands helps me:

# chcon -t bin_t /usr/sbin/sshd
# chcon -t bin_t /usr/libexec/nx/nxserver
# /etc/rc.d/init.d/sshd restart

Try this!
Comment 2 Need Real Name 2008-01-04 11:24:57 EST
I'm a little hesitant about changing the selinux context for a core security
program like sshd since I'm sure the selinux gurus had some good reason for
assigning sshd the context of sshd_exec_t.

Comment 3 Josef Kubin 2008-01-07 20:31:21 EST
fixed, latest packages solving your problem are available here:
http://people.redhat.com/jkubin/selinux/
Comment 4 Need Real Name 2008-01-07 21:58:47 EST
Any idea when these will be rolled into updates?
Thanks
Comment 5 Daniel Walsh 2008-02-26 16:35:29 EST
Fixed in selinux-policy-3.0.8-89.fc8
Comment 6 Tony Fu 2008-10-05 21:27:55 EDT
User jkubin@redhat.com's account has been closed
Comment 7 Daniel Walsh 2008-11-17 17:02:42 EST
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.

Note You need to log in before you can comment on or make changes to this bug.