Bug 450153 - installed nxclient from nomachine.com and tried to make it do a localhost connection and it failed
installed nxclient from nomachine.com and tried to make it do a localhost con...
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
i686 Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2008-06-05 11:55 EDT by Harish Pillay
Modified: 2008-08-01 11:49 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-08-01 11:49:48 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Harish Pillay 2008-06-05 11:55:08 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9b5) Gecko/2008043010 Fedora/3.0-0.60.beta5.fc9 Firefox/3.0b5

Description of problem:


SELinux is preventing sshd (sshd_t) "read" to authorized_keys (var_lib_t).

Detailed Description:

SELinux denied access requested by sshd. It is not expected that this access is
required by sshd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for authorized_keys,

restorecon -v 'authorized_keys'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                authorized_keys [ lnk_file ]
Source                        sshd
Source Path                   /usr/sbin/sshd
Port                          <Unknown>
Host                          vivek.temasek.net
Source RPM Packages           openssh-server-5.0p1-1.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-55.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     vivek.temasek.net
Platform                      Linux vivek.temasek.net #1
                              SMP Tue May 13 05:38:53 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Fri 06 Jun 2008 07:41:28 AM SGT
Last Seen                     Fri 06 Jun 2008 07:48:10 AM SGT
Local ID                      518ea9f6-9075-410c-92c2-9de6883fc62e
Line Numbers                  

Raw Audit Messages            

host=vivek.temasek.net type=AVC msg=audit(1212709690.377:110): avc:  denied  { read } for  pid=11181 comm="sshd" name="authorized_keys" dev=sda7 ino=517237 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file

host=vivek.temasek.net type=SYSCALL msg=audit(1212709690.377:110): arch=40000003 syscall=195 success=no exit=-13 a0=b82f18f0 a1=bfaa86f0 a2=6d7ff4 a3=b82f18f0 items=0 ppid=2122 pid=11181 auid=4294967295 uid=0 gid=0 euid=495 suid=0 fsuid=495 egid=490 sgid=0 fsgid=490 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.install freenx and nx followed by nxclient from nomachine.com
2. start nxclient and try to connect to localhost
3. selinux denial

Actual Results:
selinux denied access.  tried to run the recommended restorecon command which worked, but still failed to let nxclient through.

Expected Results:
logged in into the machine via nomachine's nxclient.

Additional info:
Comment 1 Daniel Walsh 2008-06-05 13:51:00 EDT
Do you have a symbolic link in /var/lib named authorized_keys?

What package owns it?  What is it's full path?

Note You need to log in before you can comment on or make changes to this bug.