Summary: SELinux is preventing xauth (xauth_t) "write" to ./auth-for-matej-sf0pgk (xdm_var_run_t).

Detailed Description: SELinux denied access requested by xauth. It is not expected that this access is required by xauth and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access: Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./auth-for-matej-sf0pgk:
restorecon -v './auth-for-matej-sf0pgk'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:
Source Context        staff_u:staff_r:xauth_t:SystemLow-SystemHigh
Target Context        system_u:object_r:xdm_var_run_t
Target Objects        ./auth-for-matej-sf0pgk [ dir ]
Source                xauth
Source Path           /usr/bin/xauth
Port                  <Unknown>
Host                  viklef
Source RPM Packages   xorg-x11-xauth-1.0.2-5.fc10
Target RPM Packages
Policy RPM            selinux-policy-3.5.13-20.fc10
Selinux Enabled       True
Policy Type           targeted
MLS Enabled           True
Enforcing Mode        Enforcing
Plugin Name           catchall_file
Host Name             viklef
Platform              Linux viklef 2.6.27.5-120.fc10.i686 #1 SMP Tue Nov 18 20:12:41 EST 2008 i686 i686
Alert Count           20
First Seen            Tue 25 Nov 2008, 16:27:39 CET
Last Seen             Tue 25 Nov 2008, 16:35:18 CET
Local ID              d3cd1659-e5b2-4ade-b6d0-69ff317b781a
Line Numbers

Raw Audit Messages
node=viklef type=AVC msg=audit(1227627318.33:61): avc: denied { write } for pid=5148 comm="xauth" name="auth-for-matej-sf0pgk" dev=dm-0 ino=1275405 scontext=staff_u:staff_r:xauth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_run_t:s0 tclass=dir
node=viklef type=SYSCALL msg=audit(1227627318.33:61): arch=40000003 syscall=5 success=no exit=-13 a0=bfd78ae7 a1=c1 a2=180 a3=ffffffff items=0 ppid=5147 pid=5148 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 ses=1 comm="xauth" exe="/usr/bin/xauth" subj=staff_u:staff_r:xauth_t:s0-s0:c0.c1023 key=(null)
Tomáš, does it make any sense to you?
You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.5.13-25.fc10
Summary: SELinux is preventing xauth (xauth_t) "read write" staff_ssh_t.

Detailed Description: SELinux denied access requested by xauth. It is not expected that this access is required by xauth and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:
Source Context        staff_u:staff_r:xauth_t:s0-s0:c0.c1023
Target Context        staff_u:staff_r:staff_ssh_t:s0-s0:c0.c1023
Target Objects        socket [ tcp_socket ]
Source                xauth
Source Path           /usr/bin/xauth
Port                  <Unknown>
Host                  viklef.ceplovi.cz
Source RPM Packages   xorg-x11-xauth-1.0.2-5.fc10
Target RPM Packages
Policy RPM            selinux-policy-3.5.13-40.fc10
Selinux Enabled       True
Policy Type           targeted
MLS Enabled           True
Enforcing Mode        Enforcing
Plugin Name           catchall
Host Name             viklef.ceplovi.cz
Platform              Linux viklef.ceplovi.cz 2.6.27.9-159.fc10.x86_64 #1 SMP Tue Dec 16 14:47:52 EST 2008 x86_64 x86_64
Alert Count           1
First Seen            Tue 27 Jan 2009, 23:48:37 CET
Last Seen             Tue 27 Jan 2009, 23:48:37 CET
Local ID              cbcf566e-e4c2-4930-8da6-83116c6bf82a
Line Numbers

Raw Audit Messages
node=viklef.ceplovi.cz type=AVC msg=audit(1233096517.847:855): avc: denied { read write } for pid=13669 comm="xauth" path="socket:[5359865]" dev=sockfs ino=5359865 scontext=staff_u:staff_r:xauth_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_ssh_t:s0-s0:c0.c1023 tclass=tcp_socket
node=viklef.ceplovi.cz type=AVC msg=audit(1233096517.847:855): avc: denied { read write } for pid=13669 comm="xauth" path="socket:[5359866]" dev=sockfs ino=5359866 scontext=staff_u:staff_r:xauth_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_ssh_t:s0-s0:c0.c1023 tclass=tcp_socket
node=viklef.ceplovi.cz type=SYSCALL msg=audit(1233096517.847:855): arch=c000003e syscall=59 success=yes exit=0 a0=e98300 a1=e96740 a2=e96330 a3=3c5c96da70 items=0 ppid=13668 pid=13669 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="xauth" exe="/usr/bin/xauth" subj=staff_u:staff_r:xauth_t:s0-s0:c0.c1023 key=(null)
... but vncviewer opens and works
... a sure way to reproduce this is to try vncviewer -via <remote computer> localhost:1 as a staff_u user (the remote computer has plain Fedora with SELinux enforcing)
What openssh n-v-r are you running?
[matej@viklef ~]$ rpm -q openssh
openssh-5.1p1-3.fc10.x86_64
[matej@viklef ~]$ ssh hubmaier rpm -q openssh
openssh-5.1p1-5.fc11.x86_64
[matej@viklef ~]$
Could you try to recompile the openssh-5.1p1-5.fc11 on F10 and install it on the client? It should fix the problem.
Yes, please. Thanks. Will we get an update?
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle. Changing version to '11'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Since this bugzilla report was filed, there have been several major updates in various components of the Xorg system, which may have resolved this issue. Users who have experienced this problem are encouraged to upgrade their system to the latest version of their packages. For packages from the updates-testing repository you can use the command

yum upgrade --enablerepo='*-updates-testing'

Alternatively, you can also try to test whether this bug is reproducible with the upcoming Fedora 12 distribution by downloading LiveMedia of F12 Beta available at http://alt.fedoraproject.org/pub/alt/nightly-composes/ . By using that you get all the latest packages without the need to install anything on your computer. For more information on using LiveMedia take a look at https://fedoraproject.org/wiki/FedoraLiveCD .

Please, if you experience this problem on the up-to-date system, let us know in a comment for this bug, or whether the upgraded system works for you. If you are not able to reply within one month, I will have to close this bug as INSUFFICIENT_DATA. Thank you.

[This is a bulk message for all open Fedora Rawhide Xorg-related bugs. I'm adding myself to the CC list for each bug, so I'll see any comments you make after this and do my best to make sure every issue gets proper attention.]
Just found the same issue on Fedora 12 with latest updates:

Summary: SELinux is preventing /usr/bin/xauth "write" access on martin.

Detailed Description: SELinux denied access requested by xauth. It is not expected that this access is required by xauth and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:
Source Context        unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023
Target Context        system_u:object_r:default_t:s0
Target Objects        martin [ dir ]
Source                xauth
Source Path           /usr/bin/xauth
Port                  <Unknown>
Host                  (removed)
Source RPM Packages   xorg-x11-xauth-1.0.2-7.fc12
Target RPM Packages
Policy RPM            selinux-policy-3.6.32-41.fc12
Selinux Enabled       True
Policy Type           targeted
Enforcing Mode        Enforcing
Plugin Name           catchall
Host Name             (removed)
Platform              Linux javor 2.6.31.5-127.fc12.i686.PAE #1 SMP Sat Nov 7 21:25:57 EST 2009 i686 i686
Alert Count           48
First Seen            Fri 20 Nov 2009 06:09:32 PM CET
Last Seen             Fri 20 Nov 2009 06:34:36 PM CET
Local ID              ccaa4b0f-fd65-4ff3-836b-5247f53a0764
Line Numbers

Raw Audit Messages
node=(removed) type=AVC msg=audit(1258738476.829:124): avc: denied { write } for pid=2356 comm="xauth" name="martin" dev=dm-1 ino=139385 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
node=(removed) type=SYSCALL msg=audit(1258738476.829:124): arch=40000003 syscall=5 success=no exit=-13 a0=bff95abb a1=c1 a2=180 a3=3 items=0 ppid=2355 pid=2356 auid=617 uid=617 gid=617 euid=617 suid=617 fsuid=617 egid=617 sgid=617 fsgid=617 tty=pts0 ses=4 comm="xauth" exe="/usr/bin/xauth" subj=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 key=(null)
This is a labeling issue, and your machine does not seem to be fully updated. Looks like an old setroubleshoot message; the martin directory should not have the default label.
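Two pieces of advice in this thread are worth checking before acting on them: the "audit2allow -M mypol -l -i /var/log/audit/audit.log" step earlier, which turns every recent denial in the log into allow rules, and the closing remark that the default_t denial is a labeling problem rather than a policy gap. The Python below is an added example, not code from this bug report, from setroubleshoot or from Fedora's audit2allow; it parses AVC records the way audit2allow summarizes them, prints the TE allow rules a local module would contain, and separates out denials whose target type is a generic label (default_t, unlabeled_t), where restorecon is the fix. The sample input is the AVC records pasted in this bug (one SYSCALL record kept, shortened, to show it is skipped); the function names and the RELABEL_TYPES heuristic are this example's own choices.

```python
"""Summarize SELinux AVC denials before turning them into a local policy module."""
import re
from collections import defaultdict

# Constructed sample: the AVC records pasted in this bug report; the SYSCALL
# record is shortened and is present only to show that non-AVC records are skipped.
SAMPLE_AUDIT_LOG = """\
node=viklef type=AVC msg=audit(1227627318.33:61): avc: denied { write } for pid=5148 comm="xauth" name="auth-for-matej-sf0pgk" dev=dm-0 ino=1275405 scontext=staff_u:staff_r:xauth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_run_t:s0 tclass=dir
node=viklef type=SYSCALL msg=audit(1227627318.33:61): arch=40000003 syscall=5 success=no exit=-13 comm="xauth" exe="/usr/bin/xauth"
type=AVC msg=audit(1233096517.847:855): avc: denied { read write } for pid=13669 comm="xauth" path="socket:[5359865]" dev=sockfs ino=5359865 scontext=staff_u:staff_r:xauth_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_ssh_t:s0-s0:c0.c1023 tclass=tcp_socket
type=AVC msg=audit(1233096517.847:855): avc: denied { read write } for pid=13669 comm="xauth" path="socket:[5359866]" dev=sockfs ino=5359866 scontext=staff_u:staff_r:xauth_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_ssh_t:s0-s0:c0.c1023 tclass=tcp_socket
type=AVC msg=audit(1258738476.829:124): avc: denied { write } for pid=2356 comm="xauth" name="martin" dev=dm-1 ino=139385 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
"""

# The fields of an AVC record that a policy rule is written against:
# the permissions in braces, the source and target contexts, and the object class.
AVC_RE = re.compile(
    r"type=AVC\b.*?\bavc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)

# Generic types meaning "this object never received a proper label"; a denial
# against them points at a labeling problem (restorecon), not a missing rule.
# (Heuristic chosen for this example.)
RELABEL_TYPES = {"default_t", "unlabeled_t"}


def context_type(context):
    """user:role:type[:range] -> type, the component TE rules refer to."""
    return context.split(":")[2]


def parse_avc(line):
    """Return the security-relevant fields of one AVC record, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": m.group("perms").split(),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def summarize(log_text):
    """Collapse denials into (source type, target type, class) -> set of permissions."""
    wanted = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            wanted[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return dict(wanted)


def to_allow_rules(summary):
    """Render each tuple as a TE allow rule, sorted so the output is stable."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        perm_text = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_text = "{ " + perm_text + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_text};")
    return rules


def relabel_candidates(summary):
    """Tuples whose target type says the object is mislabeled rather than the policy incomplete."""
    return sorted(key for key in summary if key[1] in RELABEL_TYPES)


if __name__ == "__main__":
    summary = summarize(SAMPLE_AUDIT_LOG)
    print("Rules a local module built from this log would add:")
    for rule in to_allow_rules(summary):
        print("   ", rule)
    print("Denials that call for restorecon rather than a policy module:")
    for stype, ttype, tclass in relabel_candidates(summary):
        print(f"    {stype} -> {ttype} ({tclass})")
```

Run against this thread's records, the summary yields three rules; the one against default_t is the one the last comment says should not be written into policy, because allowing xauth_t to write to default_t would let it write to every mislabeled directory on the system instead of fixing the label on one.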