Bug 472907 - (staff_u) When connecting with ssh -Y to other computer SELinux is preventing xauth (xauth_t) "write" to ./auth-for-matej-sf0pgk (xdm_var_run_t).
(staff_u) When connecting with ssh -Y to other computer SELinux is preventing...
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: xorg-x11-xauth (Show other bugs)
11
All Linux
medium Severity medium
: ---
: ---
Assigned To: Søren Sandmann Pedersen
Fedora Extras Quality Assurance
: SELinux
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-11-25 10:39 EST by Matěj Cepl
Modified: 2014-06-18 05:10 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-11-20 16:16:00 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Matěj Cepl 2008-11-25 10:39:03 EST
Souhrn:

SELinux is preventing xauth (xauth_t) "write" to ./auth-for-matej-sf0pgk
(xdm_var_run_t).

Podrobný popis:

SELinux denied access requested by xauth. It is not expected that this access is
required by xauth and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Povolení přístupu:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./auth-for-matej-sf0pgk,

restorecon -v './auth-for-matej-sf0pgk'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Další informace:

Kontext zdroje                staff_u:staff_r:xauth_t:SystemLow-SystemHigh
Kontext cíle                 system_u:object_r:xdm_var_run_t
Objekty cíle                 ./auth-for-matej-sf0pgk [ dir ]
Zdroj                         xauth
Cesta zdroje                  /usr/bin/xauth
Port                          <Neznámé>
Počítač                    viklef
RPM balíčky zdroje          xorg-x11-xauth-1.0.2-5.fc10
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.5.13-20.fc10
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Enforcing
Název zásuvného modulu     catchall_file
Název počítače            viklef
Platforma                     Linux viklef 2.6.27.5-120.fc10.i686 #1 SMP Tue Nov
                              18 20:12:41 EST 2008 i686 i686
Počet upozornění           20
Poprvé viděno               Út 25. listopad 2008, 16:27:39 CET
Naposledy viděno             Út 25. listopad 2008, 16:35:18 CET
Místní ID                   d3cd1659-e5b2-4ade-b6d0-69ff317b781a
Čísla řádků              

Původní zprávy auditu      

node=viklef type=AVC msg=audit(1227627318.33:61): avc:  denied  { write } for  pid=5148 comm="xauth" name="auth-for-matej-sf0pgk" dev=dm-0 ino=1275405 scontext=staff_u:staff_r:xauth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_run_t:s0 tclass=dir

node=viklef type=SYSCALL msg=audit(1227627318.33:61): arch=40000003 syscall=5 success=no exit=-13 a0=bfd78ae7 a1=c1 a2=180 a3=ffffffff items=0 ppid=5147 pid=5148 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 ses=1 comm="xauth" exe="/usr/bin/xauth" subj=staff_u:staff_r:xauth_t:s0-s0:c0.c1023 key=(null)
Comment 1 Matěj Cepl 2008-11-25 10:45:47 EST
Tomáš, does it make any sense to you?
Comment 2 Daniel Walsh 2008-11-25 11:14:01 EST
You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.5.13-25.fc10
Comment 3 Matěj Cepl 2009-01-27 17:49:27 EST
Souhrn:

SELinux is preventing xauth (xauth_t) "read write" staff_ssh_t.

Podrobný popis:

SELinux denied access requested by xauth. It is not expected that this access is
required by xauth and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Povolení přístupu:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Další informace:

Kontext zdroje                staff_u:staff_r:xauth_t:s0-s0:c0.c1023
Kontext cíle                 staff_u:staff_r:staff_ssh_t:s0-s0:c0.c1023
Objekty cíle                 socket [ tcp_socket ]
Zdroj                         xauth
Cesta zdroje                  /usr/bin/xauth
Port                          <Neznámé>
Počítač                    viklef.ceplovi.cz
RPM balíčky zdroje          xorg-x11-xauth-1.0.2-5.fc10
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.5.13-40.fc10
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Enforcing
Název zásuvného modulu     catchall
Název počítače            viklef.ceplovi.cz
Platforma                     Linux viklef.ceplovi.cz 2.6.27.9-159.fc10.x86_64
                              #1 SMP Tue Dec 16 14:47:52 EST 2008 x86_64 x86_64
Počet upozornění           1
Poprvé viděno               Út 27. leden 2009, 23:48:37 CET
Naposledy viděno             Út 27. leden 2009, 23:48:37 CET
Místní ID                   cbcf566e-e4c2-4930-8da6-83116c6bf82a
Čísla řádků              

