Bug 475866 - (staff_u) SELinux is preventing xauth (xauth_t) "read write" staff_ssh_t.
Summary: (staff_u) SELinux is preventing xauth (xauth_t) "read write" staff_ssh_t.
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: openssh
Version: 10
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-12-10 20:54 UTC by Matěj Cepl
Modified: 2018-04-11 14:20 UTC (History)
5 users (show)

Fixed In Version: openssh-5.1p1-4.fc11
Clone Of:
Environment:
Last Closed: 2009-02-12 15:39:26 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Matěj Cepl 2008-12-10 20:54:35 UTC
I get this anytime I run ssh -Y from the computer with staff_u enabled. I don't think that ssh -Y is something so horrible to be avoided, right?

---------------------
SELinux is preventing xauth (xauth_t) "read write" staff_ssh_t.

Podrobný popis:

SELinux denied access requested by xauth. It is not expected that this access is
required by xauth and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Povolení přístupu:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Další informace:

Kontext zdroje                staff_u:staff_r:xauth_t:SystemLow-SystemHigh
Kontext cíle                 staff_u:staff_r:staff_ssh_t:SystemLow-SystemHigh
Objekty cíle                 socket [ tcp_socket ]
Zdroj                         xauth
Cesta zdroje                  /usr/bin/xauth
Port                          <Neznámé>
Počítač                    viklef
RPM balíčky zdroje          xorg-x11-xauth-1.0.2-5.fc10
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.5.13-30.fc10
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Enforcing
Název zásuvného modulu     catchall
Název počítače            viklef
Platforma                     Linux viklef 2.6.27.7-134.fc10.i686 #1 SMP Mon Dec
                              1 22:42:50 EST 2008 i686 i686
Počet upozornění           3
Poprvé viděno               St 10. prosinec 2008, 12:18:53 CET
Naposledy viděno             St 10. prosinec 2008, 14:34:42 CET
Místní ID                   3557195a-07f8-4975-8688-6767dc96c1c1
Čísla řádků              

Původní zprávy auditu      

node=viklef type=AVC msg=audit(1228916082.717:13514): avc:  denied  { read write } for  pid=8102 comm="xauth" path="socket:[5989399]" dev=sockfs ino=5989399 scontext=staff_u:staff_r:xauth_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_ssh_t:s0-s0:c0.c1023 tclass=tcp_socket

node=viklef type=AVC msg=audit(1228916082.717:13514): avc:  denied  { read write } for  pid=8102 comm="xauth" path="socket:[5989400]" dev=sockfs ino=5989400 scontext=staff_u:staff_r:xauth_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_ssh_t:s0-s0:c0.c1023 tclass=tcp_socket

node=viklef type=SYSCALL msg=audit(1228916082.717:13514): arch=40000003 syscall=11 success=yes exit=0 a0=9563888 a1=9562e40 a2=9562088 a3=0 items=0 ppid=8101 pid=8102 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="xauth" exe="/usr/bin/xauth" subj=staff_u:staff_r:xauth_t:s0-s0:c0.c1023 key=(null)

Comment 1 Daniel Walsh 2008-12-11 13:50:21 UTC
This looks like sshd is leaking the file descriptor to the tcp socket?  This socket should not be availble to tools execed by ssh, I believe.

fcntl(fd, F_SETFD, FD_CLOEXEC)

Comment 2 Tomas Mraz 2008-12-11 20:40:47 UTC
We already set FD_CLOEXEC on the tcp socket on client. So I am really curious what the tcp socket which is passed to xauth is. I need a 'lsof -c ssh -Z' output generated at the time when you get the AVC.

Comment 3 Matěj Cepl 2008-12-16 14:02:51 UTC
Tomáš, didn't we resolve on IRC, that it is

vncviewer -via <name> localhost:3

problem?

Comment 4 Tomas Mraz 2008-12-16 14:52:27 UTC
Yep, the channel sockets have to be FD_CLOEXECed too. The current rawhide already contains the fix.


Note You need to log in before you can comment on or make changes to this bug.