Bug 417721 - Slew of selinux errors generated by freenx
Slew of selinux errors generated by freenx
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
8
All Linux
low Severity low
: ---
: ---
Assigned To: Radek Vokal
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-12-10 01:59 EST by Need Real Name
Modified: 2008-11-17 17:02 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-11-17 17:02:44 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Need Real Name 2007-12-10 01:59:07 EST
Description of problem:
Running freenx generates a slew of selinux errors, many of them seem to be
related to the temporary directories that freenx creates to store session
information in /home/<user>/.nx/C-<hostname>-<display>-<hex identifier>.
The others seems to be related to sshd permissions issues.

Here are a sampling of those errors:

type=AVC msg=audit(1197264856.629:4512): avc:  denied  { append } for  pid=1845\
4 comm="pam_timestamp_c" path="/home/myname/.nx/C-mymachine.mydomain-2001-7A1C7\
F0998BC2108FE07A4A47CB0C9B8/session" dev=sda7 ino=228095 scontext=system_u:syst\
em_r:pam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1197264856.700:4513): avc:  denied  { getattr } for  pid=184\
54 comm="pam_timestamp_c" path="/home/myname/.nx/C-mymachine.mydomain-2001-7A1C\
7F0998BC2108FE07A4A47CB0C9B8/session" dev=sda7 ino=228095 scontext=system_u:sys\
tem_r:pam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=fil\
e
type=AVC msg=audit(1197264856.721:4514): avc:  denied  { ioctl } for  pid=18454\
 comm="pam_timestamp_c" path="/home/myname/.nx/C-mymachine.mydomain-2001-7A1C7F\
0998BC2108FE07A4A47CB0C9B8/session" dev=sda7 ino=228095 scontext=system_u:syste\
m_r:pam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file



type=AVC msg=audit(1197265599.554:4597): avc:  denied  { execute } for  pid=200\
66 comm="sshd" name="nxserver" dev=sda7 ino=1684433 scontext=system_u:system_r:\
sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1197265599.554:4597): avc:  denied  { read } for  pid=20066 \
comm="sshd" name="nxserver" dev=sda7 ino=1684433 scontext=system_u:system_r:ssh\
d_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
Comment 1 Daniel Walsh 2007-12-10 18:26:19 EST
Since I have no clue how to set this up, could you tell me how you configured
it, and how you tested it?
Comment 2 Need Real Name 2007-12-11 00:57:53 EST
You can generate the errors as follows. Set up an NX client on another machine
(I use NoMachines 'free' nx client for Windows) and use it to login in to the
freenx server running on a Fedora8 host. Note that to get this to work you will
need to set up a bunch of different ssh keys. (If you need additional help in
setting this up, I can walk you through it)

In case you are not familiar with how it all works. The key to remember is that
first the (remote) client sets up an ssh connection from the client machine to
user 'nx' on the (local) nx server. Then user nx sets up a second local ssh
connection from user nx on the nx server machine to the target user on the nx
server machine.

The first pair of selinux error messages  (comm=sshd, name="nxserver" execute &
read) occur during the first ssh connection from the remote client to user nx on
the nx server machine. /usr/libexec/nx/nxserver is actually user nx's default
shell (as specified in /etc/passwd). This selinux error can be prevented by
changing the selinux context of /etc/libexec/nx/nxserver from
system_u:object_r:bin_t to system_u:object_r:shell_exec_t, presumably in keeping
with nxserver acting as a pseudo shell.

However, I'm not sure if that is the right fix or whether a change should be
made to the selinux policy file. Perhaps that is something you and Axel (the
maintainer of freenx) should discuss.

The other 3 selinux messsges (comm="pam_timestamp"
path="/home/myname/.nx/C-mymachine.mydomain-2001-<hex string>/session" append,
getattr & ioctl) occur after the second ssh connection is made and partway
through the gnome session login. When selinux is enforcing (and these actions
are blocked) the only affect I really notice is that some of the gnome panel
applet icons are missing. Note that the file
/home/myname/.nx/C-mymachine.mydomain-2001-<hex string>/session is a log file
recording communication to the nxserver, including some gnome panel and applet
messages.