Původní zprávy auditu      

node=viklef.ceplovi.cz type=AVC msg=audit(1233096517.847:855): avc:  denied  { read write } for  pid=13669 comm="xauth" path="socket:[5359865]" dev=sockfs ino=5359865 scontext=staff_u:staff_r:xauth_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_ssh_t:s0-s0:c0.c1023 tclass=tcp_socket

node=viklef.ceplovi.cz type=AVC msg=audit(1233096517.847:855): avc:  denied  { read write } for  pid=13669 comm="xauth" path="socket:[5359866]" dev=sockfs ino=5359866 scontext=staff_u:staff_r:xauth_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_ssh_t:s0-s0:c0.c1023 tclass=tcp_socket

node=viklef.ceplovi.cz type=SYSCALL msg=audit(1233096517.847:855): arch=c000003e syscall=59 success=yes exit=0 a0=e98300 a1=e96740 a2=e96330 a3=3c5c96da70 items=0 ppid=13668 pid=13669 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="xauth" exe="/usr/bin/xauth" subj=staff_u:staff_r:xauth_t:s0-s0:c0.c1023 key=(null)
Comment 4 Matěj Cepl 2009-01-27 17:51:05 EST
... but vncviewer opens and works
Comment 5 Matěj Cepl 2009-01-27 17:53:24 EST
... a sure way how to reproduce is to try

vncviewer -via <remote computer> localhost:1

as staff_u user (remote computer has plain Fedora with SELinux enforcing)
Comment 6 Tomas Mraz 2009-01-28 03:45:12 EST
What openssh n-v-r are you running?
Comment 7 Matěj Cepl 2009-01-28 04:03:48 EST
[matej@viklef ~]$ rpm -q openssh
openssh-5.1p1-3.fc10.x86_64
[matej@viklef ~]$ ssh hubmaier rpm -q openssh
openssh-5.1p1-5.fc11.x86_64
[matej@viklef ~]$
Comment 8 Tomas Mraz 2009-01-28 04:55:51 EST
Could you try to recompile the openssh-5.1p1-5.fc11 on F10 and install it on the client? It should fix the problem.
Comment 9 Matěj Cepl 2009-01-28 10:37:51 EST
Yes, please. Thanks. Will we get an update?
Comment 10 Bug Zapper 2009-06-09 05:55:31 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 11 Matěj Cepl 2009-11-05 13:20:39 EST
Since this bugzilla report was filed, there have been several major updates in various components of the Xorg system, which may have resolved this issue. Users who have experienced this problem are encouraged to upgrade their system to the latest version of their packages. For packages from updates-testing repository you can use command

yum upgrade --enablerepo='*-updates-testing'

Alternatively, you can also try to test whether this bug is reproducible with the upcoming Fedora 12 distribution by downloading LiveMedia of F12 Beta available at http://alt.fedoraproject.org/pub/alt/nightly-composes/ . By using that you get all the latest packages without need to install anything on your computer. For more information on using LiveMedia take a look at https://fedoraproject.org/wiki/FedoraLiveCD .

Please, if you experience this problem on the up-to-date system, let us now in the comment for this bug, or whether the upgraded system works for you.

If you won't be able to reply in one month, I will have to close this bug as INSUFFICIENT_DATA. Thank you.

[This is a bulk message for all open Fedora Rawhide Xorg-related bugs. I'm adding myself to the CC list for each bug, so I'll see any comments you make after this and do my best to make sure every issue gets proper attention.]
Comment 12 Martin Frydl 2009-11-20 12:37:14 EST
Just found the same issue on Fedora 12 with latest updates:

Summary:

SELinux is preventing /usr/bin/xauth "write" access on martin.

Detailed Description:

SELinux denied access requested by xauth. It is not expected that this access is
required by xauth and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023
Target Context                system_u:object_r:default_t:s0
Target Objects                martin [ dir ]
Source                        xauth
Source Path                   /usr/bin/xauth
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           xorg-x11-xauth-1.0.2-7.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-41.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux javor 2.6.31.5-127.fc12.i686.PAE #1 SMP Sat
                              Nov 7 21:25:57 EST 2009 i686 i686
Alert Count                   48
First Seen                    Fri 20 Nov 2009 06:09:32 PM CET
Last Seen                     Fri 20 Nov 2009 06:34:36 PM CET
Local ID                      ccaa4b0f-fd65-4ff3-836b-5247f53a0764
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1258738476.829:124): avc:  denied  { write } for  pid=2356 comm="xauth" name="martin" dev=dm-1 ino=139385 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir

node=(removed) type=SYSCALL msg=audit(1258738476.829:124): arch=40000003 syscall=5 success=no exit=-13 a0=bff95abb a1=c1 a2=180 a3=3 items=0 ppid=2355 pid=2356 auid=617 uid=617 gid=617 euid=617 suid=617 fsuid=617 egid=617 sgid=617 fsgid=617 tty=pts0 ses=4 comm="xauth" exe="/usr/bin/xauth" subj=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 key=(null)
Comment 13 Daniel Walsh 2009-11-20 16:16:00 EST
This is a labeling issue, and your machine does not seem to be fully updated.  Looks like an old setroubleshoot message

the martin directory should not have the default label.

Note You need to log in before you can comment on or make changes to this bug.