Description of problem: Running freenx generates a slew of selinux errors, many of which seem to be related to the temporary directories that freenx creates to store session information in /home/<user>/.nx/C-<hostname>-<display>-<hex identifier>. The others seem to be related to sshd permissions issues. Here is a sampling of those errors:

type=AVC msg=audit(1197264856.629:4512): avc: denied { append } for pid=18454 comm="pam_timestamp_c" path="/home/myname/.nx/C-mymachine.mydomain-2001-7A1C7F0998BC2108FE07A4A47CB0C9B8/session" dev=sda7 ino=228095 scontext=system_u:system_r:pam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1197264856.700:4513): avc: denied { getattr } for pid=18454 comm="pam_timestamp_c" path="/home/myname/.nx/C-mymachine.mydomain-2001-7A1C7F0998BC2108FE07A4A47CB0C9B8/session" dev=sda7 ino=228095 scontext=system_u:system_r:pam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1197264856.721:4514): avc: denied { ioctl } for pid=18454 comm="pam_timestamp_c" path="/home/myname/.nx/C-mymachine.mydomain-2001-7A1C7F0998BC2108FE07A4A47CB0C9B8/session" dev=sda7 ino=228095 scontext=system_u:system_r:pam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1197265599.554:4597): avc: denied { execute } for pid=20066 comm="sshd" name="nxserver" dev=sda7 ino=1684433 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1197265599.554:4597): avc: denied { read } for pid=20066 comm="sshd" name="nxserver" dev=sda7 ino=1684433 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
Since I have no clue how to set this up, could you tell me how you configured it, and how you tested it?
You can generate the errors as follows. Set up an NX client on another machine (I use NoMachine's 'free' nx client for Windows) and use it to log in to the freenx server running on a Fedora8 host. Note that to get this to work you will need to set up a bunch of different ssh keys. (If you need additional help in setting this up, I can walk you through it.)

In case you are not familiar with how it all works, the key to remember is that first the (remote) client sets up an ssh connection from the client machine to user 'nx' on the (local) nx server. Then user nx sets up a second local ssh connection from user nx on the nx server machine to the target user on the nx server machine.

The first pair of selinux error messages (comm=sshd, name="nxserver" execute & read) occur during the first ssh connection from the remote client to user nx on the nx server machine. /usr/libexec/nx/nxserver is actually user nx's default shell (as specified in /etc/passwd). This selinux error can be prevented by changing the selinux context of /etc/libexec/nx/nxserver from system_u:object_r:bin_t to system_u:object_r:shell_exec_t, presumably in keeping with nxserver acting as a pseudo shell. However, I'm not sure if that is the right fix or whether a change should be made to the selinux policy file. Perhaps that is something you and Axel (the maintainer of freenx) should discuss.

The other 3 selinux messages (comm="pam_timestamp" path="/home/myname/.nx/C-mymachine.mydomain-2001-<hex string>/session" append, getattr & ioctl) occur after the second ssh connection is made and partway through the gnome session login. When selinux is enforcing (and these actions are blocked) the only effect I really notice is that some of the gnome panel applet icons are missing. Note that the file /home/myname/.nx/C-mymachine.mydomain-2001-<hex string>/session is a log file recording communication to the nxserver, including some gnome panel and applet messages.

Let me know if you need more info....
Hi, I was sick, and now I'm back. I have reproduced it successfully, but I don't have a clue how to write a correct new rule for selinux-policy which really works ... I'll have to discuss it with Dan. Thank you for your patience.
The SELinux world is constantly under development, therefore I was a little bit confused. Latest packages fixing your problem: http://people.redhat.com/jkubin/selinux/
THANKS - Looking forward to playing with them
Any idea when these will make it into the next selinux policy updates rpm?
I am using selinux-policy-3.0.8-72.fc8 (vs 3.0.8-69 referenced in the above link) and *some* of the error messages still persist. Specifically the "ioctl" and "getattr" errors have gone away. However, I still get the "append" error:

type=AVC msg=audit(1197264856.629:4512): avc: denied { append } for pid=18454 comm="pam_timestamp_c" path="/home/myname/.nx/C-mymachine.mydomain-2001-7A1C7F0998BC2108FE07A4A47CB0C9B8/session" dev=sda7 ino=228095 scontext=system_u:system_r:pam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file

and I also still get the two nxserver errors ("execute", "read"):

type=AVC msg=audit(1197265599.554:4597): avc: denied { execute } for pid=20066 comm="sshd" name="nxserver" dev=sda7 ino=1684433 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1197265599.554:4597): avc: denied { read } for pid=20066 comm="sshd" name="nxserver" dev=sda7 ino=1684433 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
Yeah, old packages had some issues ... therefore I didn't commit them for update. Now the problem is fixed - no conflict with SELinux. http://people.redhat.com/jkubin/selinux/
I'm still getting the following selinux errors with freenx:

denied { execute } for pid=3867 comm="sshd" name="nxserver" dev=sda7 ino=1146195 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
denied { read } for pid=3867 comm="sshd" name="nxserver" dev=sda7 ino=1146195 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
denied { append } for pid=4965 comm="pam_timestamp_c" path="/home/myname/.nx/C-mymachine.domain-2001-6B56685DCDB34243AEF3C0ACD57F3F22/session" dev=sda7 ino=50960 scontext=unconfined_u:system_r:pam_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_home_t:s0 tclass=file

Am I doing something wrong, since I still seem to be getting basically the same errors? Note I am using:

selinux-policy-targeted-3.0.8-74.fc8.noarch.rpm
nx-2.1.0-22.fc7.i386.rpm
freenx-0.7.1-3.fc8
fixed in selinux-policy-3.0.8-77
I have selinux-policy-3.0.8-81.fc8.noarch.rpm and I am still getting the following nxserver errors:

denied { execute } for pid=29690 comm="sshd" name="nxserver" dev=sda7 ino=1146195 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
denied { read } for pid=29690 comm="sshd" name="nxserver" dev=sda7 ino=1146195 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
*Sigh*, Dan forgot to merge my patch for freenx ... I'll ask him to do it. Please use my packages until he really merges it. http://people.redhat.com/jkubin/selinux/F8/

# rpm -U --replacepkgs selinux-policy-*

or

# grep '\(pam_timestamp_c\|nxserver\)' /var/log/audit/audit.log | audit2allow -M fix4nx
# semodule -i fix4nx.pp
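The comments above work with two ideas: reading the AVC records to see which source domain is denied which permission on which target type (comment 3), and feeding the filtered records to audit2allow to build a local policy module (the grep | audit2allow -M fix4nx step right above). The script below is an added, stand-alone illustration of both; it is not code from this bug, from freenx or from the selinux-policy package. It parses the AVC lines quoted in this thread (the first five are the ones from the description with the line-wrap artifacts joined back together, the last is the short form from comment 10), groups the denials the way audit2allow does, by (source type, target type, object class), and prints an approximation of the type-enforcement module audit2allow -M would write; the real tool adds comments and extra details that are left out here. The function names and the login_shell_mislabels heuristic, which simply flags sshd_t being denied execute on a bin_t file because comment 3 says the right answer for a login shell is the shell_exec_t label rather than an allow rule, are my own assumptions. Generating such a module from a triage script is useful for seeing exactly what a blanket allow rule would grant before loading it with semodule.

```python
import re
from collections import defaultdict

# AVC denials copied from this bug thread (wrapped lines joined). The last one
# uses the short form without the "type=AVC msg=audit(...)" prefix.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1197264856.629:4512): avc: denied { append } for pid=18454 comm="pam_timestamp_c" path="/home/myname/.nx/C-mymachine.mydomain-2001-7A1C7F0998BC2108FE07A4A47CB0C9B8/session" dev=sda7 ino=228095 scontext=system_u:system_r:pam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file',
    'type=AVC msg=audit(1197264856.700:4513): avc: denied { getattr } for pid=18454 comm="pam_timestamp_c" path="/home/myname/.nx/C-mymachine.mydomain-2001-7A1C7F0998BC2108FE07A4A47CB0C9B8/session" dev=sda7 ino=228095 scontext=system_u:system_r:pam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file',
    'type=AVC msg=audit(1197264856.721:4514): avc: denied { ioctl } for pid=18454 comm="pam_timestamp_c" path="/home/myname/.nx/C-mymachine.mydomain-2001-7A1C7F0998BC2108FE07A4A47CB0C9B8/session" dev=sda7 ino=228095 scontext=system_u:system_r:pam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file',
    'type=AVC msg=audit(1197265599.554:4597): avc: denied { execute } for pid=20066 comm="sshd" name="nxserver" dev=sda7 ino=1684433 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file',
    'type=AVC msg=audit(1197265599.554:4597): avc: denied { read } for pid=20066 comm="sshd" name="nxserver" dev=sda7 ino=1684433 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file',
    'denied { append } for pid=4965 comm="pam_timestamp_c" path="/home/myname/.nx/C-mymachine.domain-2001-6B56685DCDB34243AEF3C0ACD57F3F22/session" dev=sda7 ino=50960 scontext=unconfined_u:system_r:pam_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_home_t:s0 tclass=file',
]

# "avc:" is optional so both the full audit.log form and the short form parse.
AVC_RE = re.compile(r'(?:avc:\s+)?denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
# key=value pairs; values are either double-quoted or a run of non-space chars.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context):
    """Return the type component of user:role:type[:range]."""
    return context.split(':')[2]


def parse_avc(line):
    """Parse one AVC denial into a dict, or return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'perms': m.group('perms').split(),
        'pid': fields.get('pid'),
        'comm': fields.get('comm'),
        # file denials carry either a full path or just the file name
        'target': fields.get('path') or fields.get('name'),
        'stype': _type_of(fields['scontext']),
        'ttype': _type_of(fields['tcontext']),
        'tclass': fields['tclass'],
    }


def parse_log(lines):
    """Parse every AVC line, silently skipping lines that are not denials."""
    return [r for r in (parse_avc(l) for l in lines) if r is not None]


def group_denials(records):
    """Merge permissions per (source type, target type, class), as audit2allow does."""
    rules = defaultdict(set)
    for r in records:
        rules[(r['stype'], r['ttype'], r['tclass'])].update(r['perms'])
    return dict(rules)


def to_te_module(rules, name='fix4nx'):
    """Render grouped denials as an approximation of audit2allow's .te output."""
    types = sorted({t for (s, tt, _) in rules for t in (s, tt)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f'module {name} 1.0;', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {c} {{ {" ".join(sorted(classes[c]))} }};' for c in sorted(classes)]
    out += ['}', '']
    for (s, tt, cls) in sorted(rules):
        out.append(f'allow {s} {tt}:{cls} {{ {" ".join(sorted(rules[(s, tt, cls)]))} }};')
    return '\n'.join(out)


def login_shell_mislabels(records):
    """Heuristic (mine, based on comment 3): sshd_t denied execute on a bin_t file
    is a binary acting as a login shell; relabeling to shell_exec_t is the better
    fix than allowing sshd_t to execute arbitrary bin_t files."""
    return {r['target'] for r in records
            if r['stype'] == 'sshd_t' and r['ttype'] == 'bin_t'
            and r['tclass'] == 'file' and 'execute' in r['perms']}


if __name__ == '__main__':
    recs = parse_log(SAMPLE_AVCS)
    print(to_te_module(group_denials(recs)))
    for name in sorted(login_shell_mislabels(recs)):
        print(f'# {name}: consider shell_exec_t label instead of an allow rule')
```

Run it as-is to see the allow rules the sample denials would turn into; to triage a real system, replace SAMPLE_AVCS with the lines from /var/log/audit/audit.log that the grep in the comment above selects, and compare the generated module with what audit2allow -M produces before deciding whether a rule or a relabel is the right answer.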
User jkubin's account has been closed
Closing all bugs that have been in modified for over a month. Please reopen if the bug is not actually fixed.