Let me know if you need more info....
Comment 3 Josef Kubin 2007-12-11 15:00:21 EST
Hi, I was sick, and now I'm back.
I have reproduced it successfuly, but I don't have clue how to write a correct
new rule for selinux-policy which really works ...
I'll have to discuss it with Dan.
Thank you for patience.
Comment 4 Josef Kubin 2007-12-13 02:38:27 EST
SELinux world is constantly under development, therefore I was a little bit
confused.
Latest packages fixing your problem:
http://people.redhat.com/jkubin/selinux/
Comment 5 Need Real Name 2007-12-13 09:38:26 EST
THANKS - Looking forward to playing with them
Comment 6 Need Real Name 2007-12-18 11:24:39 EST
Any idea when these will make it into the next selinux policy updates rpm?
Comment 7 Need Real Name 2007-12-31 11:15:23 EST
I am using selinux-policy-3.0.8-72.fc8 (vs 3.0.8-69 referenced in the above
link) and *some* of the error messages still persist.

Specifically the "ioctl" and "getattr" errors have gone away.

However, I still get the "append" error:
type=AVC msg=audit(1197264856.629:4512): avc:  denied  { append } for  pid=1845\
4 comm="pam_timestamp_c" path="/home/myname/.nx/C-mymachine.mydomain-2001-7A1C7\
F0998BC2108FE07A4A47CB0C9B8/session" dev=sda7 ino=228095 scontext=system_u:syst\
em_r:pam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file

and I also still get the two nxserver errors ("execute", "read"):
type=AVC msg=audit(1197265599.554:4597): avc:  denied  { execute } for  pid=200\
66 comm="sshd" name="nxserver" dev=sda7 ino=1684433 scontext=system_u:system_r:\
sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1197265599.554:4597): avc:  denied  { read } for  pid=20066 \
comm="sshd" name="nxserver" dev=sda7 ino=1684433 scontext=system_u:system_r:ssh\
d_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file


Comment 8 Josef Kubin 2008-01-07 21:00:15 EST
Yeah, old packages had some issues ... therefore I didn't commit them for
update. Now the problem is fixed - no conflict with SELinux.
http://people.redhat.com/jkubin/selinux/
Comment 9 Need Real Name 2008-01-15 13:38:40 EST
I'm still getting the following selinux errors with freenx:

denied  { execute } for  pid=3867 comm="sshd" name="nxserver" dev=sda7
ino=1146195 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:bin_t:s0 tclass=file

denied  { read } for  pid=3867 comm="sshd" name="nxserver" dev=sda7 ino=1146195
scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:bin_t:s0 tclass=file

denied  { append } for  pid=4965 comm="pam_timestamp_c"
path="/home/myname/.nx/C-mymachine.domain-2001-6B56685DCDB34243AEF3C0ACD57F3F22/session"
dev=sda7 ino=50960 scontext=unconfined_u:system_r:pam_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:unconfined_home_t:s0 tclass=file


Am I doing something wrong since I still seem to be getting basically the same
errors. Note I am using:
selinux-policy-targeted-3.0.8-74.fc8.noarch.rpm
nx-2.1.0-22.fc7.i386.rpm
freenx-0.7.1-3.fc8

Comment 10 Josef Kubin 2008-01-15 14:16:44 EST
fixed in selinux-policy-3.0.8-77
Comment 11 Need Real Name 2008-02-07 17:05:44 EST
I have selinux-policy-3.0.8-81.fc8.noarch.rpm and I am still getting the
following nxserver errors:

denied  { execute } for  pid=29690 comm="sshd" name="nxserver" dev=sda7
ino=1146195 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:bin_t:s0 tclass=file

denied  { read } for  pid=29690 comm="sshd" name="nxserver" dev=sda7 ino=1146195
scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:bin_t:s0 tclass=file
Comment 12 Josef Kubin 2008-02-21 07:52:38 EST
*Sigh* , Dan forgot to merge my patch for freenx ...
I'll ask him to do it.
Please use my packages until he really merge it.

http://people.redhat.com/jkubin/selinux/F8/

# rpm -U --replacepkgs selinux-policy-*

or

# grep '\(pam_timestamp_c\|nxserver\)' /var/log/audit/audit.log | audit2allow -M
fix4nx
# semodule -i fix4nx.pp
Comment 13 Tony Fu 2008-10-05 21:28:00 EDT
User jkubin@redhat.com's account has been closed
Comment 14 Daniel Walsh 2008-11-17 17:02:44 EST
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.

Note You need to log in before you can comment on or make changes to this bug.